Web


Nmap discovered a web server on port 443 of the BLUEPRINT (10.10.136.191) host. The running service is Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28).

┌──(kali㉿kali)-[~/archive/thm]
└─$ curl -k -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Sat, 05 Jul 2025 09:53:03 GMT
Content-Length: 0
┌──(kali㉿kali)-[~/archive/thm]
└─$ curl -k -I http://$IP/       
HTTP/1.1 404 Not Found
Content-Length: 1245
Server: Microsoft-IIS/7.5
Date: Sat, 05 Jul 2025 09:53:07 GMT

Directory listing is enabled on the webroot:

  • /oscommerce-2.3.4/

This appears to mirror the other web server on port 8080.
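A small triage helper for the recon output above, added here as an example (not part of the original write-up): it parses a raw HTTP response, flags risky methods advertised in the Allow header (TRACE here), records the server banner, and detects a rendered directory index. The sample response and index page are constructed from the curl output on this page; the index-page markers for Apache ("Index of /") and IIS ("host - /") are assumptions.

```python
"""Added triage helper (not from the write-up): parse a raw HTTP response,
flag risky methods, record the server banner, and detect a directory index."""
import re

# Methods a hardened production server should not advertise.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PROPFIND"}

# Constructed sample: the OPTIONS reply captured on this page (headers only).
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: a minimal webroot index page listing the osCommerce directory.
SAMPLE_INDEX = (
    "<html><head><title>10.10.136.191 - /</title></head><body>"
    '<pre><a href="/oscommerce-2.3.4/">oscommerce-2.3.4</a></pre></body></html>'
)

def parse_response(raw):
    """Split a raw response into (status_code, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_options(raw):
    """Return the findings a reviewer wants from an OPTIONS response."""
    status, headers = parse_response(raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {
        "status": status,
        "allowed": allowed,
        "risky_methods": sorted(allowed & RISKY_METHODS),  # TRACE enabled -> XST exposure
        "server_banner": headers.get("server"),              # product/version disclosure
    }

def directory_listing(html):
    """Return linked directory entries if the page looks like an auto-index, else []."""
    index_like = re.search(r"<title>(Index of /|[^<]* - /)", html, re.I)
    if not index_like:
        return []
    return re.findall(r'href="([^"]+/)"', html, re.I)
```

Fixing the findings on the server side means disabling TRACE (`TraceEnable off` on Apache), turning off directory browsing, and suppressing the product banner.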

osCommerce


An osCommerce instance is hosted at the /oscommerce-2.3.4/catalog/ endpoint.

The CSS does not render because its links point to localhost.

Vulnerabilities


┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ searchsploit osCommerce 2.3.4
-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
osCommerce 2.3.4 - Multiple Vulnerabilities                   | php/webapps/34582.txt
osCommerce 2.3.4.1 - 'currency' SQL Injection                 | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Injection              | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injection               | php/webapps/46330.txt
osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting  | php/webapps/49103.txt
osCommerce 2.3.4.1 - Arbitrary File Upload                    | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution                    | php/webapps/44374.py
osCommerce 2.3.4.1 - Remote Code Execution (2)                | php/webapps/50128.py
-------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

As the searchsploit output shows, osCommerce 2.3.4 suffers from many vulnerabilities, including an unauthenticated RCE.