sudo nmap 10.10.153.99 -sV -sS
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Starting out we check port 8080 and find that a web server is running. The root page presents us with an index page where we see the commerce system oscommerce 2.3.4 is installed.
A simple preliminary check with searchsploit shows multiple vulnerabilities with this version.
searchsploit oscommerce 2.3.4 -w
Searching for Remote Code Execution exploits on GitHub shows a PoC from the user nobodyatall648.
Which has the following definition for the exploit:
"Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php".
Using the example provided on GitHub we clone the repo and run with the following syntax:
