Categories
Magento Security

How to Investigate vulnerabilities of a Magento Website (Greyhat hacking)

It is simple to find vulnerabilities and extract information for a magento instance / site. The developers are usually caught up in feature development instead of maintaining and securing the server. Many times the developers take on the role of system administrators and problems are only picked up after it is too late.

Finding a Target

There are a few ways to do this but the main thing is the store needs to be magento. So I advise installing Wappalyser which will tell you whether the site you are currently on is Magento.

Another way is browsing forums and q/a places for people encountering problems with magento where they actually just give the URL of the production site.

Sometimes just going to popular ecommerce stores and watching the wappalyser plugin can help isolate targets.

Sometimes people just post public gists of vulnerable sites like this list of Magento vulnerable sites or 5900 sites found to be skimming payment info

Scan the Site

There is a nice tool available which will give you info about the site, possible vulnerable extensions it has installed and all a list of locations that are not hidden from the public. This is the tool you would least expect to work but it is in fact the best tool to use. You will be surprised how many installations allow public users to view things they shouldn’t.

The tool is called Magescan.

Run it with php magescan.phar scan:all http://example.com

This will give you results like:


 Magento Information  

+-----------+------------------+
| Parameter | Value            |
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.9.2.1, 1.9.2.2 |
+-----------+------------------+

  Installed Modules  

No detectable modules were found

  Catalog Information  

+------------+-------+
| Type       | Count |
+------------+-------+
| Categories | 14    |
| Products   | 1146  |
+------------+-------+

  Patches  

+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+

  Sitemap  

Sitemap is not declared in robots.txt
Sitemap is accessible: http://www.example.com/sitemap.xml

  Server Technology  

+--------------+-------------------------+
| Key          | Value                   |
+--------------+-------------------------+
| Server       | Apache                  |
| X-Powered-By | PHP/5.6.29-1~dotdeb+7.1 |
+--------------+-------------------------+

  Unreachable Path Check  

+----------------------------------------------+---------------+--------+
| Path                                         | Response Code | Status |
+----------------------------------------------+---------------+--------+
| .bzr/                                        | 404           | Pass   |
| .cvs/                                        | 404           | Pass   |
| .git/                                        | 404           | Pass   |
| .git/config                                  | 404           | Pass   |
| .git/refs/                                   | 404           | Pass   |
| .gitignore                                   | 404           | Pass   |
| .hg/                                         | 404           | Pass   |
| .idea                                        | 404           | Pass   |
| .svn/                                        | 404           | Pass   |
| .svn/entries                                 | 404           | Pass   |
| admin/                                       | 200           | Fail   |
| admin123/                                    | 404           | Pass   |
| adminer.php                                  | 404           | Pass   |
| administrator/                               | 404           | Pass   |
| adminpanel/                                  | 404           | Pass   |
| aittmp/index.php                             | 404           | Pass   |
| app/etc/enterprise.xml                       | 403           | Pass   |
| app/etc/local.xml                            | 403           | Pass   |
| backend/                                     | 404           | Pass   |
| backoffice/                                  | 404           | Pass   |
| beheer/                                      | 404           | Pass   |
| capistrano/config/deploy.rb                  | 404           | Pass   |
| chive                                        | 404           | Pass   |
| composer.json                                | 200           | Fail   |
| composer.lock                                | 404           | Pass   |
| config/deploy.rb                             | 404           | Pass   |
| control/                                     | 404           | Pass   |
| dev/tests/functional/etc/config.xml          | 200           | Fail   |
| downloader/index.php                         | 200           | Fail   |
| index.php/rss/order/NEW/new                  | 401           | Pass   |
| info.php                                     | 200           | Fail   |
| mageaudit.php                                | 404           | Pass   |
| magmi/                                       | 404           | Pass   |
| magmi/conf/magmi.ini                         | 404           | Pass   |
| magmi/web/magmi.php                          | 404           | Pass   |
| manage/                                      | 404           | Pass   |
| management/                                  | 404           | Pass   |
| manager/                                     | 404           | Pass   |
| modman                                       | 200           | Fail   |
| p.php                                        | 404           | Pass   |
| panel/                                       | 404           | Pass   |
| phpinfo.php                                  | 200           | Fail   |
| phpmyadmin                                   | 404           | Pass   |
| README.md                                    | 200           | Fail   |
| README.txt                                   | 404           | Pass   |
| shell/                                       | 403           | Pass   |
| shopadmin/                                   | 404           | Pass   |
| site_admin/                                  | 404           | Pass   |
| var/export/                                  | 403           | Pass   |
| var/export/export_all_products.csv           | 403           | Pass   |
| var/export/export_customers.csv              | 403           | Pass   |
| var/export/export_product_stocks.csv         | 403           | Pass   |
| var/log/                                     | 403           | Pass   |
| var/log/exception.log                        | 403           | Pass   |
| var/log/payment_authnetcim.log               | 403           | Pass   |
| var/log/payment_authorizenet.log             | 403           | Pass   |
| var/log/payment_authorizenet_directpost.log  | 403           | Pass   |
| var/log/payment_cybersource_soap.log         | 403           | Pass   |
| var/log/payment_ogone.log                    | 403           | Pass   |
| var/log/payment_payflow_advanced.log         | 403           | Pass   |
| var/log/payment_payflow_link.log             | 403           | Pass   |
| var/log/payment_paypal_billing_agreement.log | 403           | Pass   |
| var/log/payment_paypal_direct.log            | 403           | Pass   |
| var/log/payment_paypal_express.log           | 403           | Pass   |
| var/log/payment_paypal_standard.log          | 403           | Pass   |
| var/log/payment_paypaluk_express.log         | 403           | Pass   |
| var/log/payment_pbridge.log                  | 403           | Pass   |
| var/log/payment_verisign.log                 | 403           | Pass   |
| var/log/system.log                           | 403           | Pass   |
| var/report/                                  | 403           | Pass   |
+----------------------------------------------+---------------+--------+

So we get some pretty juicy information here. Often the Unreachable Path Check fails, give the best results.

Just go to those locations check it out you might get a nice readme.md or some db credentials.

There are also some other files you could look out for, like this Simple PHP file manager called file_manager.php. Some developers just don’t care and commit this file in the root of a magento site. So anyone accessing the file can actually delete every file on a production server.

Next Steps

The information has now been gathered the next step is up to you…