{"id":2803,"date":"2023-03-28T13:37:03","date_gmt":"2023-03-28T11:37:03","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=2803"},"modified":"2024-02-07T10:18:22","modified_gmt":"2024-02-07T09:18:22","slug":"admin-prestashop-rce-a-la-wordpress","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/admin-prestashop-rce-a-la-wordpress\/","title":{"rendered":"Admin PrestaShop RCE “\u00e0 la WordPress”"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”||88px|||” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2023\/03\/Prestashop-logo.png” alt=”Prestashop logo” title_text=”Prestashop logo” align=”center” _builder_version=”4.20.2″ _module_preset=”default” background_color=”RGBA(255,255,255,0)” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

As pentesters, whenever we get admin rights on a WordPress website we know we are very close to the RCE. Indeed, whether by modifying the theme or adding a module, the execution of arbitrary PHP code is generally not complicated to obtain. In addition, consultants can find many articles on this subject on Google:<\/p>\n

\"Google<\/p>\n

DSecBypass pentesters have managed to become PrestaShop website administrators several times and the lack of literature on the subject, compared to that available for WordPress, prompted them to write this article.<\/p>\n

\"Google<\/p>\n

Learn how to build a PrestaShop module modified to execute arbitrary PHP code during your penetration testing.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”tamper” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Building the PrestaShop module<\/h2>\n

PrestaShop offers a convenient web interface to create a valid module skeleton: https:\/\/validator.prestashop.com\/generator<\/a>.<\/p>\n

Be careful, this step is important because bad options can make the administration interface or the shop inaccessible. This is why we prefer to generate a module which only interacts with the administration interface and which is not instantiated automatically. If in doubt, test on a locally replicated version of PrestaShop.<\/p>\n

For the exercise, we make sure that the module is not too visible in the list of modules by filling the fields with probable values. Note the “Module name” field that it is better to randomize because it is used to create the folder on the file system and is therefore found in the final URL. In order not to find the name of your pentest company indexed by search engines, it is best to insert a string of random characters here.<\/p>\n

\"Building<\/p>\n

It is best to set “Need instance” to “No” to avoid generating a 500 error on the back office. Concerning the “Compliancy”, adapt it according to the version of the PrestaShop you are targeting. The max value doesn’t really matter because the module code then uses the value of “_PS_VERSION_”.<\/p>\n

\"Building<\/p>\n

From experience, the module is more likely to work with the “Administration panel footer” hook:<\/p>\n

\"Building<\/p>\n

By clicking on “Create” the ZIP archive of the module is downloaded.<\/p>\n

\"Prestashop<\/p>\n

[\/et_pb_text][et_pb_text module_id=”postprocess” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Modifying the PrestaShop module with a WebShell<\/h2>\n

The goal is to include the PHP code of a WebShell in this newly created plugin.<\/p>\n

It is possible to simply add the PHP file of your favorite WebShell in the archive and upload it. But to stay in the perspective of having a module that is not too suspicious, we modify the “index.php” file accessible at the root of the archive. The only line added in the screenshot below is the underline one.<\/p>\n

\"Modifying<\/p>\n

Warning:<\/span> the webshell used here is for example. Its access is not authenticated which can endanger your client’s infrastructure. Prefer secure webshells or PHP reverse shells.<\/p>\n

Once the archive has been zipped again, we can upload the PrestaShop module containing our WebShell. Just go to the Modules menu in the administration interface. The latter can be complicated to discover since PrestaShop encourages administrators to modify the path to the administrator dashboard. We assume here that readers know this path and have an administrator account.<\/p>\n

\"Modules<\/p>\n

If the module is badly formed (archive badly rebuilt, error in the PHP code) an error may be returned:<\/p>\n

\"Module<\/p>\n

Depending on the type of error, the module may have been deployed successfully but there is a good chance that the “Modules” menu is now broken (error 500). Since it has been deployed, you can still go to your webshell to remove this new module and try to fix the problem.<\/p>\n

If the steps for creating the module have been followed correctly, the following message should instead appear:<\/p>\n

\"PrestaShop<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

WebShell usage<\/h2>\n

Once the PrestaShop module has been correctly uploaded, it should appear in the list of modules (here “Cache management”):<\/p>\n

\"List<\/p>\n

An icon could be added to make it even less visible.<\/p>\n

If an administrator tries to uninstall it, the message entered when creating the module will be displayed in order to dissuade him:<\/p>\n

\"PrestaShop<\/p>\n

We can confirm that the module is well deployed on the file system of our local environment:<\/p>\n

\"WebShell<\/p>\n

So all we have to do is use our WebShell and continue the pentest:<\/p>\n

\"PrestaShop<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

\ud83d\udee1\ufe0f DSecBypass accompanies you on the security audit of your Web applications<\/a>. Do not hesitate to contact <\/a>us for additional information and\/or a personalized quote \ud83d\udcdd.<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https:\/\/www.dsecbypass.com\/en\/contact\/” button_text=”CONTACT US” button_alignment=”center” _builder_version=”4.17.4″ _module_preset=”default” custom_button=”on” button_text_size=”13px” button_bg_color=”#4328b7″ button_border_width=”10px” button_border_color=”#4328b7″ button_border_radius=”0px” button_letter_spacing=”2px” button_font=”Titillium Web|700||on|||||” background_layout=”dark” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

Build a PrestaShop module in order to have an RCE when obtaining administrator access during a pentest.<\/p>\n","protected":false},"author":4,"featured_media":2779,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-2803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en"],"_links":{"self":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/comments?post=2803"}],"version-history":[{"count":14,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2803\/revisions"}],"predecessor-version":[{"id":3233,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2803\/revisions\/3233"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media\/2779"}],"wp:attachment":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media?parent=2803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/categories?post=2803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/tags?post=2803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}