Web


Nmap discovered a web server running on port 80 of the target.

Browsing to the target on port 80 redirected to a domain, swagshop.htb.

I added the domain to the /etc/hosts file on Kali so it resolves locally.

Webroot

It's an online shop powered by the Magento CMS.

Wappalyzer identified the technologies in use.

One odd thing I noticed is that /index.php/ acts as the web root, so the admin panel lives at /index.php/admin rather than at /admin.

I tried logging in with weak/default credentials; none of them worked.

Being a CMS, the site has a large number of files and directories lying around, but none of them provided any valuable insight.

Then I started looking online for resources.

MageScan


While looking for a way to enumerate the web application effectively, I came across MageScan online. The tool is designed specifically for web applications built on Magento.

┌──(kali㉿kali)-[~/archive/htb/labs/swagshop]
└─$ php magescan.phar scan:all http://swagshop.htb/index.php/                                                                 
Scanning http://swagshop.htb/index.php/...
 
                       
  Magento Information  
                       
 
+-----------+-----------+
| Parameter | Value     |
+-----------+-----------+
| Edition   | Community |
| Version   | 1.9       |
+-----------+-----------+
 
                     
  Installed Modules  
                     
 
No detectable modules were found
 
                       
  Catalog Information  
                       
 
+------------+---------+
| Type       | Count   |
+------------+---------+
| Categories | Unknown |
| Products   | Unknown |
+------------+---------+
 
           
  Patches  
           
 
+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+
 
           
  Sitemap  
           
 
Sitemap is not declared in robots.txt
Sitemap is not accessible: http://swagshop.htb/index.php/sitemap.xml
 
                     
  Server Technology  
                     
 
+--------+------------------------+
| Key    | Value                  |
+--------+------------------------+
| Server | Apache/2.4.18 (Ubuntu) |
+--------+------------------------+
 
                          
  Unreachable Path Check  
                          
 
+----------------------------------------------+---------------+--------+
| Path                                         | Response Code | Status |
+----------------------------------------------+---------------+--------+
| .bzr/                                        | 404           | Pass   |
| .cvs/                                        | 404           | Pass   |
| .git/                                        | 404           | Pass   |
| .git/config                                  | 404           | Pass   |
| .git/refs/                                   | 404           | Pass   |
| .gitignore                                   | 404           | Pass   |
| .hg/                                         | 404           | Pass   |
| .idea                                        | 404           | Pass   |
| .svn/                                        | 404           | Pass   |
| .svn/entries                                 | 404           | Pass   |
| admin/                                       | 404           | Pass   |
| admin123/                                    | 404           | Pass   |
| adminer.php                                  | 404           | Pass   |
| administrator/                               | 404           | Pass   |
| adminpanel/                                  | 404           | Pass   |
| aittmp/index.php                             | 404           | Pass   |
| app/etc/enterprise.xml                       | 404           | Pass   |
| app/etc/local.xml                            | 200           | Fail   |
| backend/                                     | 404           | Pass   |
| backoffice/                                  | 404           | Pass   |
| beheer/                                      | 404           | Pass   |
| capistrano/config/deploy.rb                  | 404           | Pass   |
| chive                                        | 404           | Pass   |
| composer.json                                | 404           | Pass   |
| composer.lock                                | 404           | Pass   |
| vendor/composer/installed.json               | 404           | Pass   |
| config/deploy.rb                             | 404           | Pass   |
| control/                                     | 404           | Pass   |
| dev/tests/functional/etc/config.xml          | 404           | Pass   |
| downloader/index.php                         | 404           | Pass   |
| index.php/rss/order/NEW/new                  | 200           | Fail   |
| info.php                                     | 404           | Pass   |
| mageaudit.php                                | 404           | Pass   |
| magmi/                                       | 404           | Pass   |
| magmi/conf/magmi.ini                         | 404           | Pass   |
| magmi/web/magmi.php                          | 404           | Pass   |
| Makefile                                     | 404           | Pass   |
| manage/                                      | 404           | Pass   |
| management/                                  | 404           | Pass   |
| manager/                                     | 404           | Pass   |
| modman                                       | 404           | Pass   |
| p.php                                        | 404           | Pass   |
| panel/                                       | 404           | Pass   |
| phpinfo.php                                  | 404           | Pass   |
| phpmyadmin                                   | 404           | Pass   |
| README.md                                    | 404           | Pass   |
| README.txt                                   | 404           | Pass   |
| shell/                                       | 200           | Fail   |
| shopadmin/                                   | 404           | Pass   |
| site_admin/                                  | 404           | Pass   |
| var/export/                                  | 404           | Pass   |
| var/export/export_all_products.csv           | 404           | Pass   |
| var/export/export_customers.csv              | 404           | Pass   |
| var/export/export_product_stocks.csv         | 404           | Pass   |
| var/log/                                     | 404           | Pass   |
| var/log/exception.log                        | 404           | Pass   |
| var/log/payment_authnetcim.log               | 404           | Pass   |
| var/log/payment_authorizenet.log             | 404           | Pass   |
| var/log/payment_authorizenet_directpost.log  | 404           | Pass   |
| var/log/payment_cybersource_soap.log         | 404           | Pass   |
| var/log/payment_ogone.log                    | 404           | Pass   |
| var/log/payment_payflow_advanced.log         | 404           | Pass   |
| var/log/payment_payflow_link.log             | 404           | Pass   |
| var/log/payment_paypal_billing_agreement.log | 404           | Pass   |
| var/log/payment_paypal_direct.log            | 404           | Pass   |
| var/log/payment_paypal_express.log           | 404           | Pass   |
| var/log/payment_paypal_standard.log          | 404           | Pass   |
| var/log/payment_paypaluk_express.log         | 404           | Pass   |
| var/log/payment_pbridge.log                  | 404           | Pass   |
| var/log/payment_verisign.log                 | 404           | Pass   |
| var/log/system.log                           | 404           | Pass   |
| var/report/                                  | 404           | Pass   |
+----------------------------------------------+---------------+--------+

Running the PHP script reveals some key information. The web application is Magento 1.9 Community Edition. Three paths returned 200 and were flagged Fail in the Unreachable Path Check; two of them expose files that should never be public:

  • app/etc/local.xml
  • shell/

/app/etc/local.xml


The /app/etc/local.xml file contains the DB connection settings, including the credentials root:fMVWh7bDHpgZkyfqQXreTjU9. It also shows that the DB name is swagshop and that the backend model is MySQL4.

I also tested the credentials for reuse elsewhere, but that didn't work.
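To show what a Magento 1.x app/etc/local.xml actually carries, and why an exposed copy matters beyond the DB password, here is an added example (not part of the original write-up) that parses the file and pulls out the connection block, the table prefix, the admin front name and the crypt key. The XML is a constructed sample in the layout Magento 1.x uses; the host, username, password, dbname and model mirror what the write-up reports for swagshop.htb, while the crypt key is a placeholder.

```python
"""Extract secrets from a Magento 1.x app/etc/local.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the Magento 1.x local.xml layout. Host/user/password/
# dbname/model mirror the write-up; the crypt key is a placeholder value.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <crypt>
            <key><![CDATA[00000000000000000000000000000000]]></key>
        </crypt>
        <disable_local_modules>false</disable_local_modules>
        <resources>
            <db>
                <table_prefix><![CDATA[]]></table_prefix>
            </db>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[root]]></username>
                    <password><![CDATA[fMVWh7bDHpgZkyfqQXreTjU9]]></password>
                    <dbname><![CDATA[swagshop]]></dbname>
                    <initStatements><![CDATA[SET NAMES utf8]]></initStatements>
                    <model><![CDATA[mysql4]]></model>
                    <type><![CDATA[pdo_mysql]]></type>
                    <pdoType><![CDATA[]]></pdoType>
                    <active>1</active>
                </connection>
            </default_setup>
        </resources>
        <session_save><![CDATA[files]]></session_save>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""


def _text(node, path):
    """Return the stripped text of a child element, or '' if absent/empty."""
    child = node.find(path)
    if child is None or child.text is None:
        return ""
    return child.text.strip()


def parse_local_xml(xml_text):
    """Parse local.xml and return the settings an attacker cares about.

    Magento 1.x keeps the DB connection under global/resources/default_setup/
    connection, the crypt key (used to encrypt stored config values such as
    payment-gateway secrets) under global/crypt/key, and the admin URL
    prefix under admin/routers/adminhtml/args/frontName.
    """
    root = ET.fromstring(xml_text)
    conn = root.find("./global/resources/default_setup/connection")
    if conn is None:
        raise ValueError("no default_setup/connection block in local.xml")
    return {
        "host": _text(conn, "host"),
        "username": _text(conn, "username"),
        "password": _text(conn, "password"),
        "dbname": _text(conn, "dbname"),
        "model": _text(conn, "model"),
        "type": _text(conn, "type"),
        "table_prefix": _text(root, "./global/resources/db/table_prefix"),
        "crypt_key": _text(root, "./global/crypt/key"),
        "admin_frontname": _text(root, "./admin/routers/adminhtml/args/frontName"),
    }


def mysql_cli_args(info):
    """Build the mysql client argv for testing the recovered DB credentials."""
    return ["mysql", "-h", info["host"], "-u", info["username"],
            "-p" + info["password"], info["dbname"]]


if __name__ == "__main__":
    details = parse_local_xml(SAMPLE_LOCAL_XML)
    for key, value in details.items():
        print(f"{key:16s} {value}")
    print(" ".join(mysql_cli_args(details)))
```

The crypt key is the part that is easy to overlook: Magento 1.x uses it to encrypt sensitive values stored in the database (for example payment gateway credentials), so an exposed local.xml plus a DB dump is enough to recover those as well. The admin front name tells you where the backend lives if it was renamed from the default.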

/shell/


The /shell/ directory listing exposes 4 PHP files, but since the server executes them rather than serving their source, their contents cannot be read.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/swagshop]
└─$ searchsploit magento                 
--------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                         |  Path
--------------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection                           | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Si | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cr | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                              | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                         | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution                           | php/webapps/37811.py
Magento eCommerce - Local File Disclosure                                              | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                              | xml/webapps/37977.py
Magento eCommerce CE v2.3.5-p2 - Blind SQLi                                            | php/webapps/50896.txt
Magento Server MAGMI Plugin - Multiple Vulnerabilities                                 | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                            | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass           | php/webapps/48135.php
--------------------------------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
 

Magento 1.9 has a number of public exploits.

The full list can be found here.