Arbitrary File Download and deletion vulnerability in tianrong top two (No Logon required)
First, arbitrary file download and deletion:
file/task/saveTaskIpList.php

<?php
$fileName = $_GET['filename'];   // request-controlled path, never validated
if (!$fileName) {
    header("Content-type: text/html; charset=UTF-8");
    echo "<script language='javascript'>";
    echo "alert('saving process error!')";
    echo "</script>";
    exit();
}
$handler = fopen("$fileName", 'r');
if (!$handler) {
    header("Content-type: text/html; charset='utf-8'");
    echo "<script language='javascript'>";
    echo "alert('file opening failed because an error occurred while saving!')";
    echo "</script>";
    exit();
}
$length = filesize($fileName);
if ($length === false) {
    header("Content-type: text/html; charset='utf-8'");
    echo "<script language='javascript'>";
    echo "alert('an error occurred while saving. An error occurred while reading the file length!')";
    echo "</script>";
    exit();
}
$outputFile = 'devices';
header("Cache-Control:");
header("Cache-Control: public");
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=\"$outputFile\"");
header("Accept-Ranges: bytes");
$size = filesize($fileName);
$fp = fopen("$fileName", "rb");
fseek($fp, $range);              // $range is not set anywhere in this excerpt
while (!feof($fp)) {
    print(fread($fp, 1024 * 8)); // file contents are sent to the client
}
fclose($fp);
unlink($fileName);               // the same path is then deleted
?>

$fileName = $_GET['filename'] is passed directly to fopen and fread, so any file can be read. $fileName is also passed to unlink, so any file can be deleted.

Second, arbitrary file download:
file/task/downloadFile.php

<?php
include_once 'policy/CTaskManager.php';
session_start();
$fileName = $_GET['filename'];   // request-controlled, never validated
$fileTar = "report/" . $fileName;
header("Content-Description: File Transfer");
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=" . basename($fileTar));
header("Content-Transfer-Encoding: binary");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Pragma: public");
header("Content-Length: " . filesize($fileTar));
ob_clean();
flush();
readfile($fileTar);
exit();
?>

Obviously $fileName enters the readfile function, causing arbitrary file reading.
Solution:
Add login verification.
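
An added example, not the product's own code, of a download handler that applies the login check and also confines the requested name to the report directory, since a login check by itself still lets any logged-in user pass a name that resolves outside report/. BASE_DIR and the 'user' session key are assumptions made for illustration.

```php
<?php
// Added example, not the product's code. BASE_DIR and the 'user' session key
// are assumptions made for illustration.
declare(strict_types=1);

const BASE_DIR = '/var/www/report'; // assumed location of the report directory

// Resolve a request-supplied name to a regular file inside $baseDir.
// Returns null when the name is empty, missing, or resolves outside the directory.
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses ../ segments and follows symlinks; false if absent.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['user'])) { // login verification (assumed session key)
    http_response_code(403);
    exit('login required');
}

$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_inside(BASE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
// No unlink() on a request-supplied path: cleanup belongs to the job that wrote the file.
```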