If an administrator has not removed the /install/ directory from an osCommerce installation, as the project advises, an unauthenticated attacker can rerun the installer. The osCommerce installer does not check whether the application is already installed and performs no authentication. An attacker can directly invoke the "install_4.php" step, which writes the configuration file for the installation. PHP code can be injected into that config file and then executed simply by requesting the file.
Enter the target URL here, as well as the URL to install.php (do NOT remove the ?step=4).
I've used Python to try it:

    import requests

    base_url = "http://localhost//oscommerce-2.3.4.1/catalog/"
    target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"
    data = {'DIR_FS_DOCUMENT_ROOT': './'}
The payload is injected into the configuration file by this line of the installer, which concatenates the POSTed DB_DATABASE value into a PHP define() without escaping it:
' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
So the injected value has the form: '); PAYLOAD; /* (it closes the string and the define() call, then comments out the remainder of the generated line).
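A defensive check, added here as an example and not code from the original page or the osCommerce project: it scans web-server access logs for requests that reach a left-over /install/ directory, and rates a POST to install.php?step=4 (the step that writes configure.php) as critical. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the web server writes Apache/nginx "combined" access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(method, target):
    """Return a severity label for one request, or None if it does not touch the installer."""
    parts = urlsplit(target)
    if "/install/" not in parts.path:
        return None
    step = parse_qs(parts.query).get("step", [""])[0]
    if method == "POST" and parts.path.endswith("install.php") and step == "4":
        return "critical"   # step 4 is the request that (re)writes configure.php
    return "warning"        # any other hit on the installer after go-live is suspicious

def find_install_requests(lines):
    """Scan access-log lines; return (severity, ip, method, target, status) tuples."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in the expected format
        sev = classify_request(m["method"], m["target"])
        if sev:
            findings.append((sev, m["ip"], m["method"], m["target"], int(m["status"])))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /catalog/install/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /catalog/install/install.php?step=4 HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /catalog/product_info.php?products_id=1 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_install_requests(SAMPLE_LOG):
        print(finding)
```

Any "warning" hit is already a sign the /install/ directory was never removed; a "critical" hit means the installer's config-writing step was reached and configure.php should be inspected for unexpected code.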