ECMall community e-commerce system (referred to as ECMall) is another e-commerce product launched by Shanghai Shangpai Network Technology Co., Ltd. after ECShop, and a sister product to it.

Recently I saw a full-version ECMall file inclusion vulnerability posted on WooYun (dark clouds). Early last year, while doing secondary development on ECMall, I also found a local file inclusion vulnerability and XSS, and I wonder whether it is the same one as on WooYun.

The location is rather awkward: it is in a core file, eccore/ecmall.php, at roughly lines 7 to 8.

// Only checks whether app is set, then strips whitespace from both ends
$app = isset($_REQUEST['app']) ? trim($_REQUEST['app']) : $default_app;
$act = isset($_REQUEST['act']) ? trim($_REQUEST['act']) : $default_act;

// Clearly $app is under our control; since ".app.php" is appended after it,
// the suffix has to be truncated (null byte) when exploiting
$app_file = $config['app_root'] . "/{$app}.app.php";

// For a local file inclusion the file must exist, so is_file() must return true
if (!is_file($app_file)) {
    exit('Missing controller');
}

// Right after this the file is included directly; I will not go into the
// lower-level details of the include


Exp: http://xxxx.com/index.php?app=../data/files/mall/application/store_516_1.jpg%00.


Pick a few targets from the users showcased on the official site to test it.

Register a user, then upload an image containing a one-line script as an avatar or at any other upload point; the file inclusion pulls it in.

Replace the path in the exp with the picture's path. The %00 at the end is the truncation mentioned above; note that there is a dot after the 00, look carefully.

Note: this only works when GPC (magic_quotes_gpc) is off, so it is still a bit useless; do not do bad things, any consequences are your own and have nothing to do with me.

There are also many XSS in other places, and using XSS to get a shell has a much higher success rate, because the admin back end can be used to get a shell. Hastily scribbled and a bit of a mess, do not laugh; I will write about the other types when I get the chance.
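For comparison, here is how the controller lookup above can be hardened. This is an added example, not ECMall's own code: it assumes a function name resolve_app_file and a temporary app_root directory created for the demonstration, and restricts $app to a plain controller name before touching the file system.

```php
<?php
// Added example (not ECMall's code): hardened replacement for the controller
// lookup in eccore/ecmall.php. Function and directory names are assumptions.

function resolve_app_file($app, $app_root, $default_app = 'default')
{
    $app = ($app === null) ? $default_app : trim($app);

    // 1. Allow only a bare controller name: letters, digits, underscore.
    //    This rejects "../", "/" and NUL, so the ".app.php" suffix cannot be
    //    cut off and the path cannot leave $app_root. Note that trim() already
    //    strips a trailing NUL (which is why the payload above ends in a dot),
    //    but the regex rejects such input regardless.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $app)) {
        return false;
    }

    $app_file = $app_root . '/' . $app . '.app.php';

    // 2. Defence in depth: the resolved path must still be inside $app_root
    //    (catches symlinks and a mis-set $app_root).
    $real_root = realpath($app_root);
    $real_file = realpath($app_file);
    if ($real_root === false || $real_file === false ||
        strpos($real_file, $real_root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $real_file;
}

// Constructed inputs for the demonstration.
$root = sys_get_temp_dir() . '/ecmall_apps_demo';
@mkdir($root, 0700, true);
file_put_contents($root . '/store.app.php', "<?php // stub controller\n");

var_dump(resolve_app_file('store', $root) !== false);          // bool(true)
var_dump(resolve_app_file("../data/files/a.jpg\0.", $root));   // bool(false)
var_dump(resolve_app_file('../../etc/passwd', $root));         // bool(false)
```

In the real dispatcher the caller would then do `if ($app_file === false) exit('Missing controller');` before the include, so nothing outside the allow-listed controller names is ever passed to it.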