| Titel | ECshop v4.1.8 file upload vulnerability |
|---|
| Beschreibung | ECshop v4.1.8 (https://www.ecshop.com/) has a file upload vulnerability,and attacker can upload a .php file then remote execute code to get a shell.
Detail can be seen in https://github.com/wjzdalao/ecshop4.1.8/issues/2
And source code can be download at https://www.ecshop.com/download or https://www.ecshopjcw.com/ecshopxiazai.html or my github https://github.com/wjzdalao/ecshop4.1.8
some details :
After the construction is completed, we can visit http://domain/admin Use ECshop account to enter the background
Enter the necessary name, NO and Shop price under product ->New product and submit it. Add a line under burpsuite
-----------------------------424530281912821893691310326676
Content-Disposition: form-data; name="file_url[0]"; filename="shell.php"
Content-Type: image/ipeg
Then the request package is sent to show that it was added successfully. View the local file and find that the php file was uploaded successfully.
And the file upload path is under our control.
While 'filename', 'the uploaded year and month' are under our control. The number in front is only the serial number of the product, so you can access the php file by simply cracking the serial number from 1. For example, the file of shell.php uploaded here is located at /uploadfile/202302/137_ 25a452927110e39a345a2511c57647f2.php.And The following content is only the md5 value of shell. php.
Finally, we can easily access and execute commands. |
|---|
| Quelle | ⚠️ https://github.com/wjzdalao/ecshop4.1.8/issues/2 |
|---|
| Benutzer | OreoZe (UID 41670) |
|---|
| Einreichung | 27.02.2023 17:29 (vor 3 Jahren) |
|---|
| Moderieren | 06.03.2023 08:05 (7 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 222357 [ECshop bis 4.1.8 New Product erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|