Company: 上海匡创信息技术有限公司
Reporter: Tom
Vulnerable code path: zb_users/plugin/AppCentre/app_del.php
Code:
```php
if($blogversion>=151525){
    // type and id are taken straight from the query string
    $app=$zbp->LoadApp($_GET['type'], $_GET['id']);
    if($app->type == $_GET['type']){
        if($app->CanDel()){
            $app->Del();
        }
    }
}else{
    // legacy branch: recursive directory removal
    function rrmdir($dir) {
        if (is_dir($dir)) {
            $objects = scandir($dir);
            foreach ($objects as $object) {
                if ($object != '.' && $object != '..') {
                    if (filetype($dir . '/' . $object) == 'dir') {
                        rrmdir($dir . '/' . $object);
                    } else {
                        unlink($dir . '/' . $object);
                    }
                }
            }
            reset($objects);
            rmdir($dir);
        }
    }
    // (the rest of the else branch is not quoted in the report)
```
If the version check is satisfied, the deletion goes through CanDel() and Del().
If it is not satisfied, the deletion routine under else runs.
The Del() method is in app.php:
zb_system\function\lib\app.php
Lines 618-622
```php
public function Del() {
    global $zbp;
    // path is built by concatenating the request-controlled type and id
    rrmdir($zbp->usersdir . $this->type . '/' . $this->id);
    $this->DelCompiled();
}
```
PoC URL: 127.0.0.1/zb_users/plugin/AppCentre/app_del.php
Test procedure:
Log in to the admin backend, copy the PoC link and open it; the zb_users directory is deleted and the site crashes because of the missing files.
Precondition:
Requires an administrator to be logged in.
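The report shows two things a practitioner should check in app_del.php: the directory handed to rrmdir() is built by concatenating $_GET['type'] and $_GET['id'] with no validation, and the delete fires on a plain GET that a logged-in admin's browser will carry for any page that embeds the link (the CSRF angle the maintainers mention below). The following is an added hardening example, not Z-BlogPHP's or the reporter's code: it validates type against a known list, restricts id to a directory-name character set, confirms after realpath() that the target is still inside the per-type directory, and requires a session-bound token compared with hash_equals(). $usersdir, the session layout and the function names are assumptions; the temp tree and request arrays are constructed for the demo.

```php
<?php
// Added example (not Z-BlogPHP code): fail-closed resolution of an app
// directory before deletion, plus a CSRF token check.
// Assumptions: $usersdir is the filesystem path of zb_users/, the CSRF
// token is stored in the session under 'csrf_token'. Names are hypothetical.
declare(strict_types=1);

const ALLOWED_APP_TYPES = ['plugin', 'theme'];

/**
 * Return the directory that may be deleted, or null to refuse the request.
 * type must be a known app type, id a plain identifier, and the resolved
 * path must remain a child of $usersdir/<type>/ after symlink resolution.
 */
function resolve_app_dir(string $usersdir, string $type, string $id): ?string
{
    if (!in_array($type, ALLOWED_APP_TYPES, true)) {
        return null;                                  // unknown app type
    }
    // '.', '..', '/', '\\' and friends never match this character class
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $id)) {
        return null;
    }
    $base   = realpath($usersdir . '/' . $type);
    $target = realpath($usersdir . '/' . $type . '/' . $id);
    if ($base === false || $target === false) {
        return null;                                  // does not exist
    }
    // containment: target must start with base + '/' and not be base itself
    if ($target === $base || strpos($target . '/', $base . '/') !== 0) {
        return null;
    }
    return $target;
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_token_ok(array $session, array $request): bool
{
    return isset($session['csrf_token'], $request['token'])
        && is_string($request['token'])
        && hash_equals($session['csrf_token'], $request['token']);
}

// ---- demo on a constructed temp tree; no real install is touched ----
$usersdir = sys_get_temp_dir() . '/zb_users_demo_' . getmypid();
mkdir($usersdir . '/plugin/GoodPlugin', 0700, true);
mkdir($usersdir . '/theme', 0700, true);
$session = ['csrf_token' => bin2hex(random_bytes(16))];

$cases = [
    ['plugin', 'GoodPlugin'],  // legitimate app directory
    ['plugin', '..'],          // would climb to zb_users itself
    ['plugin', '../theme'],    // traversal with a separator
    ['data',   'GoodPlugin'],  // not an app type
];
foreach ($cases as [$type, $id]) {
    $dir = resolve_app_dir($usersdir, $type, $id);
    printf("%-7s %-12s => %s\n", $type, $id, $dir === null ? 'REFUSED' : 'ok');
}

// A bare GET link carried by the admin's browser has no token: refused.
var_dump(csrf_token_ok($session, ['type' => 'plugin', 'id' => 'GoodPlugin']));
// A form or link rendered by the backend with the session token: accepted.
var_dump(csrf_token_ok($session, ['token' => $session['csrf_token']]));

// cleanup of the constructed tree
rmdir($usersdir . '/plugin/GoodPlugin');
rmdir($usersdir . '/plugin');
rmdir($usersdir . '/theme');
rmdir($usersdir);
```

Run it with `php example.php`; only the first case resolves, the others are refused, and the tokenless request fails the CSRF check. Doing the realpath() containment check in addition to the character whitelist matters: the whitelist alone does not protect against an id that is a symlink pointing outside the type directory.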
Vulnerability confirmed. The CSRF vulnerability present in the App Centre will be fixed at the same time.
A temporary fix for this vulnerability has been released; updating the App Centre plugin from the backend resolves it. We will continue to adjust and audit related issues in the system, and will publish a security advisory afterwards.
Also: in future, please report security vulnerabilities to our email address, to avoid a public post leaking the exploitation method. Thank you.
https://blog.zblogcn.com/2018/02/08/98/