Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

dolphin

A vulnerability classified as serious was found in DolphinPHP V1.5.1. Operation on parameter ids causes remote command execution

from http://www.dolphinphp.com/getDolphin.html Download the latest version of DolphinPHP V1.5.1 source code From the code audit,We can see that the code in /application/common.php has calls whose parameters can be controlled_ user_ Func method 图片 Where, the controllable parameters are param [1] and log [$param [0]] First, param is the value separated by | And value is actually the traversal of match [1] Match is through regular matching, action_ Info ['log']. This rule is the matching value in brackets, and the final $action_ Info is obtained from database query 图片 图片 But we noticed that we need to bypass the judgment of is_disable_func($param[1]) 图片

Then we find the list of disable function 图片 Then through the shell_exec() method attempts to execute the command Set the log rules of the "Delete Attachment" function in the "Behavior Management" option 图片 Modify the rule to [details|shell_exec] test ([details]) and Modify the module to "System"(notice:not user) 图片 When deleting an attachment, execute the command through ids[]=calc%26&ids[]=x(X is the attachment id) 图片 图片 图片