From a525e8c80a6678d3044376287253c4eca5a82430 Mon Sep 17 00:00:00 2001
From: meme-lord <17912559+meme-lord@users.noreply.github.com>
Date: Mon, 26 Jul 2021 18:10:23 +0100
Subject: [PATCH 1/3] Added Prestashop module fuzz template

---
 fuzzing/prestashop-module-fuzz.yaml      |  35 ++
 helpers/wordlists/prestashop-modules.txt | 639 +++++++++++++++++++++++
 2 files changed, 674 insertions(+)
 create mode 100644 fuzzing/prestashop-module-fuzz.yaml
 create mode 100644 helpers/wordlists/prestashop-modules.txt

diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml
new file mode 100644
index 0000000000..4ea4775c8a
--- /dev/null
+++ b/fuzzing/prestashop-module-fuzz.yaml
@@ -0,0 +1,35 @@
+id: prestashop-module-fuzz
+info:
+  name: Prestashop Modules Fuzz
+  author: meme-lord
+  severity: info
+  tags: fuzz,prestashop
+
+requests:
+
+  - payloads:
+      path: helpers/wordlists/prestashop-modules.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET /modules/{{path}}/config.xml HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Accept-Language: en-US,en;q=0.5
+        Referer: {{BaseURL}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<module>"
+
+    extractors:
+      - type: regex
+        part: body
+        group: 2
+        regex:
+          - '<version>(<!\[CDATA\[)?([0-9.]+)'
diff --git a/helpers/wordlists/prestashop-modules.txt b/helpers/wordlists/prestashop-modules.txt
new file mode 100644
index 0000000000..d0468a61d0
--- /dev/null
+++ b/helpers/wordlists/prestashop-modules.txt
@@ -0,0 +1,639 @@
+1attributewizardpro
+AddGoogleStructuredData
+AddGoogleTagManager
+Back-to-Top-Module-Prestashop-1.7
+CBAMP
+ChangeOrderIndex
+EuCookieSmart
+NetLicensing-PrestaShop
+PS-Get-Free-Shipping
+PS-Sendy
+PayPal
+PrestaShop-Module-Image-Rollover
+PrestaShop-module-Pays
+PrestaShop3D
+PrestaShop_1.6.0.9_Ukraine
+Prestashop-BBL-Bankwire
+Prestashop-ProductsScripsAndCss
+Prestashop-SCB-Bankwire
+Rasa-Integration-Project
+Rave-Payment-Gateway-for-Prestashop-1.7
+SMSIR-Prestashop
+Security-Lite
+SimpleCatalog
+TurkPos-Sanal-Pos-Uygulamasi-Prestashop-Modulu
+a2hosting
+a_crisp
+activecampaign
+adminlistproduct
+adpmicrodatos
+adscale
+adv_customer
+advancedeucompliance
+advancedexport
+advancedslider
+algolia
+alipay
+also
+amazzingfilter
+amzpayments
+angarbanners
+angarcmsinfo
+angarfacebook
+artisan-doc
+attributewizardpro
+attributewizardpro.OLD
+attributewizardpro_x
+attributwizardpro
+authorizeaim
+autoindex
+autoupgrade
+azleasyssl
+ba_prestashop_invoice
+backwardcompatibility
+bamegamenu
+bankwire
+becommerce
+blackholebots
+blockadvertising
+blockbanner
+blockbestsellers
+blockcart
+blockcategories
+blockcms
+blockcmsinfo
+blockcontact
+blockcontactinfos
+blockcounterz
+blockcurrencies
+blockcustomergroup
+blockcustomerprivacy
+blockfacebook
+blocklanguages
+blocklayered
+blocklink
+blockmanufacturer
+blockmyaccount
+blockmyaccountfooter
+blocknewproducts
+blocknewsletter
+blockpaymentlogo
+blockpermanentlinks
+blockreassurance
+blockreinsurance
+blockrss
+blocksearch
+blocksharefb
+blocksocial
+blockspecials
+blockstore
+blocksupplier
+blocktags
+blocktopmenu
+blockuserinfo
+blockviewed
+blockwishlist
+bluesnap
+bnclearcarts
+bonmarkup
+boxdropshipment
+boxtal-connect-prestashop
+bpostshm
+brainweboptionaldni
+brinkscheckout
+bvkpaymentfees
+carriercompare
+cartabandonmentpro
+cartabandonmentproOld
+cashondelivery
+checkyourdata
+cheque
+chronopost
+cleancarroussel
+cleverppc
+clickline
+clientlogin
+cloudswipe-prestashop
+codwfeeplus
+columnadverts
+columnadverts2
+compta-vente
+connect2pay-prestashop-module
+contactform
+convermax
+countdowntimerbar
+cronjobs
+crossselling
+customerfield
+customers
+cy_multibankwire
+dashactivity
+dashgoals
+dashproducts
+dashtrends
+dateofdelivery
+deactivateproducts
+demo-cqrs-hooks-usage-module
+demonstration
+desjardins
+doctrine
+dotpay
+dpdfrance
+dpdgroup
+dpdpoland
+easymarketing
+ebay
+ecopresto
+editorderpro
+editorial
+emailgenerator
+emarketing
