Monday, August 29, 2016

Magmi Magento Mass Importer PHP Injection

Sample PHP injection attempt on Magento Mass Importer from Friday 8/26

GET/mygarmoemagmi/plugins/plugin.php?uors=eval('echo 10000000000-192853746;');

It would appear the attacker knows about a parameter called uors that may be passed to eval() as raw PHP. The payload simply echoes the result of an arithmetic expression (10000000000-192853746); if that result shows up in the HTTP response body, the attacker knows the server evaluated the code and is vulnerable.

Update: another Magmi attack attempt below, this time a directory traversal rather than code execution:

GET/magmi/web/download_file.php?file=../../app/etc/local.xml

The file parameter is used to step up from magmi/web/ to the Magento root and read app/etc/local.xml, which on Magento 1 holds the database credentials, so a successful request hands over the database.
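A small detection script for both probes, added here as an example (it is not from the original post). It parses constructed web-server log lines modelled on the two requests above, flags any Magmi request carrying an eval( call in a query parameter or a traversal sequence in the file parameter, and includes a helper that checks a stored response body for the echoed arithmetic result, which is what distinguishes a successful probe from a failed one. The log format, IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined-log style); the request targets mirror
# the two Magmi probes quoted in the post, the third line is normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2016:10:15:02 +0000] "GET /mygarmoemagmi/plugins/plugin.php?uors=eval('echo%2010000000000-192853746;'); HTTP/1.1" 200 512
203.0.113.5 - - [26/Aug/2016:10:15:03 +0000] "GET /magmi/web/download_file.php?file=../../app/etc/local.xml HTTP/1.1" 200 2048
198.51.100.7 - - [26/Aug/2016:10:16:00 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The value PHP would print for the probe's expression; seeing it in a response
# means attacker-supplied code was evaluated.
EXPECTED_ECHO = str(10000000000 - 192853746)  # "9807146254"


def classify(line):
    """Parse one log line and return the suspicious findings for it (if any)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    # parse_qs already URL-decodes once; unquote() below decodes a second time
    # so double-encoded payloads are still caught.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if "magmi" in path:
        # Any parameter whose value contains a PHP eval( call (the uors probe).
        for name, values in params.items():
            for v in values:
                if re.search(r'\beval\s*\(', unquote(v), re.I):
                    findings.append(f"php-eval-probe param={name}")
        # download_file.php with a traversal sequence in file= (the local.xml probe).
        if path.endswith("download_file.php"):
            for v in params.get("file", []):
                decoded = unquote(v)
                if "../" in decoded or "..\\" in decoded:
                    findings.append(f"path-traversal file={decoded}")
    return {"ip": m.group("ip"), "status": m.group("status"), "findings": findings}


def scan(log_text):
    """Return the parsed records that carry at least one finding."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


def response_leaks_eval(body):
    """True if a stored HTTP response body contains the echoed arithmetic result,
    i.e. the server executed the probe's PHP."""
    return EXPECTED_ECHO in body


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], "; ".join(rec["findings"]))
```

Run against real access logs, the scan() result is what to alert on; the response_leaks_eval() check only makes sense where response bodies are captured (a WAF or full-packet capture), and a 200 status alone does not prove the eval succeeded.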

More about neonprimetime
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
