
zzcms v2018 data:2018-10-19  #1

Open
@615


link: http://www.zzcms.net/about/6.htm

Edition: zzcms 2018 data:2018-10-19 /admin/dl_data.php

0x01 Vulnerability

There is unlink($fp) to delete any file by controlling the value of $_GET["filename"]

0x02 Control $fp

We can see
first ==> $_REQUEST['action'])
second ==> if ($action=="del")
so set url ==> action=del&filename=

0x03 payload

Payload is as follows, directly post: action=del&filename=../1.txt

Remote attackers can delete arbitrary files via directory traversal.
Files can also be deleted without authentication.

So we can delete /install/install.lock
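
A mitigation for the flaw reported above, as an added example that is not part of the original issue and is not zzcms code: the delete handler checks for an admin session, allow-lists the file name, and confirms with `realpath()` that the resolved target is still inside the intended directory before calling `unlink()`. The function names, the `backup` directory and the `$session['admin']` key are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. safe_delete(), handle_delete(), the directory
// layout and the $session['admin'] key are assumptions made for illustration.

/** Delete $name only if it is a regular file directly inside $baseDir. */
function safe_delete(string $baseDir, string $name): bool
{
    // Allow-list the name: no separators, no NUL, no leading dot (so no "." or "..").
    if (preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $name) !== 1) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves ".." and symlinks; the result must still sit in $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

/** Request gate: the caller must hold an admin session and use POST. */
function handle_delete(array $session, string $method, array $post, string $baseDir): int
{
    if (empty($session['admin'])) {
        return 403; // unauthenticated callers never reach unlink()
    }
    if ($method !== 'POST' || !isset($post['filename']) || !is_string($post['filename'])) {
        return 400;
    }
    return safe_delete($baseDir, $post['filename']) ? 200 : 400;
}

// Constructed demo tree: one file inside the allowed directory, one outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backup', 0700, true);
file_put_contents($root . '/backup/a.sql', 'x');
file_put_contents($root . '/1.txt', 'x');

$admin = ['admin' => true];
printf("no session: %d\n", handle_delete([], 'POST', ['filename' => 'a.sql'], "$root/backup"));
printf("traversal: %d\n", handle_delete($admin, 'POST', ['filename' => '../1.txt'], "$root/backup"));
printf("file outside kept: %s\n", file_exists("$root/1.txt") ? 'yes' : 'no');
printf("valid name: %d\n", handle_delete($admin, 'POST', ['filename' => 'a.sql'], "$root/backup"));
```

A state-changing endpoint like this would normally also verify an anti-CSRF token, which the sketch leaves out.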
