This Metasploit module exploits a PHP object injection vulnerability in Magento 2.0.6 or prior.
0f4a54fd7327964f36b2aa61027c88bb06c66470231cb05fee46900549f0def5
Magento versions prior to 2.0.6 suffer from an unauthenticated arbitrary unserialize to arbitrary write file vulnerability.
aabdfe5b303d6f19ce1fc498c50679f141c6beebfcd6c15c192c8f28b94a86a8