linyiyi66 / Dedecms

Arbitrary file deletion in DedeCMS V5.7.104

Vulnerability location: /de/album_add.php

Lines 237-250

Code Analysis:

  1. The $AlbumUploadFiles data is not empty, so execution enters the if block.

  2. stripslashes removes the backslashes, and the content of $AlbumUploadFiles is converted to JSON format.

  3. A foreach loop iterates over the contents of the files array.

  4. DEDEDATA is a constant; the resulting path is the current absolute path plus /data/uploadtmp, the directory the file will be moved to.

  5. $tmpfile = $uploadtmp + "/" + our file name.

  6. Lines 244-249 do not perform any operations on $tmpfile.

  7. In line 249, $tmpfile ($uploadtmp/our file name) is moved to the file created in lines 244-249.

  8. In line 250, the file at $tmpfile is deleted with no restrictions.

Vulnerability reproduction:

Fill in the content and manually choose our PNG image to upload. Scroll to the bottom and click OK directly.

Click OK to display this page

  1. Use Burp to capture the request so that its data can be modified. The current page transmits data by default.

Scroll down after capturing the request.

Here is the captured JSON data. It contains 1-21442Y3V.png, the temporary name of the file uploaded above, which will be deleted. We can modify this value manually.

  1. I created a file in the root directory of my source code to demonstrate first.

  2. From the audit above, we know that data/file name is our temporary location.

Payload

Modify to ..// lynn.txt

Submit data

The file has been deleted.

Arbitrary file deletion

Let's delete the database connection file.

Using the File Manager

We can't delete it; we get a prompt instead.

Use our arbitrary file deletion instead

Payload

../common.inc.php to delete our database connection file

We visit the page normally.

The page displays blank.
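The root cause is that the file name taken from the request reaches the delete at line 250 without any path check. An added example (not DedeCMS code and not the project's patch; the function name `resolve_tmp_upload` and the demo paths are hypothetical) of confining such a name to the temp directory before `unlink`:

```php
<?php
// Added example, not DedeCMS code. resolve_tmp_upload() and all paths are hypothetical.
// Returns the real path of a temp upload inside $baseDir, or null if the name is unsafe.
function resolve_tmp_upload(string $baseDir, string $clientName): ?string
{
    // Allowlist: a bare file name only, so no separators, no "..", no leading dot.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $clientName) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false if the file does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $clientName);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check (defence in depth): a symlink placed in the temp
    // directory must not lead the delete to a file outside it.
    return dirname($real) === $base ? $real : null;
}

// Constructed demo tree: one temp upload and a neighbouring config file.
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/data/uploadtmp", 0700, true);
file_put_contents("$root/data/uploadtmp/1-upload.png", 'x');
file_put_contents("$root/data/common.inc.php", '<?php // constructed sample');

foreach (['1-upload.png', '../common.inc.php', '..\\common.inc.php', ''] as $name) {
    $path = resolve_tmp_upload("$root/data/uploadtmp", $name);
    if ($path !== null) {
        unlink($path); // only reached for files that really sit in the temp dir
    }
    printf("%-24s %s\n", var_export($name, true), $path === null ? 'rejected' : 'deleted');
}
// Check that the file outside the temp directory survived every request.
var_dump(file_exists("$root/data/common.inc.php"));
```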

License: GNU General Public License v3.0