[FREE TOOL] Viking Production CVE Pentester 1.7.x / 8.x – Advanced PrestaShop Security Audit Suite

[Viking Production]

Hello PrestaShop community,

I'm releasing a profesionnal dedicated penetration testing tool i used since years for PrestaShop 1.7.x ( and on a couple of days 8.x  ) – designed for integrators, freelancers, hosting providers, and security teams who need to go beyond basic automated scanners.

The goal: Simulate a real attacker on your PrestaShop instance (legally, with proper authorization) and generate a professional PDF report that developers, sysadmins, and CISOs can actually use.

 

🎯 What the tool does

Core capabilities:

• Identifies critical vulnerabilities (SQLi, RCE, XXE, SSRF, etc.) specific to PrestaShop installations
• Audits system configuration (file permissions, backdoors, Lynis integration)
• Maps known CVEs through a dedicated, editable JSON database
• Generates 15-30 page PDF reports with CVSS scores, proof-of-concept evidence, and prioritized remediation

Not a replacement for full manual pentesting – think of it as a productivity booster to quickly identify the most dangerous issues.

 

🔧 Key Features

✅ Web Application Penetration Tests :

• SQL Injection: Time-based, Error-based, Boolean-based, Union-based
• XXE: XML External Entity attacks  
• SSRF: Server-Side Request Forgery
• RCE: Remote Code Execution via PHP deserialization
• Command Injection: OS command injection vectors
• Authentication Bypass: Back-office login bypass attempts
• Open Redirect & CORS misconfigurations
• Session security (cookies, HttpOnly, Secure flags)
• SSL/TLS weak protocol detection
• Rate limiting & brute-force protection checks

🔍 System-Level Audit :

• Lynis integration (full Linux hardening audit)
• Automatic spidering (endpoint discovery)
• Vulnerable module detection
• Sensitive file exposure checks
• Backdoor hunting (known malicious patterns)
• Dangerous file permission scanning
• Database prefix verification

📊 PDF Reporting :

• 15-30 page PDF with Viking Production branding
• CVSS v3.1 risk scoring (0-10 scale)
• Executive summary for management
• Technical details + remediation steps
• Prioritized action plan (P0/P1/P2)
• Proof-of-concept payloads (sanitized)

🚀 Quick Demo (Less than 2 minutes) :

# Standard audit (safe for production)
python3 cve.py https://your-prestashop.tld

# Full system audit + Lynis
python3 cve.py https://your-prestashop.tld --path /var/www/prestashop

# Generates: prestashop_security_report.pdf

Sample output: Identifies PrestaShop version → Maps applicable CVEs → Tests vectors → Delivers PDF report.

 

🗄️ Extensible CVE Database :

The tool uses a JSON CVE database you can customize:

{
  "id": "CVE-2022-31181",
  "title": "SQL Injection Smarty Cache",
  "cvss_score": 9.8,
  "affected_versions": ["1.7.0.0", "1.7.8.6"],
  "payloads": ["<sanitized_payloads>"],
  "remediation": "Update to 1.7.8.7+"
}

🎁 Why this tool?

• PrestaShop-specific: Tests actual CVEs affecting 1.7.x/8.x
• Production-ready reports: Not just "vulnerable/not vulnerable"
• Developer-friendly: Clear payloads, remediation steps
• Sysadmin integration: Lynis + file system checks
• Free & open-source: MIT license
• Actively maintained: 2026 roadmap includes 8.x support, ML anomaly detection

 

📚 Resources :

GitHub: https://github.com/VikingProduction/CVE-prestashop.1-7.X-pentester
README available in French & English

 

⚖️ IMPORTANT: Legal & Responsible Use Only

✅ Authorized use:

• Your own PrestaShop installations
• Client sites with written permission
• Staging/test environments
• Contractual security assessments

❌ Strictly prohibited:

• Testing third-party sites without authorization
• Production sites without owner consent
• Any illegal access attempts
• Law compliance of your country, in france: Article 323-1 Code Pénal, GDPR, NIS Directive.

 

Questions? Need help with a specific CVE? Want to contribute new tests? Reply here or open an issue!

Stay secure,
Viking Production

[Prestashop Addict]

Hi, thank you for this tool. BUT in your source code you give explicitly exploits, that will help attackers 😞

[wepresta]

Hello,

Be careful not to delegate too much to AI we can see quite a few traces of unchecked “vibe coding” here (leftover original comments, avoidable logic errors, etc.). The tool is powerful, but it does not replace a proper self-review. A quick manual check would help avoid these basic mistakes that undermine the quality of the script.

 

[Viking Production]

22 hours ago, Prestashop Addict said:

Hi, thank you for this tool. BUT in your source code you give explicitly exploits, that will help attackers 😞

Hello dude, all the explicitly exploits are described on the CVE list so basically it's the responssibility of the owner to maintain their shop updated.

 

22 hours ago, wepresta said:

Hello,

Be careful not to delegate too much to AI we can see quite a few traces of unchecked “vibe coding” here (leftover original comments, avoidable logic errors, etc.). The tool is powerful, but it does not replace a proper self-review. A quick manual check would help avoid these basic mistakes that undermine the quality of the script.

 

I've effectly passed on copilot for code reviewing. The tool will be maintained by myself, i'll passed it to multi threading and i agree that we need to recheck manually after the pentest to be sure of the accuracy of the CVE tested and reported. Btw if you see any improvments let me know !

Edited January 27 by Viking Production (see edit history)

[Prestashop Addict]

In your report you mention url concerned, but for modules you dont specify version impacted by CVE. This can produce false positives and anxious reaction to the site owner 😉

[Viking Production]

2 hours ago, Prestashop Addict said:

In your report you mention url concerned, but for modules you dont specify version impacted by CVE. This can produce false positives and anxious reaction to the site owner 😉

yes that's right and i'am currently working on with more CVE included and some fixed (see dev)

Edited January 26 by Viking Production (see edit history)

[Viking Production]

This repository has been temporarily set to private mode to ensure compliance with French legislation, particularly Article 323-3-1 of the French Penal Code regarding the distribution of security testing tools.

Why this change?

French regulations impose strict conditions on the publication of penetration testing tools. While this project has a legitimate security research purpose, the presence of certain automated exploitation payloads, particularly the most aggressive ones, could be interpreted as providing tools specifically designed to commit computer-related offenses.

 

Next steps

A refactoring of the project is underway to:

• Remove all payloads that could directly compromise the security of PrestaShop installations in production
• Retain only non-intrusive detection and analysis components
• Document a strict professional use framework requiring prior written authorization
• Implement a responsible disclosure protocol for discovered vulnerabilities