| Title | ECshop v4.1.8 remote code execution vulnerability |
|---|---|
| Description | ECshop v4.1.8 (https://www.ecshop.com/) has an RCE vulnerability, and an attacker can easily execute code remotely to get a shell.<br>Details can be seen at https://github.com/wjzdalao/ecshop4.1.8/issues/1<br>The source code can be downloaded at https://www.ecshop.com/download or https://www.ecshopjcw.com/ecshopxiazai.html or my GitHub https://github.com/wjzdalao/ecshop4.1.8<br>Some details:<br>After the construction is completed, we can visit http://domain/admin and use an ECshop account to enter the website background.<br>Select a backup database under Database -> backup. After opening it, you can see its header and footer format.<br>In the same format, we can construct the commands we want the database to execute.<br>After construction, select the constructed SQL file in Database -> backup -> Restore backup and submit it.<br>At this time, shell.php is successfully written under the target folder.<br>The content of the uploaded SQL file is filtered in admin/database.php when uploading the SQL file, but it can still be inserted into a table of the database through hexadecimal, and then the data in the table can be read to bypass the filter.<br>After a successful upload, the command will be automatically executed.<br>At the same time, when uploading the SQL file, '\r\n' will automatically be replaced with ' ', and then we can't bypass the filter. Since the line feed in Windows is '\r\n', you need to manually change it to '\n' in Windows.<br>More details and photos are in the issue. |
| Source | ⚠️ https://github.com/wjzdalao/ecshop4.1.8/issues/1 |
| User | OreoZe (UID 41670) |
| Submission | 27/02/2023 17h33 (3 years ago) |
| Moderation | 06/03/2023 08h04 (7 days later) |
| Status | Accepted |
| VulDB Entry | 222356 [ECshop up to 4.1.8 Backup Database admin/database.php Privilege Escalation] |
| Points | 20 |
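
A defensive check for the filter bypass described in the submission, as an added example that is not ECShop's code or the submitter's: it decodes MySQL hex literals in a restore file before matching, so the check sees the bytes the database would store rather than their hex spelling. The marker list, the `demo_table` name and the sample dump are assumptions constructed for illustration.

```python
import re

# Hex literal spellings MySQL accepts: 0x3C3F and X'3C3F' (or x'3C3F').
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b|\b[xX]'((?:[0-9a-fA-F]{2})*)'")

# Assumed marker list (not taken from ECShop's filter): PHP open tags, which
# have no business inside a shop database backup.
MARKERS = (b"<?php", b"<?=")

def decoded_literals(sql_text):
    """Yield (line_number, decoded_bytes) for every hex literal in the dump."""
    for lineno, line in enumerate(sql_text.splitlines(), start=1):
        for m in HEX_LITERAL.finditer(line):
            digits = m.group(1) if m.group(1) is not None else m.group(2)
            if len(digits) % 2:  # MySQL left-pads odd-length 0x literals with a 0
                digits = "0" + digits
            yield lineno, bytes.fromhex(digits)

def scan_restore_file(sql_text):
    """Return sorted (line, where, marker) findings, where is 'plain' or 'hex'."""
    findings = []
    for lineno, line in enumerate(sql_text.splitlines(), start=1):
        low = line.lower().encode("utf-8", "replace")
        findings += [(lineno, "plain", mk.decode()) for mk in MARKERS if mk in low]
    for lineno, raw in decoded_literals(sql_text):
        low = raw.lower()
        findings += [(lineno, "hex", mk.decode()) for mk in MARKERS if mk in low]
    return sorted(findings)

# Constructed sample, not a real ECShop backup; the encoded value is harmless.
SAMPLE = "\n".join([
    "-- constructed sample dump",
    "INSERT INTO demo_table VALUES (1, 'ordinary text');",
    "INSERT INTO demo_table VALUES (2, 0x" + b"<?php echo 1; ?>".hex() + ");",
    "INSERT INTO demo_table VALUES (3, X'" + b"ok".hex() + "');",
])

if __name__ == "__main__":
    for finding in scan_restore_file(SAMPLE):
        print(finding)
```

A keyword match on the raw text of line 3 finds nothing; only the decoded literal reveals the tag, which is why a restore-time filter has to normalize encodings before it inspects content.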