Skip to content

I3IT/PrestaShop.Version.Hunter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

PrestaShop Version Hunter

ps_version_hunter.py fingerprints a PrestaShop installation by comparing the versions of its native modules against the module versions bundled with a known PrestaShop release tag.

The tool uses the official PrestaShop GitHub repositories as the source of truth:

  1. It downloads composer.lock from the selected PrestaShop/PrestaShop tag.
  2. It extracts every package whose type is prestashop-module.
  3. For each module, it reads the exact source commit reference from the lockfile.
  4. It downloads that module repository's config.xml at the locked commit.
  5. It extracts the module version from the XML.
  6. Optionally, it fetches the same module config.xml from a live target and compares the two versions.

This is useful when a target does not expose the PrestaShop core version directly but still exposes native module metadata.

Requirements

  • Python 3
  • requests
  • urllib3

Install the Python dependencies with:

pip install requests urllib3

Usage

List Native Module Versions for a PrestaShop Tag

python3 ps_version_hunter.py 1.7.2.5

This fetches:

https://raw.githubusercontent.com/PrestaShop/PrestaShop/1.7.2.5/composer.lock

Then it prints each native module found in that lockfile, the expected module version from its upstream config.xml, and the locked commit hash prefix.

Example output:

Baseline module version extraction

[*] Fetching baseline composer.lock for PrestaShop tag 1.7.2.5...
[*] Found 67 native modules.
[*] Fetching config.xml for each from GitHub...

MODULE NAME                  | REPO VER   | COMMIT HASH
------------------------------------------------------------
ps_banner                    | 2.0.1      | abc1234
ps_contactinfo               | 2.1.0      | def5678

Compare a Live Target Against a Tag

python3 ps_version_hunter.py 1.7.2.5 --url https://shop.example.com

For every native module bundled with the selected tag, the script requests:

https://shop.example.com/modules/<module_name>/config.xml

It then compares the live module version with the version expected for that PrestaShop tag.

Example output:

Live target module comparison

MODULE NAME                | REPO VER   | LIVE VER        | MATCH?
----------------------------------------------------------------------
ps_banner                  | 2.0.1      | 2.0.1           | YES
ps_contactinfo             | 2.1.0      | 2.0.0           | NO
ps_emailsubscription       | 2.6.0      | Not Found (404) | -
----------------------------------------------------------------------
[-] MISMATCH: At least one module did not match. (Matched 1/3)

Mismatch summary:

Mismatch summary

Match Status

  • YES: the live module version exactly matches the version from the selected PrestaShop tag.
  • NO: the live module version was readable, but it differs from the expected version.
  • -: the script could not make a meaningful comparison because the live module metadata was missing, blocked, invalid, or unreachable.

Live fetch statuses include:

  • Blocked (403): the target denied access to the module config.xml.
  • Not Found (404): the module config.xml was not found on the target.
  • Connection Err: the request to the target failed.
  • XML Parse Err: the target returned content that could not be parsed as a valid module config.xml.
  • Err (<status>): the target returned another HTTP status code.

Notes and Limitations

  • The selected tag must exist in the official PrestaShop/PrestaShop repository and must contain a readable composer.lock.
  • The script only considers Composer packages named prestashop/* with type set to prestashop-module.
  • A full match strongly suggests that the target is consistent with the selected PrestaShop tag, but it is not a cryptographic proof of the core version. Modules can be upgraded, downgraded, removed, hidden, or patched independently from the PrestaShop core.
  • Live target requests use a 5 second timeout.
  • TLS certificate verification is disabled for live target scanning so the tool can inspect misconfigured HTTPS sites. Use it only on systems you are authorized to test.

Script Reference

usage: ps_version_hunter.py [-h] [--url URL] tag

PrestaShop Version Hunter & Live Diff Tool

positional arguments:
  tag         The PrestaShop core tag to baseline against (e.g., 1.7.2.0)

options:
  -h, --help  show this help message and exit
  --url URL   Optional target URL to cross-reference live modules

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages