来源

关联漏洞

介绍

# Magento Shoplift Exploit (SUPEE-5344) - CVE-2015-1397

## Overview

This script exploits the **CVE-2015-1397** vulnerability in Magento, commonly referred to as the Magento Shoplift exploit. It allows an attacker to create a new admin user in the Magento database by injecting SQL payloads.

Originally written in Python by **Manish Kishan Tanwar (error1046)**, this version has been converted to **Bash** with user-friendly input prompts for credentials by **Divine Clown (0xDTC)**.

---

## Features

- **Credential Prompt**: Dynamically prompts for the target URL, admin username, and password.
- **Error Handling**: Provides detailed error messages for invalid inputs, failed network requests, and unexpected server responses.
- **Base64 Encoding**: Encodes payloads dynamically for Magento's processing.
- **Simplified User Experience**: Removes the need for manual payload encoding or static inputs.

---

## Prerequisites

- **Target**: The Magento installation must be vulnerable to CVE-2015-1397.
- **Environment**: Linux with `bash`, `curl`, and `base64` utilities installed.

---

## Usage

1. Clone the repository or copy the script to your local system.
2. Make the script executable:
   ```bash
   chmod +x CVE-2015-1397
   ```
3. Run the script:
   ```bash
   ./CVE-2015-1397
   ```
4. Follow the prompts:
   - Enter the **target URL** (e.g., `http://target.com/`).
   - Enter the **new admin username**.
   - Enter the **new admin password**.
5. If successful, the script will output the newly created admin credentials.

---

## Example

```bash
┌──(kali㉿kali)-[~/example]
└─$ ./CVE-2015-1397
Enter the target URL (e.g., http://target.com/): http://example.com/
Enter the new admin username: admin123
Enter the new admin password: pass123
[*] Sending payload to http://example.com/admin/Cms_Wysiwyg/directive/index/
[+] Exploit successful. Admin account created: admin123 / pass123
```

---

## How It Works

1. **Input Validation**:
   - Ensures the provided URL starts with `http://` or `https://`.
   - Validates that the username and password are not empty.
   
2. **Payload Construction**:
   - Constructs a Base64-encoded `___directive` parameter containing an SQL query to insert a new admin user.
   - Encodes the SQL query dynamically.

3. **Exploitation**:
   - Sends a `POST` request to the vulnerable endpoint using `curl`.
   - Uses Magento's internal directive parsing to execute the SQL payload.

4. **Response Handling**:
   - Checks the server's response for indicators of success or failure.
   - Handles common errors like invalid URL, empty response, or network issues.

---

## Error Handling

- **Invalid URL**: Ensures the target URL starts with `http://` or `https://`.
- **Empty Inputs**: Validates that neither username nor password is empty.
- **Network Issues**: Reports if the connection to the target fails.
- **Empty Server Response**: Alerts the user if the server does not return a response.
- **Unsuccessful Exploit**: Displays the server's response for debugging purposes.

---

## Legal Disclaimer

This script is intended for **educational purposes** only. Unauthorized use against systems you do not own or have permission to test is illegal and unethical. The author and contributors are not responsible for any misuse of this tool.

---

## Acknowledgments

Special thanks to:
- Original Python script author: Manish Kishan Tanwar (error1046)
- Security researchers and community contributors for documenting CVE-2015-1397.

--- 

## References

- [CVE-2015-1397 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1397)
- [Checkpoint Research Blog](https://blog.checkpoint.com/)
- [Magento Vulnerability Documentation](https://magento.com/security)

文件快照

 [4.0K]  /data/pocs/fdc72a04348f66ba0b1d0571e0493f10c7ba1722
├── [5.4K]  CVE-2015-1397
└── [3.6K]  README.md

0 directories, 2 files

备注