## https://sploitus.com/exploit?id=CB10FBE6-16D1-57F7-A522-30AED2746439
# CVE-2022-24087-RCE and CVE-2022-24086-RCE 

## CVE description
CVE-2022-24086 and CVE-2022-24087 are improper input validation vulnerabilities in Magento Open Source and Adobe Commerce, reachable through the storefront contact form. Both carry a CVSS score of 9.8 out of 10 and are classified as pre-authentication issues, meaning they can be exploited without any credentials.

## Vulnerable versions:
Magento Open Source / Adobe Commerce - 2.3.3-p1 - 2.3.4

Magento Open Source / Adobe Commerce - 2.3.4-p2 - 2.4.2-p2

Magento Open Source / Adobe Commerce - 2.4.3 - 2.4.3-p1

## Analysis
CVE-2022-24086 was a critical, zero-day security vulnerability affecting Magento shops; Adobe reported it as already exploited in limited attacks. A second flaw, CVE-2022-24087, has the same severity and a similar attack vector.

After some research I found no legitimate, working PoC from Adobe demonstrating the severity of this flaw, so I decided to make my own.
By reverse engineering the official and unofficial patches I found that in /app/code/Magento/Email/Model/Template/Filter.php user-supplied input was not properly neutralized: the email template filter evaluates `{{...}}` directives, and because form validation did not recognize this combination of characters as dangerous, a directive embedded in a submitted value was passed through and evaluated by the filter. This bypasses the input validation normally relied on to sanitize unwanted input and turns a contact-form submission into a template injection that can lead to remote code execution.

The parts of the official patch (MDVA-43395) that point the way to a PoC:

From CVE-2022-24086 patch:
```php
$pattern = '/{{.*?}}/';
do {
    $result = preg_replace($pattern, '', (string)$result);
} while (preg_match($pattern, $result));
```
But even that fix is vulnerable, and a new CVE emerged: CVE-2022-24087.

So the fix was fixed again, this time stripping braces from every resolved directive value rather than only matching whole `{{...}}` pairs:
```php
    private function sanitizeValue($value)
    {
        return is_bool($value) ? $value : str_replace(['{', '}'], '', (string) $value);
    }
```
```php
    public function process(array $construction, Template $filter, array $templateVariables): string
    {
        $result = $this->resolve($construction, $filter, $templateVariables);
        return str_replace(['{', '}'], '', (string) $result);
    }
```
```php
    public function blockDirective($construction)
    {
        $result = $this->resolveBlockDirective($construction);
        return preg_replace("/{{/", "{{", $result);
    }
```
```php
        $result = $this->filterApplier->applyFromRawParam($construction['filters'], $result);
    }
    $result = str_replace(['{', '}'], '', (string) $result);
```
Now that is appropriate sanitization: with every `{` and `}` removed from each resolved value, a directive returned by a variable can no longer be picked up and evaluated on a later pass of the filter.
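To make the difference between the two generations of patches concrete, here is an added example, written for this page and not taken from Magento's code base. It is a toy template filter that resolves `{{var name}}` directives from a variable map and re-scans its own output, the way a template engine must when a resolved value can itself contain directives. A `block`-style directive is represented by a stand-in that only leaves a marker in the output and never executes anything. The directive pattern, function names and the two constructed "name" values are assumptions for the illustration. The multi-line input is included purely to show one class of value that the looped `/{{.*?}}/` strip from the first patch does not remove (without the `/s` modifier, `.` does not match a newline) while brace stripping does; whether that is the bypass behind CVE-2022-24087 is not something this page documents.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's code): a toy template filter showing how a
// {{...}} directive smuggled inside a user-supplied value gets evaluated on a
// later pass, and how the two sanitizers quoted on this page fare against it.
// Names, the directive pattern and the inputs are assumptions for the toy.

// Stand-in for a directive with side effects (Magento has e.g. {{block ...}}).
// The toy never executes anything: reaching this branch only leaves a marker.
const DANGEROUS_MARKER = '[DIRECTIVE EVALUATED]';

// Hypothetical directive pattern for the toy. /s lets "." span newlines, as a
// template engine must to accept multi-line directives; /i ignores case.
const DIRECTIVE_PATTERN = '/{{([a-z]{1,10})(.*?)}}/si';

/**
 * Evaluate directives in $template until none are left. {{var name}} is
 * replaced by $vars[name]; any other directive name hits the stand-in.
 * $sanitize is applied to each resolved value before substitution, which is
 * where the patches quoted above hook in (process() / applyFromRawParam()).
 */
function toyFilter(string $template, array $vars, callable $sanitize): string
{
    $passes = 0;
    do {
        $template = preg_replace_callback(
            DIRECTIVE_PATTERN,
            static function (array $m) use ($vars, $sanitize): string {
                $directive = strtolower($m[1]);
                $arg = trim($m[2]);
                $value = $directive === 'var'
                    ? (string) ($vars[$arg] ?? '')
                    : DANGEROUS_MARKER . '(' . $directive . ')';
                return $sanitize($value);
            },
            $template,
            -1,
            $count
        );
        // A resolved value may itself contain directives, so the output is
        // re-scanned; the cap only guards the toy against runaway input.
    } while ($count > 0 && ++$passes < 10);
    return $template;
}

/** Sanitizer from the CVE-2022-24086 patch as quoted above: strip {{...}} in a loop. */
function sanitizeLoopStrip(string $v): string
{
    $pattern = '/{{.*?}}/';   // no /s modifier: "." stops at a newline
    do {
        $v = preg_replace($pattern, '', $v);
    } while (preg_match($pattern, $v));
    return $v;
}

/** Sanitizer from the CVE-2022-24087 patch as quoted above: drop every brace. */
function sanitizeStripBraces(string $v): string
{
    return str_replace(['{', '}'], '', $v);
}

/**
 * Render a contact-form-like template with two constructed "name" values
 * under each sanitizer. Returns case => true when the stand-in directive
 * was evaluated, i.e. the injected directive got through.
 */
function evaluateCases(): array
{
    $template = "Name: {{var name}}\n";                         // constructed template
    $inputs = [
        'flat'      => ['name' => 'Eve {{block class=x}}'],      // constructed payload
        'multiline' => ['name' => "Eve {{block\nclass=x}}"],     // same, split by a newline
    ];
    $sanitizers = [
        'none'   => static fn(string $v): string => $v,
        'patch1' => 'sanitizeLoopStrip',
        'patch2' => 'sanitizeStripBraces',
    ];

    $result = [];
    foreach ($sanitizers as $label => $fn) {
        foreach ($inputs as $kind => $vars) {
            $rendered = toyFilter($template, $vars, $fn);
            $result["$label/$kind"] = strpos($rendered, DANGEROUS_MARKER) !== false;
        }
    }
    return $result;
}

foreach (evaluateCases() as $case => $hit) {
    printf("%-17s %s\n", $case, $hit ? 'directive evaluated' : 'neutralized');
}
```

Run with `php toy_filter.php` (PHP 7.4 or later). Without sanitization both payloads reach the stand-in directive; the looped `{{...}}` strip neutralizes the flat payload but lets the newline-split one through to the next pass; brace stripping neutralizes both, which is exactly why the second patch operates on every resolved value rather than on matched pairs.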

## Point of injection

```html
<form class="form contact"
      action="https://xxxxxx.com/contact/index/post/"
      id="contact-form"
      method="post"
      data-hasrequired="* Required Fields"
      data-mage-init='{"validation":{}}'>
    <fieldset class="fieldset">
        <legend class="legend"><span>Write <b>Us</b></span></legend><br />
        <fieldset class="fieldset row">
            <div class="fields col-md-6">
        <div class="field name required">
            <label class="label" for="name"><span>Name</span></label>
            <div class="control">
                <input name="name" id="name" title="Name" value="" class="input-text" type="text" data-validate="{required:true}"/>
            </div>
        </div>
        <div class="field email required">
            <label class="label" for="email"><span>Email</span></label>
            <div class="control">
                <input name="email" id="email" title="Email" value="" class="input-text" type="email" data-validate="{required:true, 'validate-email':true}"/>
            </div>
        </div>
        <div class="field telephone">
            <label class="label" for="telephone"><span>Phone Number</span></label>
            <div class="control">
                <input name="telephone" id="telephone" title="Phone Number" value="" class="input-text" type="text" />
            </div>
        </div>
            </div>
            <div class="fields col-md-6">
        <div class="field comment required">
            <label class="label" for="comment"><span>What’s on your mind?</span></label>
            <div class="control">
                <textarea name="comment" id="comment" title="What’s on your mind?" class="input-text" cols="5" rows="8" data-validate="{required:true}"></textarea>
            </div>
        </div>
           </div>
        </fieldset>
    </fieldset>
    <div class="actions-toolbar">
        <div class="primary">
            <input type="hidden" name="hideit" id="hideit" value="" />
            <button type="submit" title="Submit" class="action submit primary">
                <span>Submit</span>
            </button>
        </div>
    </div>
</form>
```

## CVE-2022-24086 PoC and CVE-2022-24087 PoC

The attack is a crafted POST to the form's action URL. The payloads used are shown in the screenshots below:

<img width="319" alt="1" src="https://user-images.githubusercontent.com/101953609/159141998-da760181-0cca-4c97-ad79-8b709295b956.png">

<img width="266" alt="2" src="https://user-images.githubusercontent.com/101953609/159142000-e846bca2-e545-4134-9980-05e635416e95.png">

<img width="222" alt="3" src="https://user-images.githubusercontent.com/101953609/159142001-0eee50bd-ca91-4a42-bd35-8184add8143d.png">

## CVE-2022-24086 exploit and CVE-2022-24087 exploit download

I don't want to leak the exploit into the wild, so I have put only 10 copies up for sale: https://satoshidisk.com/pay/CF0iMI

It's quite a cheap price for such a tool. The txt file contains example payloads for uploading a PHP shell and for extracting critical information from the Magento installation and the server.

## Disclaimer
This project is intended for educational purposes only and must not be used to break the law or for personal gain.

The author of this project is not responsible for any possible harm caused by the materials.

## License
CC0