File Download in phpyun V4.6


There is an issue in phpyun V4.6. The vulnerable code is in /admin/model/database.class.php, which mishandles a GET parameter.

Affected component

The vulnerable code is in the function down_sql_action() in /admin/model/database.class.php.

The parameter name and the setting sy_weburl are concatenated to form the file path. The value of sy_weburl is stored in /data/plus/config.php and can be changed from the administrator interface.

Because the function mishandles the parameter name, the download can be abused to read files outside the intended directory.
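The weakness described above is a file path built from an admin-editable base (sy_weburl) plus an unchecked file name. The following is an added example, not phpyun's own code, of how a download handler can pin the path to a fixed backup directory instead; the function name, the backup directory and the `.sql` naming rule are assumptions.

```php
<?php
// Added example (not phpyun's code): a hardened replacement for the pattern
// the advisory describes. The original concatenates the admin-editable
// sy_weburl setting with the untrusted `name` parameter. This version
// ignores sy_weburl entirely and only serves files from a fixed backup
// directory. Function and directory names are assumptions.

function safe_sql_download_path(string $name, string $backupDir): ?string
{
    // 1. Accept only a plain file name: no slashes, no "..", restricted charset.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.sql$/', $name)) {
        return null;
    }

    // 2. Canonicalise the directory and the candidate file (resolves symlinks).
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // 3. Belt and braces: the canonical path must lie inside the backup dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage sketch inside the download action (hypothetical location of backups).
$path = safe_sql_download_path($_GET['name'] ?? '', __DIR__ . '/../../data/backup');
if ($path === null) {
    http_response_code(400);
    exit('invalid backup name');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The key point is that no part of the served path is derived from a setting an administrator can edit at runtime, so changing the site URL no longer changes which files the handler can read.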

Attack vector

Enter the administrator interface, open basic settings, and change the site URL to the absolute filesystem path of the source code (on Linux, /var/www/html is an easy guess).


The source code is then downloaded successfully.