Share
## https://sploitus.com/exploit?id=AC281743-1B22-56CB-8A51-4629F31C91B4
# CVE-2025-54236 - Magento Remote Code Execution Exploit

## Description

This script exploits a potential Remote Code Execution (RCE) vulnerability (CVE-2025-54236) in Magento 2. The vulnerability allows an attacker to upload a malicious file (likely a PHP webshell) and then trigger code execution by manipulating the `savePath` configuration during order creation.  This exploit leverages a combination of file upload, session manipulation, and request crafting to achieve RCE.

**Important:** This exploit code is provided for research and educational purposes only.  Using this code against a system without explicit permission is illegal and unethical.

## Prerequisites

*   **Python 3:**  The script is written in Python 3 and requires a Python 3 interpreter to be installed.
*   **Python Libraries:** The following Python libraries are required:
    *   `requests` (for making HTTP requests)
    *   `subprocess` (for running external commands, specifically `phpggc`)
    *   `secrets` (for generating random strings)
    *   `argparse` (for command-line argument parsing)
    *   `clogsec` (logging library -  requires installation or modification to use standard logging)
*   **phpggc:**  The `phpggc` tool is required for code obfuscation.  Download and ensure it's executable.  You might need to compile it from source if a pre-built binary is not available.  [https://github.com/LeakyNun/phpggc](https://github.com/LeakyNun/phpggc)
*   **Magento 2 Instance:** A vulnerable Magento 2 instance must be accessible.
*   **Web Server Access:**  The script assumes the ability to write to a specific directory on the webserver (defined by `PAYLOAD_OUT`).

## Installation

1.  **Install Python Libraries:**

    ```bash
    pip install -r requirements.txt
    ```

2.  **Download and Build phpggc (if needed):**

    ```bash
    git clone https://github.com/LeakyNun/phpggc
    cd phpggc
    make
    sudo install phpggc /usr/local/bin/phpggc # Or another location in your PATH
    ```
    Ensure `phpggc` is in your system's PATH.  You can verify this by running `which phpggc`.

## Usage

```bash
python exploit.py --host  --payload_in  --payload_out 
```

**Arguments:**

*   `--host`: The URL of the target Magento 2 instance (e.g., `http://example.com`).
*   `--payload_in`: The path to the input payload file (e.g., `/tmp/payload.php`). This file should contain the PHP code you want to execute on the target server.  A simple example would be ``.
*   `--payload_out`: The path to the output exploit file on the target server (e.g., `/var/www/html/magento2/pub/exploit.php`).  This is where the obfuscated payload will be written.  **Ensure the web server has write permissions to this directory.**

**Example:**

```bash
python exploit.py --host http://example.com --payload_in /tmp/payload.php --payload_out /var/www/html/magento2/pub/exploit.php
```

## Workflow

1.  **Payload Generation:** The script uses `phpggc` to obfuscate the input payload (`PAYLOAD_IN`) and writes the result to `PAYLOAD_OUT` on the target server.
2.  **File Upload:** The script uploads a file (identified by `FORMKEY` and `SESSID`) to the Magento instance.
3.  **Order Creation:** The script creates an order that triggers the vulnerability by manipulating the `savePath` configuration. This configuration is designed to save files in a specific directory, but can be crafted to include the uploaded malicious file.
4.  **Code Execution:**  By accessing the uploaded malicious file through the web browser, the attacker can execute arbitrary code on the target server.

## Important Considerations

*   **Permissions:**  Ensure the web server has the necessary write permissions to the directory specified by `PAYLOAD_OUT`.
*   **Firewalls/IDS/IPS:**  This exploit may be detected by firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS).
*   **Vulnerability Confirmation:**  This script is based on a potential vulnerability. Before using it, confirm that the target Magento instance is indeed vulnerable.
*   **Ethical Considerations:**  Only use this script against systems you have explicit permission to test.  Unauthorized access to computer systems is illegal and unethical.
*   **Logging:** The script uses a custom `clogsec` logger.  If `clogsec` is not available, consider replacing the logging statements with standard Python logging.

## Disclaimer

This script is provided for educational and research purposes only. The author is not responsible for any misuse or damage caused by this script. Use this script at your own risk.