Summary: in the controller.Upload method the client can specify the upload path. The regex that decides whether the path is legal has a loophole and can be bypassed with /../. Upload then checks whether the target folder exists and terminates if it does not, so the directory traversal is first used to create the folder, after which a file is uploaded with its original name (no renaming).
Steps to reproduce:
zdir version: 3.2.0
Modify file: /zdir/data/config/config.ini
Start zdir
View the routes; the interface requires login credentials.

Enter the controller.Mkdir method; the parameters submitted by the POST request are name and path.

Enter the !V_dir method and find that it only checks whether the passed path is a folder.
This allows a .ssh directory to be created via directory traversal.
Enter the controller.Upload method, where the upload path can be specified.

The regex that determines whether the path is legal has a loophole and can be bypassed with /../.
Upload checks whether the folder exists and terminates if it does not, so the directory traversal above is used to create the folder first, and the file is then uploaded without renaming.

Generate an SSH public key and upload it.

Then ssh can be used to connect to the server.
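The root cause of both the Mkdir and Upload steps is a path check that looks at the string instead of the resolved location. The following added example (written in Python for illustration; it is not zdir's code, and the storage root /srv/zdir/data and the weak regex are constructed assumptions) shows a regex-style check that lets "/uploads/../../.ssh" through beside a containment check that canonicalises the path and rejects anything outside the storage root:

```python
import os
import re

# Hypothetical weak check, modelled on the kind of regex the report describes
# (not zdir's actual code): it rejects only a path that *begins* with "../",
# so "/uploads/../../.ssh" slips through.
def weak_is_legal(user_path: str) -> bool:
    return re.match(r"^\.\./", user_path) is None

def resolve_within(base_dir: str, user_path: str):
    """Canonical absolute path of user_path under base_dir, or None if it escapes.

    Leading slashes are stripped so an absolute-looking value is treated as
    relative to the base; realpath() collapses every ".." and symlink before
    the prefix comparison, so no regex is needed to spot traversal.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # base + os.sep prevents a sibling such as "/srv/zdir/data2" from matching
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

def check_request(base_dir: str, user_path: str) -> dict:
    """Run both checks on one request value, e.g. the Mkdir 'path' parameter."""
    return {
        "weak_regex_accepts": weak_is_legal(user_path),
        "resolved": resolve_within(base_dir, user_path),
    }

if __name__ == "__main__":
    base = "/srv/zdir/data"  # assumed storage root, constructed for the demo
    for p in ("uploads/report.txt", "/uploads/../../.ssh", "../.ssh"):
        print(p, check_request(base, p))
```

Both Mkdir and Upload should call the containment check on the requested path and, for Mkdir, on the resulting parent/name combination, so the "folder exists" test only ever sees locations inside the storage root.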