It is easy to extract information from, and often to find vulnerabilities in, a Magento store. The developers are usually busy with feature work rather than maintaining and hardening the server; many of them also double as system administrators, and problems are only noticed once it is too late.
Finding a Target
There are a few ways to do this, but the one hard requirement is that the store actually runs Magento. The easiest check is the Wappalyzer browser extension, which tells you whether the site you are looking at is Magento. Whichever way you find a store, only scan ones you own or are authorized to test.
Another way is browsing forums and Q&A sites for people describing problems with Magento; they frequently paste the URL of their production site.
Browsing popular ecommerce stores with the Wappalyzer plugin active is another way to isolate targets.
People also post public gists of vulnerable sites, like this list of Magento vulnerable sites or the 5900 sites found to be skimming payment info.
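As an added example (my code, not the post's and not Wappalyzer's), here is the kind of check a fingerprinting plugin performs, written in Python: it looks for the asset paths, JavaScript helpers, vary header and session cookie that Magento 1 and Magento 2 storefronts leave in an ordinary page response. The regexes are my own choice of markers, and the three sample responses at the bottom are constructed, not captured from any real shop; pass a URL on the command line to fingerprint a live page.

```python
"""Magento fingerprinting, the check a browser plugin such as Wappalyzer
performs.  Added example: not code from the original post or from
Wappalyzer.  The rules are my own reading of the markers Magento 1 and
Magento 2 storefronts leave in HTML and headers; the sample responses at
the bottom are constructed, not captured from a real shop."""
import re
import sys
import urllib.request
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value); Set-Cookie can repeat, so not a dict

# (label, where to look, pattern).  Body markers are the asset paths and JS
# helpers Magento emits on every storefront page; header markers are its
# session cookie and the full-page-cache vary header.
RULES = [
    ("Magento 1 skin path",        "body",   re.compile(r"/skin/frontend/", re.I)),
    ("Magento 1 JS library",       "body",   re.compile(r"/js/(?:mage|varien)/", re.I)),
    ("Magento 1 cookie helper",    "body",   re.compile(r"\bMage\.Cookies\b")),
    ("Magento 2 static path",      "body",   re.compile(r"/static/(?:version\d+/)?frontend/", re.I)),
    ("Magento 2 RequireJS module", "body",   re.compile(r'data-requiremodule="mage/', re.I)),
    ("Magento 2 vary header",      "header", re.compile(r"^X-Magento-Vary$", re.I)),
    ("Magento session cookie",     "cookie", re.compile(r"^frontend$")),
]


def cookie_names(headers: List[Header]) -> List[str]:
    """Names of all cookies set by the response (text before the first '=')."""
    return [v.split("=", 1)[0].strip()
            for k, v in headers if k.lower() == "set-cookie" and "=" in v]


def fingerprint(headers: List[Header], body: str) -> dict:
    """Return {"magento": bool, "version": str or None, "evidence": [labels]}."""
    names = [k for k, _ in headers]
    cookies = cookie_names(headers)
    evidence = []
    for label, where, rx in RULES:
        if where == "body" and rx.search(body):
            evidence.append(label)
        elif where == "header" and any(rx.search(n) for n in names):
            evidence.append(label)
        elif where == "cookie" and any(rx.search(c) for c in cookies):
            evidence.append(label)
    # The session cookie alone is weak evidence: 'frontend' is a generic name,
    # so it only counts as confirmation next to a body or header marker.
    strong = [e for e in evidence if e != "Magento session cookie"]
    version = None
    if any(e.startswith("Magento 1") for e in strong):
        version = "Magento 1"
    elif any(e.startswith("Magento 2") for e in strong):
        version = "Magento 2"
    return {"magento": bool(strong), "version": version, "evidence": evidence}


def fingerprint_url(url: str) -> dict:
    """Fetch one page and fingerprint it (network; not used by the samples)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        headers = [(k, v) for k, v in resp.headers.items()]  # keeps duplicates
        body = resp.read(512 * 1024).decode("utf-8", "replace")
    return fingerprint(headers, body)


# --- constructed samples (not captured from any real site) -----------------
M1_HEADERS = [("Server", "Apache"), ("X-Powered-By", "PHP/5.6.29"),
              ("Set-Cookie", "frontend=3f9c0a7b; path=/; httponly")]
M1_BODY = """<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script type="text/javascript" src="/js/mage/translate.js"></script>
<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css" />
<script type="text/javascript">Mage.Cookies.path = '/';</script>
</head><body></body></html>"""

M2_HEADERS = [("Server", "nginx"), ("X-Magento-Vary", "4d1e"),
              ("Set-Cookie", "PHPSESSID=9a8b7c; path=/")]
M2_BODY = """<html><head>
<script src="/static/version1609459200/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script data-requiremodule="mage/apply/main" src="/static/version1609459200/frontend/Magento/luma/en_US/mage/apply/main.js"></script>
</head><body></body></html>"""

OTHER_HEADERS = [("Server", "nginx"), ("Set-Cookie", "frontend=1; path=/")]
OTHER_BODY = '<html><head><link href="/wp-content/themes/storefront/style.css"></head></html>'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(fingerprint_url(sys.argv[1]))
    else:
        for name, h, b in (("m1", M1_HEADERS, M1_BODY), ("m2", M2_HEADERS, M2_BODY),
                           ("other", OTHER_HEADERS, OTHER_BODY)):
            print(name, fingerprint(h, b))
```

The third sample is the reason the cookie rule is treated as weak: a non-Magento site that happens to set a cookie called frontend trips only that rule and is reported as not Magento. Note also that the number in a Magento 2 /static/version.../ path is a deployment timestamp, not the Magento version; none of these markers gives you an exact version, which is what Magescan is for.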
Scan the Site
There is a nice tool that reports information about the site, the possibly vulnerable extensions it has installed, and the paths that should be hidden from the public but are not. It is the tool you would least expect to work, yet it is the best one to start with: you will be surprised how many installations let anonymous users read things they should not.
The tool is called Magescan.
Run it with php magescan.phar scan:all http://example.com
This will give you results like:
Magento Information
+-----------+------------------+
| Parameter | Value            |
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.9.2.1, 1.9.2.2 |
+-----------+------------------+
Installed Modules
No detectable modules were found
Catalog Information
+------------+-------+
| Type       | Count |
+------------+-------+
| Categories | 14    |
| Products   | 1146  |
+------------+-------+
Patches
+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+
Sitemap
Sitemap is not declared in robots.txt
Sitemap is accessible: http://www.example.com/sitemap.xml
Server Technology
+--------------+-------------------------+
| Key          | Value                   |
+--------------+-------------------------+
| Server       | Apache                  |
| X-Powered-By | PHP/5.6.29-1~dotdeb+7.1 |
+--------------+-------------------------+
Unreachable Path Check
+----------------------------------------------+---------------+--------+
| Path                                         | Response Code | Status |
+----------------------------------------------+---------------+--------+
| .bzr/                                        | 404           | Pass   |
| .cvs/                                        | 404           | Pass   |
| .git/                                        | 404           | Pass   |
| .git/config                                  | 404           | Pass   |
| .git/refs/                                   | 404           | Pass   |
| .gitignore                                   | 404           | Pass   |
| .hg/                                         | 404           | Pass   |
| .idea                                        | 404           | Pass   |
| .svn/                                        | 404           | Pass   |
| .svn/entries                                 | 404           | Pass   |
| admin/                                       | 200           | Fail   |
| admin123/                                    | 404           | Pass   |
| adminer.php                                  | 404           | Pass   |
| administrator/                               | 404           | Pass   |
| adminpanel/                                  | 404           | Pass   |
| aittmp/index.php                             | 404           | Pass   |
| app/etc/enterprise.xml                       | 403           | Pass   |
| app/etc/local.xml                            | 403           | Pass   |
| backend/                                     | 404           | Pass   |
| backoffice/                                  | 404           | Pass   |
| beheer/                                      | 404           | Pass   |
| capistrano/config/deploy.rb                  | 404           | Pass   |
| chive                                        | 404           | Pass   |
| composer.json                                | 200           | Fail   |
| composer.lock                                | 404           | Pass   |
| config/deploy.rb                             | 404           | Pass   |
| control/                                     | 404           | Pass   |
| dev/tests/functional/etc/config.xml          | 200           | Fail   |
| downloader/index.php                         | 200           | Fail   |
| index.php/rss/order/NEW/new                  | 401           | Pass   |
| info.php                                     | 200           | Fail   |
| mageaudit.php                                | 404           | Pass   |
| magmi/                                       | 404           | Pass   |
| magmi/conf/magmi.ini                         | 404           | Pass   |
| magmi/web/magmi.php                          | 404           | Pass   |
| manage/                                      | 404           | Pass   |
| management/                                  | 404           | Pass   |
| manager/                                     | 404           | Pass   |
| modman                                       | 200           | Fail   |
| p.php                                        | 404           | Pass   |
| panel/                                       | 404           | Pass   |
| phpinfo.php                                  | 200           | Fail   |
| phpmyadmin                                   | 404           | Pass   |
| README.md                                    | 200           | Fail   |
| README.txt                                   | 404           | Pass   |
| shell/                                       | 403           | Pass   |
| shopadmin/                                   | 404           | Pass   |
| site_admin/                                  | 404           | Pass   |
| var/export/                                  | 403           | Pass   |
| var/export/export_all_products.csv           | 403           | Pass   |
| var/export/export_customers.csv              | 403           | Pass   |
| var/export/export_product_stocks.csv         | 403           | Pass   |
| var/log/                                     | 403           | Pass   |
| var/log/exception.log                        | 403           | Pass   |
| var/log/payment_authnetcim.log               | 403           | Pass   |
| var/log/payment_authorizenet.log             | 403           | Pass   |
| var/log/payment_authorizenet_directpost.log  | 403           | Pass   |
| var/log/payment_cybersource_soap.log         | 403           | Pass   |
| var/log/payment_ogone.log                    | 403           | Pass   |
| var/log/payment_payflow_advanced.log         | 403           | Pass   |
| var/log/payment_payflow_link.log             | 403           | Pass   |
| var/log/payment_paypal_billing_agreement.log | 403           | Pass   |
| var/log/payment_paypal_direct.log            | 403           | Pass   |
| var/log/payment_paypal_express.log           | 403           | Pass   |
| var/log/payment_paypal_standard.log          | 403           | Pass   |
| var/log/payment_paypaluk_express.log         | 403           | Pass   |
| var/log/payment_pbridge.log                  | 403           | Pass   |
| var/log/payment_verisign.log                 | 403           | Pass   |
| var/log/system.log                           | 403           | Pass   |
| var/report/                                  | 403           | Pass   |
+----------------------------------------------+---------------+--------+
This is useful information. The Fail rows of the Unreachable Path Check usually give the best results: here admin/, downloader/index.php, info.php, phpinfo.php, composer.json, modman, README.md and dev/tests/functional/etc/config.xml all answered 200 to an anonymous request. A Pass only means the path returned 401, 403 or 404 in this run. Unknown in the Patches table means Magescan could not tell whether that SUPEE patch is applied, not that it is missing, so compare the detected version against the SUPEE release notes yourself. The X-Powered-By header leaks the exact PHP build; expose_php = Off in php.ini removes it.
Visit the failing paths and see what is there. You might get a nice README.md describing the deployment, a phpinfo() page listing the PHP configuration,
or database credentials: Magento 1 keeps them in app/etc/local.xml, which is why that path and the var/ directories are on the list even though they were blocked here.
There are also files outside Magescan's list worth looking for, like the Simple PHP File Manager (file_manager.php).
Some developers just don't care and commit it to the web root of a Magento site, so anyone who finds the file can delete every file on the production server.
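The Unreachable Path Check is simple enough to reproduce, and doing so shows one thing a status-only verdict misses: a site whose custom error page answers 200 for every unknown URL makes a naive scan report every path as Fail. The script below is an added example (my code, not Magescan's). PATHS is a subset of the table above, the verdict rule mirrors it (2xx is Fail, everything else Pass), and the random-path baseline, the fetcher interface and the fake site used for the offline run are my additions.

```python
"""Added example (not Magescan's own code) of the idea behind its "Unreachable
Path Check": request paths that should never be public and flag the ones the
server serves.  PATHS is a subset of the list in the output above and the
Pass/Fail rule (2xx = exposed) mirrors it; the soft-404 baseline and the fake
site used for the offline demo are my additions."""
import hashlib
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]   # path -> (HTTP status, body)

# Subset of the paths in the scan output above; extend as needed.
PATHS = [
    ".git/config", ".svn/entries", "admin/", "downloader/index.php",
    "app/etc/local.xml", "composer.json", "modman", "README.md",
    "dev/tests/functional/etc/config.xml", "info.php", "phpinfo.php",
    "magmi/web/magmi.php", "shell/", "var/export/export_customers.csv",
    "var/log/system.log", "var/log/exception.log", "var/report/",
    "index.php/rss/order/NEW/new",
]


def http_fetch(base_url: str) -> Fetch:
    """Real fetcher: GET base_url/<path>.  urllib follows redirects, so a
    302 to a login page is reported with that page's final status."""
    def fetch(path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + path,
                                     headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read(65536)
        except urllib.error.HTTPError as err:      # urllib raises on 4xx/5xx
            return err.code, err.read(65536)
    return fetch


def check_paths(fetch: Fetch, paths: List[str] = PATHS) -> List[Dict]:
    """One row per path: {"path", "status", "exposed", "note"}."""
    # Soft-404 baseline: if a random nonsense path also answers 200, a bare
    # 200 proves nothing, so remember that error page and compare bodies.
    base_status, base_body = fetch("does-not-exist-" + secrets.token_hex(6))
    soft404 = hashlib.sha256(base_body).digest() if base_status // 100 == 2 else None
    rows = []
    for path in paths:
        status, body = fetch(path)
        exposed, note = status // 100 == 2, ""
        if exposed and soft404 and hashlib.sha256(body).digest() == soft404:
            exposed, note = False, "soft 404 (same body as a random path)"
        elif status in (401, 403):
            note = "blocked"
        rows.append({"path": path, "status": status, "exposed": exposed, "note": note})
    return rows


def exposed_paths(rows: List[Dict]) -> List[str]:
    """The Fail rows, in scan order."""
    return [r["path"] for r in rows if r["exposed"]]


def render(rows: List[Dict]) -> str:
    """Plain-text table in the spirit of Magescan's output."""
    width = max(len(r["path"]) for r in rows)
    out = [f"{'Path':<{width}}  Code  Status  Note"]
    for r in rows:
        verdict = "Fail" if r["exposed"] else "Pass"
        out.append(f"{r['path']:<{width}}  {r['status']:<4}  {verdict:<6}  {r['note']}")
    return "\n".join(out)


# Constructed fake site for the offline demo: path -> (status, body).  Any
# path not listed gets a custom "not found" page served with status 200, the
# soft-404 behaviour that makes a status-only check report false positives.
FAKE_SITE = {
    "admin/": (200, b"<title>Magento Admin</title>"),
    "phpinfo.php": (200, b"<title>phpinfo()</title>"),
    "composer.json": (200, b'{"name": "shop/site"}'),
    "README.md": (200, b"# Deployment notes"),
    "app/etc/local.xml": (403, b"Forbidden"),
    "index.php/rss/order/NEW/new": (401, b"Unauthorized"),
    ".git/config": (404, b"Not Found"),
}
SOFT_404_PAGE = b"<title>Page not found</title>"


def fake_fetch(path: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(path, (200, SOFT_404_PAGE))


if __name__ == "__main__":
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch
    print(render(check_paths(fetch)))
```

Run it with a base URL to scan a store you are authorized to test, or with no arguments for the demo against the fake site, where downloader/index.php comes back 200 but is correctly reported as Pass because its body is the generic error page. The baseline is a single random path at the web root, so a rewrite rule that handles, say, *.php or one subdirectory differently can still yield a 200 that is not the generic error page; look at body size and title by hand for anything surprising before calling it exposed.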
Next Steps
The information has now been gathered; the next step is up to you… If the store is yours, start with the Fail rows: deny every path that returned 200 in the web server configuration or remove it from the web root (info.php, phpinfo.php, README.md, composer.json, modman and dev/ have no business being served), then apply the SUPEE patches that match the detected version.