0x00 Foreword
0x01 Arbitrary file upload
1. Vulnerability reproduction
Vulnerability location: Dashboard > Themes > default > Files
Click Simpan (Save) and capture the request: the parameters carry the file name and the file contents (src). Modifying these two parameters sets a new file name and new contents.
ah ha ~
2. Code Analysis
Position: fiyocms/dapur/apps/app_theme/libs/save_file.php
Line 27 uses file_get_contents() to save the contents of parameter c into the file named by parameter f. Neither c nor f receives any treatment: both values are taken directly from the POST method, which results in an arbitrary file upload vulnerability.
0x02 Arbitrary file read
1. Vulnerability reproduction
Vulnerability location: Admin > Themes > default > Files
Click index.php and capture the request.
Modify the parameter and the file is read successfully.
2. Code Analysis
Position: /dapur/apps/app_theme/libs/check_file.php
Lines 13 and 14 take the file path and file name from the GET method, concatenate them directly and assign the result to $file, which is then assigned to $furl. Line 23 reads $furl with file_get_contents() without any treatment, so there is an arbitrary file read vulnerability.
0x03 Arbitrary file deletion
1. Vulnerability reproduction
Vulnerability location: Admin > Settings > Backup
Capture the request when clicking Backup.
Modify the file parameter.
Deleted successfully ~ ~
2. Code Analysis
Position: dapur/apps/app_config/controller/backuper.php
Line 16: when the backup type is determined to be the database, the backup file is deleted directly with the unlink function. The file location comes from the POST method and is spliced onto ../../../../.backup/ without any treatment of the value, which results in an arbitrary file deletion vulnerability.
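The three handlers above share one root cause: a file name taken straight from the request reaches file_get_contents()/unlink(). The following is an added example, not FiyoCMS code, of a containment check a maintainer could put in front of those calls; $baseDir, $allowedExt and $themeDir are hypothetical names.

```php
<?php
// Added example (not FiyoCMS code): one containment check for all three
// handlers above. They each take a user-supplied file name (f / $furl /
// file) and hand it straight to file_get_contents()/unlink(). This helper
// resolves the name inside a fixed base directory and refuses anything
// that escapes it or carries a disallowed extension.
// Hypothetical names: $baseDir, $allowedExt, $themeDir.

function resolve_within(string $baseDir, string $userPath, array $allowedExt): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory missing: fail closed
    }
    // Refuse NUL bytes and any '..' before touching the filesystem, so that
    // '../../../../.backup/' style splicing cannot walk out of $base.
    if (strpos($userPath, "\0") !== false || strpos($userPath, '..') !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;                       // e.g. no .php written into a theme
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // For files that already exist (read/delete) realpath() also resolves
    // symlinks; for a file about to be created it returns false.
    $real = realpath($candidate);
    $check = ($real !== false) ? $real : $candidate;
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($check, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $check;
}

// Vulnerable shape from the write-up: the file named by $_POST['f'] is
// written with $_POST['c'], or unlink('../../../../.backup/' . $_POST['file'])
// runs, with no validation at all. Hardened use for the save handler:
$themeDir = __DIR__ . '/themes/default';              // hypothetical location
$target = resolve_within($themeDir, $_POST['f'] ?? '', ['css', 'js', 'html', 'tpl']);
if ($target === null) {
    http_response_code(400);
    exit('invalid file name');
}
file_put_contents($target, $_POST['c'] ?? '');
```

The same resolve_within() call guards the read and delete handlers: pass the GET path/name or the POST file value and only operate on the returned path when it is not null.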