Open
Description
link: http://www.zzcms.net/about/6.htm

Edition: zzcms 2018 data:2018-10-19 /admin/dl_data.php
0x01 Vulnerability

There is unlink($fp) to delete any file by controlloing the value of $_GET["filename"]
0x02 Control $fp
We can see
first ==> $_REQUEST['action'])
second ==> if ($action=="del")
so set url ==> action=del&filename=
0x03 payload
Payload is as follows, directly post: action=del&filename=../1.txt
remote attackers can delete arbitrary files via directory traversal
no authentication also can delete file
so we can delete /install/install.lock
Metadata
Metadata
Assignees
Labels
No labels
