Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

##Poc of Directory Traversal in LaobanCMS V2.0 ###Precondition Do not need to login the cms, make sure the file xxx.com/install/mysql_hy.php is exists (http code is 200) then the Vulnerability can be use.
###Details In install/mysql_hy.php, the developer didn't filter the parameter $riqi and $i before using.
See the pic below

In line 6, we can see the parameter $riqi is join with ../data/ as the result of parameter $sql_path.
In line 7, the $sql_path use as the parameter of PHP function scandir()
In php, scandir() is used to list files and directories inside the specified path, and return an array of files and directories from the directory.
In line 9, the $i in $sqls[$i] is defined in line 5, and the attacker can control it. And the result of $sqls[$i] is given to $table.
In line 11, you can see, the parameter $table is echo directly. ###construction of poc the poc use two parameter in the url requesting arguments towards install/mysql_hy.php
riqi --> the directory you want to attack
i --> the index use in php function scandir()
In the picture below, i use ../../../../../../ as riqi and 3 - 8 as the index i. And my test server is ubuntu, so, you can see the folder name of the parent path.(like boot, boot, dev, etc)
Below is test in windows