+envoimoinscher
+erpillicopresta
+esat-prestashop
+etdoptimizer
+etranslation
+eurovatgenerator
+everblock
+everpsblog
+everpsclickandcollect
+everpscss
+everpscustomerconnect
+everpsorderoptions
+everpspopup
+example-modules
+example_module_mailtheme
+expresscache
+expressmailing
+faceshop
+famebit
+fasardixml
+favicon_notification
+favoriteproducts
+fbsample-addcolumninprodlist
+fbsample-advconfig
+fbsample-bocontroller
+fbsample-bologactivity
+fbsample-botraining
+fbsample-callbundle
+fbsample-console
+fbsample-extracustomerfield
+fbsample-jsaddvariable
+fbsample-order
+fbsample-orderconditions
+fbsample_legacyvsmodern
+fbsample_messageoftheday
+fedexcarrier
+feedaty
+feeder
+fianetfraud
+fianetsceau
+fieldbannerslider
+fieldbestsellers
+fieldblockcategories
+fieldblocksearch
+fieldblockwishlist
+fieldblogcategories
+fieldblogpopularposts
+fieldblogrecentposts
+fieldblogsearch
+fieldblogtags
+fieldbrandslider
+fieldcompare
+fieldcustomaddtabs
+fieldhtmlblock
+fieldmegamenu
+fieldonecateproductslider
+fieldpopupnewsletter
+fieldproductcates
+fieldproductcomments
+fieldsizechart
+fieldslideshow
+fieldspecialproduct
+fieldspecialproductdeal
+fieldstaticblocks
+fieldstaticfooter
+fieldtabcateslider
+fieldtabproductsisotope
+fieldtestimonials
+fieldthemecustomizer
+fieldvmegamenu
+firebaseauthenticator
+firstdata
+followup
+followup/mails/pt
+fontmanager
+fop_console
+fop_customcss
+frenet_prestashop
+gadwords
+gamification
+gamifications
+ganalytics
+gapi
+gapps
+gateway-prestashop-module
+globkurier
+gmseofields
+gointerpay
+googletag
+graphartichow
+graphgooglechart
+graphnvd3
+graphvisifire
+graphxmlswfcharts
+gridhtml
+gshoppingfeed
+gsitemap
+gwadvancedinvoice
+hipay
+hipaymobileivr
+holidaysmode
+homecategoriez
+homefeatured
+homepageadvertise
+homepageadvertise2
+homeslider
+idx_config
+ifthenpay_mbway
+importerosc
+iqitadditionaltabs
+iqitaddthisplugin
+iqitcompare
+iqitcontactpage
+iqitcookielaw
+iqitcountdown
+iqitcrossselling
+iqitdashboardnews
+iqitelementor
+iqitemailsubscriptionconf
+iqitextendedproduct
+iqitfreedeliverycount
+iqithtmlandbanners
+iqitlinksmanager
+iqitmegamenu
+iqitpopup
+iqitproductsnav
+iqitproducttags
+iqitsearch
+iqitsizecharts
+iqitsociallogin
+iqitthemeeditor
+iqitwishlist
+jbx_menu
+jk_opengraph
+jph_mymodule
+jro_homepageadvertise
+jsonws
+jxcompareproduct
+jxwishlist
+kbmarketplace
+kiala
+kialasmall
+klikandpay
+komfortkasse-prestashop
+kuantokusta
+labodata-prestashop
+layerslider
+lendingclub
+lgcomments
+lgfreeshippingzones
+lgseoredirect
+liveperson
+loyalty
+loyaltylion
+mailalerts
+mailjet
+masseditproduct
+mautic-prestashop
+mcps_popup
+mediafinanz
+mercadopagobr
+merchantware
+migrationpro
+mobfirst
+modules
+moloni
+mondialrelay
+monetivo-prestashop
+ms_category_color
+ms_products_override
+multibanco
+my_first_module_for_presta
+myhreflang
+netreviews
+newsletter
+newsletterpopupli
+nimblepayment
+nosto-prestashop
+nostotagging
+nqgatewayneteven
+nvn_export_orders
+odexportproducts
+ogone
+olark
+onboarding
+oneandonehosting
+only18plus
+openfactura-prestashop
+openpayprestashop
+orderfees_shipping
+orderfiles
+oscmigrationpro
+ovhhosting
+packlinkpro
+pagesnotfound
+pagseguro
+paymentexample
+paypal
+paypalmx
+paypalusa
+payplug
+paysera
+payulatam
+peinau-plugin-prestashop
+pgc-prestashop
+ph_blog_column_custom
+ph_relatedposts
+ph_simpleblog
+phfbchat
+phpist_github
+phpistcustomerregistrationblocker
+pigmbhpaymill
+pixelcrush-prestashop
+pixelfeed
+pk_flexmenu
+pk_vertflexmenu
+plugin-prestashop-1.6.x
+plugin-prestashop-1.7.x
+posbestsellers
+poscountdown
+posfeaturedproducts
+posfeatureproduct
+posfraction
+poslistcategories
+poslistcategory
+poslistcategoryproducts
+poslogo
+posmegamenu
+posmodeproduct
+posnewproducts
+posproductcates
+posrotatorimg
+posscroll
+possearchcategories
+posslideshow
+posslideshows
+posspecialproduct
+posspecialproducts
+posspecialsproducts
+posstaticblocks
+posstaticfooter
+postabcateslider
+postabproduct
+postabproductslider
+postcodenl
+postestimonials
+posthemeoptions
+posvegamenu
+powatag
+ppb
+prestacollege
+prestafraud
+prestahop-module
+prestaliexpress
+prestapay
+prestapopup
+prestasex
+prestashippingeasy
+prestashop
+prestashop-1.6
+prestashop-1.6.1.6
+prestashop-1.7
+prestashop-auto-exploit
+prestashop-clean-urls
+prestashop-dashcalendar
+prestashop-datalayer-tracking
+prestashop-dotfiles
+prestashop-ee
+prestashop-exportorders
+prestashop-homeyoutube
+prestashop-intergration
+prestashop-localeswitcher
+prestashop-module
+prestashop-multishopselector
+prestashop-payment-integration-novalnet
+prestashop-paymentrestrictionsip
+prestashop-payrexx-gateway
+prestashop-plugin
+prestashop-pod-payment
+prestashop-pod-sso
+prestashop-seo-tk
+prestashop-shopping-cart-message
+prestashop-souin
+prestashop-trovaprezzi
+prestashop-youtube-module
+prestashop17
+prestasms
+prestastats
+pricealert
+pricerounding
+produck-prestashop-module
+productcomments
+productcover
+productfinder16
+productpageadverts
+productpaymentlogos
+productscategory
+productsticker
+producttooltip
+protectedshops
+przelewy24
+ps-training
+ps-yme
+ps_WhatsappButton
+ps_accounts
+ps_advertising
+ps_banner
+ps_bestsellers
+ps_brandlist
+ps_buybuttonlite
+ps_carriercomparison
+ps_cashondelivery
+ps_categoryproducts
+ps_categorytree
+ps_checkout
+ps_checkpayment
+ps_contactinfo
+ps_crossselling
+ps_currencyselector
+ps_customeraccountlinks
+ps_customersignin
+ps_customtext
+ps_dataprivacy
+ps_emailalerts
+ps_emailgenerator
+ps_emailsmanager
+ps_emailsubscription
+ps_eventbus
+ps_facebook
+ps_facetedsearch
+ps_faviconnotificationbo
+ps_featuredproducts
+ps_feeder
+ps_googleanalytics
+ps_imageslider
+ps_languageselector
+ps_legalcompliance
+ps_linklist
+ps_livetranslation
+ps_mainmenu
+ps_mbo
+ps_metrics
+ps_native
+ps_newproducts
+ps_pagaqui
+ps_productinfo
+ps_quality_checklist_opquast
+ps_qualityassurance
+ps_reminder
+ps_rssfeed
+ps_searchbar
+ps_searchbarjqauto
+ps_sharebuttons
+ps_shoppingcart
+ps_socialfollow
+ps_specials
+ps_supplierlist
+ps_test
+ps_themecusto
+ps_viewedproduct
+ps_wirepayment
+psaddonsconnect
+pscartabandonmentpro
+pscleaner
+psgdpr
+psgiftcards
+psograph
+psphipay
+pspixel
+psrichsnippets
+pssupport
+rc_pganalytics
+realexredirect
+recaptcha
+referralprogram
+referralprogram/mails/pt
+reforestaction
+rem42_webservices
+remarkety
+revsliderprestashop
+revws
+safeshops
+sakgiok_latinurls
+sbe-challenge-phase4
+scamstop
+sd_eicmslinks
+securitypatch
+sekeywords
+sellstrom
+sendinblue
+sendtoafriend
+sensbitdhl
+sensbitinpost
+sensbitpaczkawruchu
+seoexpert
+seur
+sfkhreflang
+shiptomyid
+shiptopay
+shopgate
+shopimporter
+shoppingfluxexport
+simplerecaptcha
+simpleslideshow
+simplifycommerce
+sitemappro
+skebby
+skrill
+smartblog
+smartblogaddthisbutton
+smartbloghomelatestnews
+smprestaspeed
+smseourl
+social-login-prestashop
+sociallikes
+socialsharing
+socolissimo
+sofortbanking
+solrsearch
+soopabanners
+soopamobile
+stampsdotcom
+statsbestcategories
+statsbestcustomers
+statsbestmanufacturers
+statsbestproducts
+statsbestsuppliers
+statsbestvouchers
+statscarrier
+statscatalog
+statscheckup
+statsdata
+statsequipment
+statsforecast
+statsgeolocation
+statslive
+statsnewsletter
+statsorigin
+statspersonalinfos
+statsproduct
+statsprofitmargin
+statsregistrations
+statssales
+statssearch
+statsstock
+statsvisits
+stickngo
+storecommander
+stripe_official
+super-model
+tagmanager
+tawkto
+tdpsthemeoptionpanel
+text_simple
+textmaster
+themeconfigurator
+themeinstallator
+thirtybees-instamojo
+tinkoffcredit1.6
+tntcarrier
+trackingfront
+training
+translatools
+trustedshops
+twenga
+twengabid
+twengafeed
+upscarrier
+uspbar
+uspscarrier
+vatnumber
+videostab
+vtermslideshow
+vtermslidesshow
+vtpayment
+watermark
+wdoptionpanel
+welcome
+wg24themeadministration
+whatsapp
+whyloginascustomer
+xipblog
+xipblogdisplayposts
+yotpo
+yousticeresolutionsystem
+youtube_video
+zeleriscarrier
+zivosite
+zopimfree
\ No newline at end of file

