CVE-2016-4010

This exploit leverages an unauthenticated arbitrary unserialize vulnerability in Magento (CVE-2016-4010) to achieve arbitrary file write. It constructs a malicious serialized payload to trigger the vulnerability, potentially leading to remote code execution.

This is a detailed technical analysis of CVE-2016-4010, a Magento unauthenticated remote code execution vulnerability. It explains the root cause involving SOAP API deserialization flaws and object injection via the 'additional_information' field in the Payment class.

This repository contains a functional exploit for CVE-2016-4010, a PHP object injection vulnerability in Magento. The exploit leverages deserialization to achieve remote code execution by crafting a malicious payload that writes a PHP shell to the target system.

This Metasploit module exploits a PHP object injection vulnerability (CVE-2016-4010) in Magento 2.0.6 or prior, leveraging unserialize to achieve remote code execution via crafted payloads.