CVE-2021-41938: After entering the management page，there is an arbitrary file upload vulnerability in 3 locations · Issue #64 · gongfuxiang/shopxo

Affects version shopxo 2.2.0
After entering the management page as admininstrator there is an arbitrary file upload vulnerability in 3 locations , you can upload webshell into the site.

The first location:

网站管理->主题管理->主题安装
the post url is /admin.php?s=theme/upload.html
the step is:

1. download the default theme from offical(https://shopxo.store/goods-80.html)
2. unzip the zip
3. Only delete files with “php” suffix due to file security check, new a evil file named phpinfo.pHp or phpinfo.phtml in the “css” folder and the root folder

4. Recompress the file as a new zip file
5. upload it
   you will find the evil file is in public/static/index/<your renamed folder name>/css/phpinfo.pHp and app/index/view/<your renamed folder name>/phpinfo.pHp

The second location:

应用中心->应用管理->上传应用
the post url is /admin.php?s=pluginsadmin/upload.html
like the first location

1. download a casual plugin from offical(https://shopxo.store/goods-75.html) like this
2. unzip the zip
3. new a evil file named phpinfo.php in the controller-><pluginname>->admin folder
4. Recompress the file as a new zip file
5. upload it

you will find the evil file is in app/plugins/freightfee/admin/phpinfo.php

The third location:

手机管理->小程序列表->主题安装
the post url is /admin.php?s=appmini/themeupload.html

the step is

1. new a evil file phpinfo.php and compress the file as a new zip file
2. upload it

you will find the evil file in sourcecode/weixin/phpinfo.php