
CVE-2024-41651 PoC — PrestaShop Security Vulnerability

Source
Associated Vulnerability
Title: PrestaShop Security Vulnerability (CVE-2024-41651)
Description: An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
Description
CVE-2024-41651
Readme
# Blind SSRF to RCE Exploit - PrestaShop 8.1.7

This document outlines a Blind SSRF to RCE exploit on a fresh PrestaShop 8.1.7 Docker installation.

## Prerequisites

- Ensure you have at least an outdated module installed, for example:
  - `ps_facetedsearch`
- Download the original package:
  - [Download ps_facetedsearch v3.16.1](https://api.prestashop-project.org/assets/modules/ps_facetedsearch/v3.16.1/ps_facetedsearch.zip)

## Steps to Reproduce

1. **Prepare the Malicious File:**
   - Download and unzip the original package.
   - Choose a suitable file and function to inject the malicious command.
   - Payload example: Create a file in the root directory (e.g., `pwn3ed_bayram.txt`). Note: Shells could also be popped.
    ![Payload](./1.png)
   - Repack the module and host it.
    ![Repack](./2.png)
    ![Repack](./3.png)

2. **Upgrade the Module:**
   - Open the module manager in PrestaShop.
    ![Repack](./4.png)
    ![Repack](./5.png)

3. **Intercept and Modify the Request:**
   - Intercept the request.
     ![Repack](./6.png)
   - Change the `source` parameter to point to the server hosting your malicious zip file.
     ![Repack](./7.png)
     ![Repack](./8.png)
     ![Repack](./9.png)
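The step above hinges on the `source` parameter being pointed at a host other than the official package server. From the defender's side, the check that closes this gap is a strict allowlist on that parameter, and the same check can be run over access logs to find upgrade requests that already pointed elsewhere. The script below is an added example, not part of the original PoC or of PrestaShop's own code: it assumes the upgrade request carries the download URL in a `source` parameter (as the PoC states), treats `api.prestashop-project.org` (the host of the PoC's own download link) as the only legitimate package host, and uses a constructed admin path and constructed log lines for illustration.

```python
"""Allowlist check for the module-upgrade `source` parameter, plus a
log scan that flags requests whose `source` fails the check.

Added example; not PrestaShop code. The admin path and log lines are
constructed for illustration, and the allowlist host is taken from the
PoC's own download link.
"""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Only the official package host is allowed to serve module archives.
ALLOWED_SOURCE_HOSTS = {"api.prestashop-project.org"}


def is_internal_host(host: str) -> bool:
    """True for loopback, private-range, or link-local targets (the SSRF case)."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP
    return addr.is_loopback or addr.is_private or addr.is_link_local


def check_source(source_url: str):
    """Return (ok, reason) for a candidate module download URL."""
    p = urlparse(source_url)
    if p.scheme != "https":
        return False, f"scheme {p.scheme or '<none>'} not https"
    host = (p.hostname or "").lower()
    if not host:
        return False, "no host in URL"
    if is_internal_host(host):
        return False, "internal/loopback host"
    if host not in ALLOWED_SOURCE_HOSTS:
        return False, f"host {host} not in allowlist"
    if not p.path.endswith(".zip"):
        return False, "not a zip package path"
    return True, "ok"


def scan_log(lines):
    """Scan combined-format access log lines; return (source, reason) for
    every request whose `source` query parameter fails check_source()."""
    findings = []
    for line in lines:
        # The request line sits between the first pair of double quotes.
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()
        if len(fields) < 2:
            continue
        query = urlparse(fields[1]).query
        for src in parse_qs(query).get("source", []):  # parse_qs percent-decodes
            ok, reason = check_source(src)
            if not ok:
                findings.append((src, reason))
    return findings


# Constructed sample log lines; the admin path is a placeholder, not a real route.
LOG_LINES = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /admin-example/module/upgrade'
    '?source=https%3A%2F%2Fapi.prestashop-project.org%2Fassets%2Fmodules%2Fps_facetedsearch'
    '%2Fv3.16.1%2Fps_facetedsearch.zip HTTP/1.1" 200 512',
    '10.0.0.5 - admin [01/Jan/2024:10:01:00 +0000] "GET /admin-example/module/upgrade'
    '?source=http%3A%2F%2F203.0.113.10%2Fps_facetedsearch.zip HTTP/1.1" 200 512',
    '10.0.0.5 - admin [01/Jan/2024:10:02:00 +0000] "GET /admin-example/module/upgrade'
    '?source=https%3A%2F%2F127.0.0.1%2Fmod.zip HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, reason in scan_log(LOG_LINES):
        print(f"FLAGGED {src}: {reason}")
```

The allowlist is deliberately a host match rather than a prefix match on the URL string, so `https://api.prestashop-project.org.attacker.example/` does not pass; the internal-address check covers the blind-SSRF direction of the same parameter. If the real upgrade endpoint takes `source` in a POST body instead of the query string, feed the decoded body to `check_source()` the same way.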

## Expected Results

- **Before Exploit:**
  - Filesystem as expected with no additional files.
    ![Repack](./10.png)

- **After Exploit:**
  - The file `pwn3ed_bayram.txt` is successfully created in the root directory.
    ![Repack](./11.png)

## Additional Notes

- Reverse shells could be obtained using similar methods.

File Snapshot

[4.0K] /data/pocs/f02cbabbf4480802e2fc41d9d6c3412917018c8e
├── [169K] 10.png
├── [149K] 11.png
├── [122K] 1.png
├── [ 16K] 2.png
├── [ 34K] 3.png
├── [112K] 4.png
├── [ 88K] 5.png
├── [ 29K] 6.png
├── [125K] 7.png
├── [196K] 8.png
├── [ 41K] 9.png
└── [1.5K] README.md

0 directories, 12 files