You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Enter the controller.Upload method, you can specify the upload path
There is a loophole in the regex to determine whether the path is legal, and you can use /../ to bypass it
Determine whether the folder exists, and terminate execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file name without renaming it.
The steps to reproduce.
zdir version: 3.2.0
modify file: /zdir/data/config/config.ini
start
View routes, the interface requires login credentials
Enter the controller.Mkdir method, the parameters submitted by the post request are name and path
Enter the !V_dir method and find that it is only to judge whether the passed path is a folder
This creates a .ssh directory using directory traversal
Enter the controller.Upload method, you can specify the upload path
There is a loophole in the regex to determine whether the path is legal, and you can use
/../
to bypass itDetermine whether the folder exists, and terminate execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file name without renaming it.
Generate an ssh public key for upload
Then you can use ssh to connect to the server
The text was updated successfully, but these errors were encountered: