user/del.php

Edition: zzcms8.3 user/del.php

0x01 Vulnerability

user/del.php calls unlink($f), so anyone who controls the value of $f can delete any file.

0x02 Control $f

$f is obtained by querying the img path in the zzcms_main data table, so the relative path of the file to be deleted must first be written into zzcms_main.

0x03 Insert data into zzcms_main

The relevant code is in user/zssave.php.

The payload is as follows: directly POST action=add&img=/user/index.php

0x04 Delete Files

This requires brute-forcing the id (the id value can be brute-forced).

user/index.php is deleted successfully.
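
A mitigation sketch for the unlink($f) call described above, as an added example that is not zzcms code: the stored img value is resolved with realpath() and deleted only if it is an image file inside the upload directory. The function name, the uploadfiles directory name, the extension allow-list and the sandbox files are assumptions constructed for illustration.

```php
<?php
// Added example, not zzcms code. Function name, "uploadfiles" and the
// extension allow-list are assumptions made for illustration.

function delete_uploaded_image(string $siteRoot, string $uploadDir, string $stored): bool
{
    // Canonical upload root: realpath() resolves symlinks and ".." segments.
    $base = realpath($siteRoot . DIRECTORY_SEPARATOR . $uploadDir);
    if ($base === false || $stored === '' || strpos($stored, "\0") !== false) {
        return false;
    }
    // Resolve the stored value the same way before comparing.
    $target = realpath($siteRoot . DIRECTORY_SEPARATOR . ltrim($stored, '/\\'));
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The resolved file must sit strictly inside the upload root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only image types the upload feature is expected to produce.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return false;
    }
    return unlink($target);
}

// Constructed sandbox: a throwaway site root in the temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'del_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/user', 0700, true);
mkdir($root . '/uploadfiles', 0700, true);
file_put_contents($root . '/user/index.php', '<?php // placeholder');
file_put_contents($root . '/uploadfiles/a.jpg', 'constructed image bytes');

// The first value is the one from the write-up; the other two are constructed.
$cases = ['/user/index.php', '/uploadfiles/../user/index.php', '/uploadfiles/a.jpg'];
foreach ($cases as $img) {
    $ok = delete_uploaded_image($root, 'uploadfiles', $img);
    printf("%-32s %s\n", $img, $ok ? 'deleted' : 'refused');
}
// The script outside the upload root must still be present.
var_dump(file_exists($root . '/user/index.php'));
```

The same containment check belongs on the write side as well, so that a value such as /user/index.php is rejected when it is submitted as img rather than only when it is later deleted.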