POC details: fdc72a04348f66ba0b1d0571e0493f10c7ba1722

Source
Related vulnerability
Title: Magento Community Edition and Enterprise Edition SQL injection vulnerability (CVE-2015-1397)
Description: Magento is an open-source PHP e-commerce system from the US company Magento; it provides features such as permission management, a search engine and payment gateways. Magento Community Edition (CE) is the community edition and Magento Enterprise Edition (EE) is the enterprise edition. The 'getCsvFile' function of the Mage_Adminhtml_Block_Widget_Grid class in Magento CE 1.9.1.0 and EE 1.14.1.0 contains an SQL injection vulnerability. When the program sets 'popularity[from]' or 'popula
Introduction
# Magento Shoplift Exploit (SUPEE-5344) - CVE-2015-1397

## Overview

This script exploits the **CVE-2015-1397** vulnerability in Magento, commonly referred to as the Magento Shoplift exploit. It allows an attacker to create a new admin user in the Magento database by injecting SQL payloads.

Originally written in Python by **Manish Kishan Tanwar (error1046)**, this version has been converted to **Bash** with user-friendly input prompts for credentials by **Divine Clown (0xDTC)**.

---

## Features

- **Credential Prompt**: Dynamically prompts for the target URL, admin username, and password.
- **Error Handling**: Provides detailed error messages for invalid inputs, failed network requests, and unexpected server responses.
- **Base64 Encoding**: Encodes payloads dynamically for Magento's processing.
- **Simplified User Experience**: Removes the need for manual payload encoding or static inputs.

---

## Prerequisites

- **Target**: The Magento installation must be vulnerable to CVE-2015-1397.
- **Environment**: Linux with `bash`, `curl`, and `base64` utilities installed.

---

## Usage

1. Clone the repository or copy the script to your local system.
2. Make the script executable:
   ```bash
   chmod +x CVE-2015-1397
   ```
3. Run the script:
   ```bash
   ./CVE-2015-1397
   ```
4. Follow the prompts:
   - Enter the **target URL** (e.g., `http://target.com/`).
   - Enter the **new admin username**.
   - Enter the **new admin password**.
5. If successful, the script will output the newly created admin credentials.

---

## Example

```bash
┌──(kali㉿kali)-[~/example]
└─$ ./CVE-2015-1397
Enter the target URL (e.g., http://target.com/): http://example.com/
Enter the new admin username: admin123
Enter the new admin password: pass123
[*] Sending payload to http://example.com/admin/Cms_Wysiwyg/directive/index/
[+] Exploit successful. Admin account created: admin123 / pass123
```

---

## How It Works

1. **Input Validation**:
   - Ensures the provided URL starts with `http://` or `https://`.
   - Validates that the username and password are not empty.
   
2. **Payload Construction**:
   - Constructs a Base64-encoded `___directive` parameter containing an SQL query to insert a new admin user.
   - Encodes the SQL query dynamically.

3. **Exploitation**:
   - Sends a `POST` request to the vulnerable endpoint using `curl`.
   - Uses Magento's internal directive parsing to execute the SQL payload.

4. **Response Handling**:
   - Checks the server's response for indicators of success or failure.
   - Handles common errors like invalid URL, empty response, or network issues.
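
Defender-side triage of the request shape described above, added here as an example and not part of the repository's script: it assumes requests captured together with their bodies (for instance by a WAF or reverse proxy, since ordinary access logs do not record POST bodies) and checks every Base64-decodable parameter, not only `___directive`, for SQL verbs.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Endpoint the README names as the one the script POSTs to.
VULN_PATH = re.compile(r"/admin/Cms_Wysiwyg/directive/index/?$", re.IGNORECASE)
# SQL verbs that have no business inside a CMS directive or its filters.
SQL_KEYWORDS = re.compile(r"\b(INSERT|UPDATE|DELETE|UNION|SELECT|DROP)\b", re.IGNORECASE)
B64_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def decode_if_base64(value: str) -> str:
    """Return the decoded text of a Base64-looking value, or '' if it does not decode."""
    if len(value) < 8 or not B64_CHARS.match(value):
        return ""
    try:
        normalised = value.replace("-", "+").replace("_", "/")
        normalised += "=" * (-len(normalised) % 4)  # tolerate stripped padding
        return base64.b64decode(normalised).decode("utf-8", "replace")
    except ValueError:
        return ""


def classify_request(method: str, path: str, body: str) -> str:
    """Triage one captured request.

    'sql_in_directive': a POST to the directive endpoint carries a Base64 parameter
                        whose decoded text contains SQL verbs (the pattern described above).
    'directive_post'  : any other POST to the directive endpoint (review who sent it).
    'benign'          : everything else.
    """
    if method.upper() != "POST" or not VULN_PATH.search(path):
        return "benign"
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            decoded = decode_if_base64(value)
            if decoded and SQL_KEYWORDS.search(decoded):
                return "sql_in_directive"
    return "directive_post"


# Constructed sample requests (not real traffic). The first body carries a Base64
# ___directive whose decoded text contains an INSERT fragment; the second is a harmless
# widget directive; the third is ordinary storefront browsing.
SAMPLES = [
    ("POST", "/admin/Cms_Wysiwyg/directive/index/", urlencode({"___directive": base64.b64encode(
        b"{{block}} INSERT INTO admin_user /* constructed fragment */").decode()})),
    ("POST", "/admin/Cms_Wysiwyg/directive/index/", urlencode({"___directive": base64.b64encode(
        b"{{widget type=cms/widget_page_link page_id=1}}").decode()})),
    ("GET", "/index.php/catalog/product/view/id/42/", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(f"{classify_request(method, path, body):>17}  {method} {path}")
```

Any `directive_post` hit should be correlated with the admin session log, because the endpoint is legitimately reached only by an authenticated administrator editing CMS content.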

---

## Error Handling

- **Invalid URL**: Ensures the target URL starts with `http://` or `https://`.
- **Empty Inputs**: Validates that neither username nor password is empty.
- **Network Issues**: Reports if the connection to the target fails.
- **Empty Server Response**: Alerts the user if the server does not return a response.
- **Unsuccessful Exploit**: Displays the server's response for debugging purposes.

---

## Legal Disclaimer

This script is intended for **educational purposes** only. Unauthorized use against systems you do not own or have permission to test is illegal and unethical. The author and contributors are not responsible for any misuse of this tool.

---

## Acknowledgments

Special thanks to:
- Original Python script author: Manish Kishan Tanwar (error1046)
- Security researchers and community contributors for documenting CVE-2015-1397.

---

## References

- [CVE-2015-1397 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1397)
- [Checkpoint Research Blog](https://blog.checkpoint.com/)
- [Magento Vulnerability Documentation](https://magento.com/security)
File snapshot

[4.0K] /data/pocs/fdc72a04348f66ba0b1d0571e0493f10c7ba1722 ├── [5.4K] CVE-2015-1397 └── [3.6K] README.md 0 directories, 2 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source has expired or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.