Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS In

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019050149

Below is a copy:

Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS Injection
[*] :: Title: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-14
[*] :: Software: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7
  
[?] :: Technical Details & Description:
# Weak security measures, such as poor filtering of input field data and acceptance of uploaded .PHP files, have been discovered in the Shopist | Laravel Multivendor eCommerce, CMS and Designer web application; the current version is 2.4.7.

[?] :: Demo Website:
# https://codecanyon.net/item/shopist-laravel-ecommerce/17475699
# Backend (admin): http://shopist.awesomewaterfall.com/admin/login
# Login/Password (admin): [email protected]/123456

[!] :: Special Note:
# 429 Sales
# Try to upload any zip bomb and the server will soon throw a system error containing sensitive data such as database credentials, full path disclosure, etc.: REDIRECT_SERVER_ADDR -> 23.92.74.62 | DB_DATABASE -> awesomew_shopist_testing | DB_USERNAME -> awesomew_shopist | DB_PASSWORD -> b5foO$d5I[@b

[!] :: For developers:
# Disabling data changes on a demo website doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://shopist.awesomewaterfall.com/resources/lang/quixss.html
# http://shopist.awesomewaterfall.com/resources/assets/js/up-dir.php
# http://shopist.awesomewaterfall.com/public/designer/icons/up-dir.php
# http://shopist.awesomewaterfall.com/public/slick/fonts/up-dir.php

[+] :: PoC #1 [WebShell Upload]:
# Log in to the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is [email protected]/123456). Then go to the language settings page: http://shopist.awesomewaterfall.com/admin/settings/languages
# You'll see the upload form and the list of supported languages. Scroll down the page and click the Edit menu link on any existing language. The upload form will accept any .ZIP file (and each .ZIP file is automatically unpacked!), but don't be too quick here. The demo website is protected by a firewall (so at least use the Tor browser), and requesting any .PHP file unpacked from your .ZIP archive shows the 404 error page. This measure can be bypassed by including any directory inside your .ZIP archive, e.g.: dir1/dir2/payload.php. The upload form will show an error message about an image; ignore it, all your files will be uploaded anyway. After a successful upload you can find your unpacked files here: http://shopist.awesomewaterfall.com/resources/lang/ (so the bypassed link to your .PHP file will be http://shopist.awesomewaterfall.com/resources/lang/dir1/dir2/payload.php, without any errors).
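
A defensive check for the language-pack upload described in PoC #1, as an added example that is not part of the original advisory or Shopist's code: it inspects every ZIP entry before extraction and rejects nested paths, extensions outside an allow-list and zip-bomb-like sizes. The function name, allow-list and limits are assumptions.

```php
<?php
// Added example, not Shopist code. Allow-list and limits are assumptions.
const NAME_RULE = '/^[A-Za-z0-9_-]+\.(json|png|jpg)$/D'; // flat name, one extension
const MAX_TOTAL_BYTES = 5 * 1024 * 1024; // total uncompressed size
const MAX_RATIO = 100;                   // uncompressed / compressed, per entry

/** Returns reasons to reject the archive; an empty array means acceptable. */
function validateLanguageZip(string $path): array
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return ['not a readable ZIP archive'];
    }
    $errors = [];
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        // Rejects sub-directories, traversal, dotfiles and non-allow-listed extensions.
        if (preg_match(NAME_RULE, $st['name']) !== 1) {
            $errors[] = "disallowed entry name: {$st['name']}";
        }
        // Sizes are read from archive headers; extraction should also cap bytes written.
        if ($st['comp_size'] > 0 && $st['size'] / $st['comp_size'] > MAX_RATIO) {
            $errors[] = "compression ratio too high: {$st['name']}";
        }
        $total += $st['size'];
    }
    if ($total > MAX_TOTAL_BYTES) {
        $errors[] = 'uncompressed size over limit';
    }
    $zip->close();
    return $errors;
}

// Constructed sample archives, written to the temp directory for the demo.
$samples = [
    'language file' => ['en.json' => '{"hello":"Hello"}'],
    'nested php'    => ['dir1/dir2/payload.php' => 'placeholder'],
    'oversized'     => ['big.json' => str_repeat('0', 6 * 1024 * 1024)],
];
foreach ($samples as $label => $files) {
    $path = tempnam(sys_get_temp_dir(), 'lang');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::OVERWRITE);
    foreach ($files as $name => $data) { $zip->addFromString($name, $data); }
    $zip->close();
    echo $label, ': ', implode('; ', validateLanguageZip($path)) ?: 'accepted', "\n";
    unlink($path);
}
```

Validation of this kind complements, rather than replaces, unpacking uploads into a directory where the web server does not execute PHP.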

[+] :: PoC #2 [Stored XSS Injection]:
# Log in to the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is [email protected]/123456). Then go to the Add New Page page or the Add New Post page: http://shopist.awesomewaterfall.com/admin/page/add / http://shopist.awesomewaterfall.com/admin/blog/add
# The Title input fields are ready for your payloads. Start injections with the "> symbols, write your payloads and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>
