[*] :: Title: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7 WebShell Upload & Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-14
[*] :: Software: Shopist | Laravel Multivendor eCommerce, CMS and Designer v2.4.7
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering and .PHP files upload has been discovered in the «Shopist | Laravel Multivendor eCommerce, CMS and Designer» web-application, current version is 2.4.7.
[?] :: Demo Website:
# Backend (admin): http://shopist.awesomewaterfall.com/admin/login
# Login/Password (admin): firstname.lastname@example.org/123456
[!] :: Special Note:
# 429 Sales
# Try to upload any zip-bomb and soon server will throw a system error with sensitive data like database credentials, full path disclosure etc. etc.: REDIRECT_SERVER_ADDR -> 188.8.131.52 | DB_DATABASE -> awesomew_shopist_testing | DB_USERNAME -> awesomew_shopist | DB_PASSWORD -> b5foO$d5I[@b
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Links]:
[+] :: PoC #1 [WebShell Upload]:
# Authorize on the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is email@example.com/123456). Then go to the language settings page: http://shopist.awesomewaterfall.com/admin/settings/languages
# You'll see the upload form and list of supported languages. Scroll down the page and press «Edit» menu link on any existed language. Upload form will accept from you any .ZIP file (plus each .ZIP file will be auto unpacked!), but don't be too quick over here. Demo website «secured» by firewall (so at least use the «Tor» browser), plus on any unpacked .PHP file from your .ZIP archive you'll see the 404 error page. It's possible to bypass this measure by including any directory inside your .ZIP archive, f.e.: dir1/dir2/payload.php. Upload form will throw an error message about image - ignore it, all your files will be uploaded anyway. After the successful upload you can find your unpacked files here: http://shopist.awesomewaterfall.com/resources/lang/ (so «bypassed» link to your .PHP file will be http://shopist.awesomewaterfall.com/resources/lang/dir1/dir2/payload.php w/o any errors).
[+] :: PoC #2 [Stored XSS Injection]:
# Authorize on the demo website for tests: http://shopist.awesomewaterfall.com/admin/login (login/password is firstname.lastname@example.org/123456). Then go to the «Add New Page» page or «Add New Post» page: http://shopist.awesomewaterfall.com/admin/page/add / http://shopist.awesomewaterfall.com/admin/blog/add
# «Title» input fields are ready for your payloads. Start injections from "> symbols, write down your payloads and save the data.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><script>location='https://twitter.com/quixss';</script>