ps_version_hunter.py fingerprints a PrestaShop installation by comparing the
versions of its native modules against the module versions bundled with a known
PrestaShop release tag.
The tool uses the official PrestaShop GitHub repositories as the source of truth:
- It downloads
composer.lockfrom the selectedPrestaShop/PrestaShoptag. - It extracts every package whose type is
prestashop-module. - For each module, it reads the exact source commit reference from the lockfile.
- It downloads that module repository's
config.xmlat the locked commit. - It extracts the module version from the XML.
- Optionally, it fetches the same module
config.xmlfrom a live target and compares the two versions.
This is useful when a target does not expose the PrestaShop core version directly but still exposes native module metadata.
- Python 3
requestsurllib3
Install the Python dependencies with:
pip install requests urllib3python3 ps_version_hunter.py 1.7.2.5This fetches:
https://raw.githubusercontent.com/PrestaShop/PrestaShop/1.7.2.5/composer.lock
Then it prints each native module found in that lockfile, the expected module
version from its upstream config.xml, and the locked commit hash prefix.
Example output:
[*] Fetching baseline composer.lock for PrestaShop tag 1.7.2.5...
[*] Found 67 native modules.
[*] Fetching config.xml for each from GitHub...
MODULE NAME | REPO VER | COMMIT HASH
------------------------------------------------------------
ps_banner | 2.0.1 | abc1234
ps_contactinfo | 2.1.0 | def5678
python3 ps_version_hunter.py 1.7.2.5 --url https://shop.example.comFor every native module bundled with the selected tag, the script requests:
https://shop.example.com/modules/<module_name>/config.xml
It then compares the live module version with the version expected for that PrestaShop tag.
Example output:
MODULE NAME | REPO VER | LIVE VER | MATCH?
----------------------------------------------------------------------
ps_banner | 2.0.1 | 2.0.1 | YES
ps_contactinfo | 2.1.0 | 2.0.0 | NO
ps_emailsubscription | 2.6.0 | Not Found (404) | -
----------------------------------------------------------------------
[-] MISMATCH: At least one module did not match. (Matched 1/3)
Mismatch summary:
YES: the live module version exactly matches the version from the selected PrestaShop tag.NO: the live module version was readable, but it differs from the expected version.-: the script could not make a meaningful comparison because the live module metadata was missing, blocked, invalid, or unreachable.
Live fetch statuses include:
Blocked (403): the target denied access to the moduleconfig.xml.Not Found (404): the moduleconfig.xmlwas not found on the target.Connection Err: the request to the target failed.XML Parse Err: the target returned content that could not be parsed as a valid moduleconfig.xml.Err (<status>): the target returned another HTTP status code.
- The selected tag must exist in the official
PrestaShop/PrestaShoprepository and must contain a readablecomposer.lock. - The script only considers Composer packages named
prestashop/*withtypeset toprestashop-module. - A full match strongly suggests that the target is consistent with the selected PrestaShop tag, but it is not a cryptographic proof of the core version. Modules can be upgraded, downgraded, removed, hidden, or patched independently from the PrestaShop core.
- Live target requests use a 5 second timeout.
- TLS certificate verification is disabled for live target scanning so the tool can inspect misconfigured HTTPS sites. Use it only on systems you are authorized to test.
usage: ps_version_hunter.py [-h] [--url URL] tag
PrestaShop Version Hunter & Live Diff Tool
positional arguments:
tag The PrestaShop core tag to baseline against (e.g., 1.7.2.0)
options:
-h, --help show this help message and exit
--url URL Optional target URL to cross-reference live modules


