Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS Injection - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1608014 漏洞类型
发布时间 2019-05-14 更新时间 2019-05-14
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019050149
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
[*] :: Title: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-14
[*] :: Software: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7
  
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering and .PHP files upload has been discovered in the «Shopist | Laravel Multivendor eCommerce, CMS and Designer» web-application, current version is 2.4.7.

[?] :: Demo Website:
# https://codecanyon.net/item/shopist-laravel-ecommerce/17475699
# Backend (admin): http://shopist.awesomewaterfall.com/admin/login
# Login/Password (admin): a@a.com/123456

[!] :: Special Note:
# 429 Sales
# Try to upload any zip-bomb and soon server will throw a system error with sensitive data like database credentials, full path disclosure etc. etc.: REDIRECT_SERVER_ADDR -> 23.92.74.62 | DB_DATABASE -> awesomew_shopist_testing | DB_USERNAME -> awesomew_shopist | DB_PASSWORD -> b5foO$d5I[@b

[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://shopist.awesomewaterfall.com/resources/lang/quixss.html
# http://shopist.awesomewaterfall.com/resources/assets/js/up-dir.php
# http://shopist.awesomewaterfall.com/public/designer/icons/up-dir.php
# http://shopist.awesomewaterfall.com/public/slick/fonts/up-dir.php

[+] :: PoC #1 [WebShell Upload]:
# Authorize on the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is a@a.com/123456). Then go to the language settings page: http://shopist.awesomewaterfall.com/admin/settings/languages
# You'll see the upload form and list of supported languages. Scroll down the page and press «Edit» menu link on any existed language. Upload form will accept from you any .ZIP file (plus each .ZIP file will be auto unpacked!), but don't be too quick over here. Demo website «secured» by firewall (so at least use the «Tor» browser), plus on any unpacked .PHP file from your .ZIP archive you'll see the 404 error page. It's possible to bypass this measure by including any directory inside your .ZIP archive, f.e.: dir1/dir2/payload.php. Upload form will throw an error message about image - ignore it, all your files will be uploaded anyway. After the successful upload you can find your unpacked files here: http://shopist.awesomewaterfall.com/resources/lang/ (so «bypassed» link to your .PHP file will be http://shopist.awesomewaterfall.com/resources/lang/dir1/dir2/payload.php w/o any errors).

[+] :: PoC #2 [Stored XSS Injection]:
# Authorize on the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is a@a.com/123456). Then go to the «Add New Page» page or «Add New Post» page: http://shopist.awesomewaterfall.com/admin/page/add / http://shopist.awesomewaterfall.com/admin/blog/add
# «Title» input fields are ready for your payloads. Start injections from "> symbols, write down your payloads and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>