SessionReaper in Adobe Commerce / Magento Open Source
CVE-2025-54236, also referred to publicly as SessionReaper, is a critical improper input validation vulnerability in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Public sources consistently describe the flaw as affecting the Commerce REST API, with several identifying the vulnerable path as /customer/address_file/upload and the vulnerable code path as ServiceInputProcessor.php, specifically getConstructorData(). The issue arises from insufficient validation of attacker-controlled nested input structures during request processing, enabling unsafe nested deserialization and arbitrary PHP object instantiation. Attackers can submit crafted REST API payloads that manipulate session-related state and bypass normal security controls, resulting in session takeover of customer or administrator accounts without user interaction. Several sources further state that, under certain conditions, especially where file-based session storage is used, the flaw can be chained into unauthenticated remote code execution and webshell deployment.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a real exploit lab and PoC for CVE-2025-54236 ('SessionReaper'), targeting Magento Open Source and Adobe Commerce up to 2.4.7. The main exploit is `SessionReaper-CVE-2025-54236/session_reaper.py`, a standalone Python script that automates an unauthenticated deserialization-to-RCE chain. It generates a serialized PHP gadget with phpggc (`Guzzle/FW1`), stores it in a fake `sess_<id>` file, uploads that file through `/customer/address_file/upload`, abuses nested JSON deserialization in Magento's `ServiceInputProcessor` to override `session.save_path` to the upload directory, and then triggers PHP session loading with a crafted `PHPSESSID`. Successful exploitation causes PHP to deserialize the attacker-controlled session content and write a PHP payload to disk, typically under `pub/errors/`, yielding a reachable webshell. Repository structure is split into three logical parts: (1) the exploit PoC under `SessionReaper-CVE-2025-54236/`, including `session_reaper.py` and a minimal default `payload.php`; (2) reusable payload artifacts under `payloads/`, including a command webshell and a prebuilt serialized session payload; and (3) a full Dockerized vulnerable Magento lab under `lab-magento/`, with Dockerfile, compose stack, nginx/PHP configuration, and an installation script that intentionally enables file-based sessions and guest checkout. The lab is clearly designed to reproduce the vulnerability safely and consistently. Exploit capabilities are substantial: unauthenticated remote exploitation, multiple deserialization trigger methods (`address`, `checkmo`, `order` per the documentation), optional use of a real guest cart/SKU flow, automatic phpggc discovery or Docker fallback, upload of malicious session files, session path redirection, and arbitrary PHP file write leading to command execution. The included payloads demonstrate both benign validation (`phpinfo`) and active post-exploitation (`system($_GET['cmd'])`). 
This is not a scanner or detector; it is an operational PoC with a basic but functional payload chain.
This repository contains a single Python exploit script, blabla.py, plus a README. The script is a multithreaded mass-exploitation tool targeting a claimed Magento file upload vulnerability identified in the README as CVE-2025-54236. Its purpose is not merely detection: it attempts to upload a text file to each supplied target, verifies whether the file becomes publicly accessible, and then reports successful targets. Operational flow: the script reads hosts from a user-supplied list file, normalizes them to HTTP(S) URLs, and processes them with 10 worker threads. For each host, it generates a random form_key, sends a multipart POST request to /customer/address_file/upload, and places the payload in the custom_attributes[country_id] field as dog.txt with text/plain content. If the server returns JSON containing a file path, the script then probes likely public media locations (/media/customer_address, /pub/media/customer_address, /media plus returned file path) to confirm the uploaded file is reachable. The verification logic is more than a simple status-code check: it first fetches a random nonexistent path to establish baseline error-page content, then compares retrieved content against common error keywords and a similarity threshold to avoid false positives caused by custom 404 pages. If the uploaded content is confirmed, the script records the host as vulnerable and prints the accessible media URL. A notable secondary capability is automatic submission of successful URLs to Zone-H via http://www.zone-h.org/notify/single using form fields defacer, domain1, hackmode, and reason. This indicates the tool is intended for website defacement reporting rather than benign validation alone. Overall, the repository is small and straightforward: one README and one Python 2-style script using requests, threading, Queue, and difflib. 
The exploit is operational, supports bulk target processing, includes basic validation and error handling, and carries a hardcoded defacement-style payload rather than a customizable shell or code execution stage.
This repository is a small, focused exploit PoC for CVE-2025-54236 ('SessionReaper'), targeting Magento 2 / Adobe Commerce. It contains three files: a detailed README, a Python exploit driver (session_reaper.py), and a minimal PHP payload (payload.php). The Python script is the main entry point and operational exploit. It automates the full attack chain: resolving phpggc locally or via Docker, validating/loading a local PHP payload, optionally authenticating or operating as guest, optionally verifying a SKU and creating a guest cart, generating a malicious serialized session object with the Guzzle/FW1 gadget chain, uploading that fake session file through /customer/address_file/upload, triggering one of three deserialization vectors (address, checkmo, or order), and finally directing the operator to check the dropped PHP file at /errors/404.php. The included payload is benign-looking test code (phpinfo), but the mechanism supports arbitrary PHP content. The exploit is clearly intended for remote unauthenticated web exploitation against vulnerable Magento instances using file-based sessions, and it provides real exploitation capability rather than mere detection. The README documents the vulnerability, attack stages, prerequisites, and the three supported vectors, while the Python code implements the automation and dependency handling.
Repository contains a minimal PoC for CVE-2025-54236 targeting Magento/Adobe Commerce 2.4.x, demonstrating likely PHP object injection leading to RCE using a Monolog gadget (Monolog\Handler\ProcessHandler).
Structure:
- README.md: step-by-step exploitation workflow: generate a serialized payload, upload it to a Magento customer address file upload endpoint, parse the JSON response to obtain a file-view URL, then request that URL to trigger execution.
- generate_payload.php: payload generator that defines a minimal ProcessHandler class in the Monolog\Handler namespace with private fields `command` (attacker-controlled) and `cwd` (fixed to /tmp), instantiates it with a supplied command, serializes the object, and prints the serialized string.
Exploit capabilities:
- Generates an attacker-controlled PHP serialized object payload intended to be deserialized by the target.
- Achieves arbitrary command execution (demonstrated with `touch /tmp/...`) when the uploaded payload is later accessed via the returned viewfile URL.
Notable targeting details:
- Example target endpoints in README: POST upload to `https://mivetshop.com.ar/customer/address_file/upload` with multipart field `custom_attributes[country_id]=@poc_session.txt` and a `form_key` cookie/field; trigger via returned `https://www.mivetshop.com.ar/customer_custom_attributes/address_file/viewfile/file/<base64-ish>/` URL.
- The PoC is not a scanner; it is an exploit demonstration with a simple, user-supplied command payload generator.
This repository provides a working exploit for CVE-2025-54236, a critical unauthenticated remote code execution vulnerability in Adobe Commerce (Magento) via unsafe deserialization in the ServiceInputProcessor class. The exploit leverages the Magento REST API, specifically the /rest/V1/guest-carts and /rest/V1/guest-carts/{cart_id}/estimate-shipping-methods endpoints, to inject a malicious serialized PHP object (using either a Laminas or Monolog gadget chain) into the 'region' or 'extension_attributes' fields of the address object. The payload is generated using the included PHP script (generate_payload.php), which creates a serialized Monolog ProcessHandler object that executes arbitrary system commands. The main exploitation logic is implemented in session_reaper.py, which automates payload generation, cart creation, and payload delivery. The exploit.py script provides a simpler proof-of-concept using a hardcoded payload. The YAML file (CVE-2025-54236.ymal) describes a detection template for the vulnerability, suitable for automated scanners. The repository is operational and provides all necessary components for successful exploitation, assuming the target is vulnerable and accessible.
This repository contains a single Metasploit module (magento_sessionreaper.rb) that exploits CVE-2025-54236, a critical unauthenticated remote code execution vulnerability in Magento/Adobe Commerce 2.x. The exploit leverages improper nested deserialization and an unauthenticated file upload endpoint to achieve code execution. The attack chain involves uploading a malicious PHP session file via /customer/address_file/upload, then triggering deserialization and execution via the /rest/default/V1/guest-carts/{cart_id}/order endpoint. The module supports multiple payloads, including PHP Meterpreter and command shells for Unix/Linux and Windows. The code is mature, weaponized, and part of the Metasploit framework, making it easy to use and customize. The only file in the repository is the exploit module itself, written in Ruby, and it is fully operational for targeting unpatched Magento 2.x instances with file-based session storage.
This repository is an educational lab simulating the core vulnerability reported in CVE-2025-54236 ("SessionReaper"). The lab consists of a minimal PHP web application running in a Docker container. The main vulnerability is in 'public/api/service.php', which accepts POSTed JSON and unsafely trusts nested fields under 'payload', leading to a command injection sink via the 'cmd' field. The exploit ('exploit.sh') sends a crafted JSON payload to the API endpoint, triggering command execution and reading the flag from '/opt/flag.txt'. The flag is generated fresh on each container start by 'entrypoint.sh'. The repository includes setup files (Dockerfile, entrypoint.sh), the exploit script, the vulnerable PHP API, and a simple HTML index page. The main purpose is to provide a safe environment to practice exploiting nested JSON vulnerabilities and command injection, not to target real-world systems.
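The summaries above share one observable pattern from the defender's side: an unauthenticated POST to /customer/address_file/upload, followed shortly by a request that triggers or uses the result (the guest-cart order or estimate-shipping-methods endpoints, the address_file viewfile URL, or a dropped file under errors/ or pub/errors/). The following is an added example, not code from any of the repositories described here or from Adobe: a small Python log-correlation check that flags client addresses showing that sequence in a combined-format web access log. The log lines are constructed samples, and the path patterns and severity labels are my assumptions derived from the summaries above, not a vendor-published detection rule. Log lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict

# Combined/common log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The upload endpoint every PoC above starts from.
UPLOAD_PATH = "/customer/address_file/upload"

# Follow-on requests named in the exploit summaries (assumed patterns, not a vendor rule):
FOLLOWUP_PATTERNS = (
    re.compile(r"^/(pub/)?errors/"),                       # dropped PHP file under (pub/)errors/
    re.compile(r"^/customer_custom_attributes/address_file/viewfile/"),  # viewfile URL from upload response
    re.compile(r"^/rest/[^/]+/V1/guest-carts/[^/]+/(order|estimate-shipping-methods)$"),
)

# Constructed sample log: one suspicious client, one ordinary customer who only
# uploaded an address attachment, and one unrelated browsing client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /rest/default/V1/guest-carts/abc123/order HTTP/1.1" 500 88 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2025:12:00:03 +0000] "GET /errors/404.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:12:05:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 280 "https://shop.example/customer/address/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:12:06:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_sessionreaper_indicators(lines):
    """Group requests by client IP and report clients that hit the upload
    endpoint; severity is 'high' when a follow-on trigger/use request follows,
    'medium' when only the upload was seen (could be a legitimate customer)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        upload_positions = [
            i for i, r in enumerate(recs)
            if r["method"] == "POST" and r["path"] == UPLOAD_PATH
        ]
        if not upload_positions:
            continue
        # Only requests after the first upload count as follow-ons.
        later = recs[upload_positions[0] + 1:]
        followups = [
            r["path"] for r in later
            if any(p.match(r["path"]) for p in FOLLOWUP_PATTERNS)
        ]
        findings.append({
            "ip": ip,
            "uploads": len(upload_positions),
            "followups": followups,
            "severity": "high" if followups else "medium",
        })
    return findings


def scan_sample():
    """Run the check over the constructed sample log."""
    return find_sessionreaper_indicators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['severity']:6} {f['ip']:14} uploads={f['uploads']} followups={f['followups']}")
```

In production the medium findings need context (the referrer from the storefront address page is a useful benign signal, as in the sample), and the high findings are the ones to pivot on: check the upload directory and errors/ for unexpected PHP files, and review whether session.save_handler is set to files, since every PoC above depends on file-based session storage.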
Affected products & vendors
Recent activity
221 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability dubbed SessionReaper affecting Magento, referenced as a Metasploit module PR.
A critical improper input validation flaw in Adobe Commerce, Adobe Commerce B2B, and Adobe Magento Open Source that allows unauthenticated remote session takeover.
A critical zero-day in Magento/Adobe Commerce that allows authentication bypass via reuse of invalid session tokens, enabling session hijacking and leading to full server compromise (including remote code execution).
A critical Adobe Commerce/Magento vulnerability that can allow customer account takeover.