Description
Affects version: shopxo 2.2.0
After logging in to the management page as administrator, there is an arbitrary file upload vulnerability in 3 locations; you can upload a webshell into the site.
The first location:
Website management -> Theme management -> Theme installation
The POST URL is /admin.php?s=theme/upload.html
The steps are:
- download the default theme from the official site (https://shopxo.store/goods-80.html)
- unzip the zip
- delete only the files with a "php" suffix (the file security check rejects them), then create a malicious file named phpinfo.pHp or phpinfo.phtml in the "css" folder and in the root folder


- recompress the files as a new zip file
- upload it
You will find the malicious file in public/static/index/<your renamed folder name>/css/phpinfo.pHp and in app/index/view/<your renamed folder name>/phpinfo.pHp

The second location:
App center -> App management -> Upload app
The POST URL is /admin.php?s=pluginsadmin/upload.html
Like the first location:
- download any plugin from the official site (https://shopxo.store/goods-75.html)
- unzip the zip
- create a malicious file named phpinfo.php in the _controller_ -> <pluginname> -> admin folder
- recompress the files as a new zip file
- upload it
You will find the malicious file in app/plugins/freightfee/admin/phpinfo.php
The third location:
Mobile management -> Mini program list -> Theme installation
The POST URL is /admin.php?s=appmini/themeupload.html
The steps are:
- create a malicious file phpinfo.php and compress it as a new zip file
- upload it
You will find the malicious file in sourcecode/weixin/phpinfo.php
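All three locations share one root cause: an administrator-supplied zip is extracted into web-served directories, and the report indicates the only guard is a check for the "php" suffix that is bypassed by a different-case name (phpinfo.pHp), an alternate extension (phpinfo.phtml), or no check at all. The following is an added, language-neutral illustration of how an upload handler should vet archive entries before extraction; it is not ShopXO's code. It assumes a blocklist of extensions a PHP-enabled server may execute (the exact set depends on the server's handler configuration), compares case-insensitively, checks every extension component so names like shell.php.jpg are also rejected, and refuses entries whose path would escape the extraction directory. The sample archive is constructed inline with placeholder contents.

```python
import io
import posixpath
import zipfile

# Extensions a PHP-enabled web server may hand to the interpreter.
# Assumption: adjust to the real server handler configuration.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def entry_problems(name):
    """Return the reasons an archive entry must not be extracted (empty list = ok)."""
    problems = []
    # Zip entries use forward slashes; normalise before inspecting the path.
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../") or "/../" in norm:
        problems.append("path escapes the extraction directory")
    base = posixpath.basename(norm)
    # Lower-case first so 'phpinfo.pHp' and 'README.PHTML' are treated like '.php'.
    # Examine every component after the base name so 'x.php.jpg' is caught too.
    for ext in base.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            problems.append(f"extension '.{ext}' may be executed by the server")
            break
    return problems


def validate_archive(data):
    """Check every file entry of a zip (given as bytes) before anything is extracted.

    Returns (ok, findings) where findings is a list of (entry name, reason).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for problem in entry_problems(info.filename):
                findings.append((info.filename, problem))
    return (len(findings) == 0, findings)


def build_sample_archive():
    """Constructed sample: a theme-like layout containing the two bypass names
    from the report plus a path-traversal entry; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mytheme/config.json", "{}")
        zf.writestr("mytheme/css/style.css", "body{}")
        zf.writestr("mytheme/css/phpinfo.pHp", "placeholder")
        zf.writestr("mytheme/phpinfo.phtml", "placeholder")
        zf.writestr("../escape.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    ok, findings = validate_archive(build_sample_archive())
    print("archive accepted" if ok else "archive rejected")
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

The handler should run this check over the whole archive and refuse the upload entirely if any entry fails, rather than extracting the "good" entries and skipping the rest; a partial extraction still leaves the attacker free to retry with a slightly different name. Serving the upload directories with script execution disabled is the complementary server-side control, since a blocklist can never anticipate every handler mapping.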
