dolphin
A vulnerability classified as serious was found in DolphinPHP V1.5.1. Operation on the parameter ids causes remote command execution.
Download the latest DolphinPHP V1.5.1 source code from http://www.dolphinphp.com/getDolphin.html. Auditing the code, we can see that /application/common.php contains a call to the call_user_func method whose parameters can be controlled.
The controllable parameters are $param[1] and $log[$param[0]].
First, $param is the value split on |.
That value is in turn each element of $match[1] as it is traversed.
$match comes from a regular-expression match on $action_info['log']. The rule matches the values inside brackets, and $action_info itself is obtained from a database query.
But note that we need to bypass the is_disable_func($param[1]) check.

Then we find the list of disabled functions.
We then try to execute a command through the shell_exec() method.
Set the log rule of the "Delete Attachment" function in the "Behavior Management" option.
Modify the rule to [details|shell_exec] test ([details]) and change the module to "System" (note: not user).
When deleting an attachment, the command is executed through ids[]=calc%26&ids[]=x (x is the attachment id).
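A hardened form of the rule rendering described above, as an added example that is not DolphinPHP's own code: the function named after | is looked up in a fixed allowlist instead of being checked against a list of disabled functions. The function names, the regular expression and the allowlist are assumptions, and the sample data is constructed.

```php
<?php
// Added example, not DolphinPHP code. Names, regex and allowlist are assumptions.

// Formatters a log rule may name; anything else is refused (allowlist, not denylist).
const LOG_FORMATTERS = [
    'intval'     => 'intval',
    'strtoupper' => 'strtoupper',
    'escape'     => 'escape_html',
];

function escape_html(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

/**
 * Render a rule such as "[user|intval] deleted [details]" against $log.
 * Throws instead of calling a function that is not on the allowlist.
 */
function render_log_rule(string $rule, array $log): string
{
    return preg_replace_callback('/\[([^\[\]]+)\]/', function (array $m) use ($log): string {
        $param = explode('|', $m[1], 2);   // [key] or [key|formatter]
        $key   = $param[0];
        if (!array_key_exists($key, $log)) {
            return $m[0];                  // unknown placeholder: leave it untouched
        }
        $value = (string) $log[$key];
        if (!isset($param[1]) || $param[1] === '') {
            return $value;                 // no formatter requested
        }
        if (!array_key_exists($param[1], LOG_FORMATTERS)) {
            throw new InvalidArgumentException("formatter not allowed: {$param[1]}");
        }
        return (string) call_user_func(LOG_FORMATTERS[$param[1]], $value);
    }, $rule);
}

// Constructed sample data.
$log = ['user' => '7', 'details' => 'attachment <b>42</b>'];
echo render_log_rule('[user|intval] deleted [details|escape]', $log), PHP_EOL;

try {
    // The rule from the write-up is rejected because shell_exec is not a listed formatter.
    render_log_rule('[details|shell_exec] test ([details])', $log);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist check can also be applied when a rule is saved in the admin panel, so an unlisted function name never reaches the database.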
