Introduction: Learning
Arbitrary file upload vulnerability affecting versions:
jQuery-File-Upload version <v9.22.1 and Apache> 2.3.9 (the default is no longer supported .htaccess) or others
Remote Command Execution Vulnerability:
Unauthorized file deletion vulnerability
We can look, the following code $success = is_file($file_path) && $file_name[0] !== '.' && unlink($file_path);
, there's $ file_path if we can control, then it is possible to perform unauthorized deletion of a file
public function delete($print_response = true) {
$file_names = $this->get_file_names_params();
//var_dump($file_names);
if (empty($file_names)) { //返回为空,走下面流程
$file_names = array($this->get_file_name_param()); //$file_names 里面存放着$_GET['file']接收的内容
}
$response = array();
foreach ($file_names as $file_name) {
$file_path = $this->get_upload_path($file_name); //取当前文件的路径
$success = is_file($file_path) && $file_name[0] !== '.' && unlink($file_path); //判断当前文件是否为文件
// 并且判断文件名是否以 点 开头,例如.htaccess
if ($success) {
var_dump($this->options['image_versions']);
foreach ($this->options['image_versions'] as $version => $options) {
if (!empty($version)) {
$file = $this->get_upload_path($file_name, $version);
if (is_file($file)) {
unlink($file);
}
}
}
}
$response[$file_name] = $success;
}
return $this->generate_response($response, $print_response);
}
payload:curl -X DELETE "http://127.0.0.1/server/php/index.php?file=文件名
Unfortunately here the file name can not be controlled, only the current file to delete unauthorized use, because get_file_names_params
get_file_name_param function function call in $this->basename(stripslashes($this->get_query_param($name)))
, enter the file name were filtering operation, leading to uncontrolled path
protected function get_file_name_param() {
$name = $this->get_singular_param_name();
return $this->basename(stripslashes($this->get_query_param($name)));
}