
File Download in phpyun V4.6

Summary

An issue was discovered in phpyun V4.6. The vulnerable code is in /admin/model/database.class.php. It mishandles a GET parameter.

Affected component

The vulnerable code is in the function down_sql_action() in /admin/model/database.class.php.

The name parameter and sy_weburl compose the file path. The parameter in /data/plus/config.php can be changed in the administrator interface.

Because it mishandles the name parameter, we can hack it.

Attack vector

Enter the administrator interface, open the basic settings, and change the site of the website to the absolute path of the source code. (It's easy to guess /var/www/html on Linux.)

PoC: /admin/index.php?m=database&c=down_sql&name=../../index.php


The code is retrieved successfully.
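
A defensive counterpart to the issue above, as an added example that is not phpyun's own code: a download handler should resolve the requested name against a fixed backup directory and refuse anything that canonicalizes outside it. The function name resolve_backup_file, the backup directory layout and the .sql naming rule are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened resolver for a backup-download handler.
// $backupRoot must be a fixed server-side path, never a value that can be
// edited from the admin UI (such as a site-URL setting).
function resolve_backup_file(string $backupRoot, string $name): ?string
{
    // Accept a bare file name only: no separators, no "..", fixed extension.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.sql\z/', $name)) {
        return null;
    }
    $root = realpath($backupRoot);
    if ($root === false) {
        return null;
    }
    // Canonicalize, then confirm the result is still inside the backup root
    // (this also catches symlinks that point out of the directory).
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout in a temp directory so the check runs offline.
$base = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
mkdir("$base/backup", 0700, true);
file_put_contents("$base/index.php", "<?php // source that must not leak\n");
file_put_contents("$base/backup/site_20240101.sql", "-- constructed dump\n");

// Constructed request values, including the traversal form from the PoC.
$cases = [
    'site_20240101.sql',
    '../../index.php',
    'site_20240101.sql/../../index.php',
    'missing.sql',
];
foreach ($cases as $name) {
    $resolved = resolve_backup_file("$base/backup", $name);
    printf("%-36s => %s\n", $name, $resolved === null ? 'rejected' : 'served');
}
```

The allow-list on the name and the containment check after realpath() are independent: either one alone stops the traversal shown in the PoC, and keeping both covers symlinks and encoding tricks the pattern might miss.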