CVE-2023-1185: ecshop v4.1.8 file upload vulnerability · Issue #2 · wjzdalao/ecshop4.1.8

A vulnerability, which was classified as problematic, was found in ECshop up to 4.1.8. This affects an unknown part of the component New Product Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222357 was assigned to this vulnerability.


EcShop v4.1.8 File Upload Vulnerability
Environment construction:
Download the v4.1.8 source code and build it.
Vulnerability reproduction:
After the build is completed, we can visit http://domain/admin and use an ECshop account to log in to the admin back end.
Enter the required name, NO and Shop price under Product -> New product and submit it. Add the following lines to the request in Burp Suite:
-----------------------------424530281912821893691310326676
Content-Disposition: form-data; name="file_url[0]"; filename="shell.php"
Content-Type: image/ipeg

Then send the request; the response shows that the product was added successfully. Checking the local files shows that the PHP file was uploaded successfully.

The vulnerability here is that source/ecshop/admin/goods.php, which is accessed during the POST submission, does not filter the upload.

We can also see that the file upload path is under our control.
The 'filename' and 'the uploaded year and month' are under our control. The number in front is only the serial number of the product, so you can access the PHP file by simply cracking the serial number, starting from 1. For example, the shell.php file uploaded here is located at /uploadfile/202302/137_25a452927110e39a345a2511c57647f2.php, and the part that follows the serial number is only the MD5 value of shell.php.

Finally, we can easily access and execute commands.
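
For contrast with the unfiltered upload described above, the following is an added example of server-side upload validation; it is not taken from the issue or from ECshop. The names ALLOWED_TYPES, safe_upload_name and store_upload are hypothetical, and the sample file is constructed for the demonstration.

```php
<?php
// Added example (hypothetical helpers, not ECshop code): extension => required MIME type.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

// Validate one upload and return a server-chosen storage name.
function safe_upload_name(string $clientName, string $tmpPath): string
{
    // The client file name is used only to check the extension allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // The request's Content-Type is client-supplied, so sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_TYPES[$ext]);
    }
    // Random name: no product serial number, no hash of the client name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Store one normalized $_FILES entry (assumed keys: name, tmp_name, error).
function store_upload(array $file, string $destDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a completed HTTP upload');
    }
    $name = safe_upload_name($file['name'], $file['tmp_name']);
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

// Constructed demo input: script bytes offered under two client file names.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
foreach (['shell.php', 'shell.jpg'] as $clientName) {
    try {
        echo "stored as ", safe_upload_name($clientName, $tmp), "\n";
    } catch (RuntimeException $e) {
        echo "rejected $clientName: ", $e->getMessage(), "\n";
    }
}
unlink($tmp);
```

Both demo names are rejected: the first on its extension, the second because the bytes are not an image. Configuring the web server so that nothing under the upload directory is executed as a script is a separate layer that still applies if validation is bypassed.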