From 3c9b6e955c30ad3ae87fa53125ea9dd8add294b4 Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Wed, 4 Aug 2021 21:55:59 +0530
Subject: [PATCH 2/3] Additional matchers

---
 fuzzing/prestashop-module-fuzz.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml
index 4ea4775c8a..f0af5c7704 100644
--- a/fuzzing/prestashop-module-fuzz.yaml
+++ b/fuzzing/prestashop-module-fuzz.yaml
@@ -26,6 +26,14 @@ requests:
       - type: word
         words:
           - "<module>"
+          - "<name>"
+          - "<displayName>"
+          - "</module>"
+        condition: and
+
+      - type: status
+        status:
+          - 200
 
     extractors:
       - type: regex

From d50fc14b747e96acb0ef364808e5c78244f22019 Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Wed, 4 Aug 2021 21:58:54 +0530
Subject: [PATCH 3/3] Update prestashop-module-fuzz.yaml

---
 fuzzing/prestashop-module-fuzz.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml
index f0af5c7704..434b666a00 100644
--- a/fuzzing/prestashop-module-fuzz.yaml
+++ b/fuzzing/prestashop-module-fuzz.yaml
@@ -1,6 +1,6 @@
 id: prestashop-module-fuzz
 info:
-  name: Prestashop Modules Fuzz
+  name: Prestashop Modules Enumeration
   author: meme-lord
   severity: info
   tags: fuzz,prestashop
@@ -28,6 +28,7 @@ requests:
           - "<module>"
           - "<name>"
           - "<displayName>"
+          - "<is_configurable>"
           - "</module>"
         condition: and