
File Deletion in phpyun V4.6

Sketch

File deletion vulnerability. The GET parameter is not filtered when we delete a database backup, so we can delete any file or directory. We can also delete the installation lock file.

Reappearance

  1. Download the latest version from the official website and install it.

  2. Log in to the administrator interface, open this URL, then choose Database file backup.

http://www.test.com/admin/index.php?m=database

The backup directory is /data/plus/bdata.

Create a new directory named 123, and create a new file named 1.txt.

Then visit http://www.test.com/admin/index.php?m=database&c=backin

Capture the request, then change the parameter sql to ../123.

Forward it, and we find that the directory 123 has been deleted.

Explain

The vulnerable code is in V4.6_20180920, /admin/model/database.class.php,

in the function del_action().

Line 111 checks the token to prevent CSRF. Lines 112-113 take the parameter sql to complete the path. Lines 114-118 collect every directory and subdirectory, then delete them.

The filtering of GET parameters is not strict: ../ passes it. The filtering of GET parameters is located in db.safety.php.
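
One way to close this off is to canonicalise the requested path and confirm it still sits under /data/plus/bdata before anything is deleted. The following is an added example, not phpyun's code: the function name resolve_backup_dir() is hypothetical, it assumes a backup is named by a single directory component, it needs PHP 7.1 or later, and the demo directory tree is constructed in a temp folder.

```php
<?php
// Added example, not phpyun's code. resolve_backup_dir() is a hypothetical name.
// Resolve a user-supplied backup name to a directory strictly inside $baseDir.
// Returns the canonical path, or null when the request must be refused.
function resolve_backup_dir(string $baseDir, string $name): ?string
{
    // Accept only one plain path component: no separators, no "." or "..".
    if ($name === '.' || $name === '..'
        || !preg_match('/\A[A-Za-z0-9_.-]+\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks; it returns false if missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_dir($target)) {
        return null;
    }

    // Containment check on the canonical path: must be a child of $base,
    // never $base itself and never a sibling such as "bdata_old".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree mirroring the write-up: bdata holds backups, 123 is outside it.
$root = sys_get_temp_dir() . '/phpyun_demo_' . getmypid();
mkdir("$root/data/plus/bdata/backup_2018", 0700, true);
mkdir("$root/data/plus/123", 0700, true);
$base = "$root/data/plus/bdata";

foreach (['backup_2018', '../123', '..', 'backup_2018/../../123', ''] as $sql) {
    $resolved = resolve_backup_dir($base, $sql);
    printf("%-26s => %s\n", var_export($sql, true), $resolved ?? 'REFUSED');
}

// Remove the constructed demo tree, deepest directories first.
foreach (['/data/plus/bdata/backup_2018', '/data/plus/bdata', '/data/plus/123',
          '/data/plus', '/data', ''] as $d) {
    rmdir($root . $d);
}
```

The name allowlist alone already rejects ../, and the realpath() containment check stays in place for the case where a symlink inside the backup directory points elsewhere.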