| タイトル | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Command Execution Vulnerability |
|---|
| 説明 | The MineAdmin backend management system is developed based on the Hyperf framework. It is a backend permission management system that provides a comprehensive permission system, allowing developers to focus on specific businesses, reduce development costs, and improve project efficiency.
The combination of the logic vulnerability and command execution vulnerability is described as follows:
Logic Flaw: There is a logic flaw in system/refresh. The "refresh" method is used to refresh Tokens. An attacker can unauthorizedly construct a JWT signed as a super administrator to directly bypass the system and obtain a legal new Token with administrator privileges.
Command Execution: There is a command execution vulnerability in setting/crontab/save (scheduled tasks). The system allows administrators (or attackers who have gained administrator privileges through the aforementioned logic flaw) to create scheduled tasks. Attackers can write and execute arbitrary PHP code to completely control the server.
This system uses frontend-backend separation.
Default Frontend Port: 8180
Default Backend API Port: 9501
This vulnerability reproduction uses the backend port. The actual environment may vary, please judge accordingly. |
|---|
| ソース | ⚠️ https://github.com/SourByte05/MineAdmin-Vulnerability/issues/1 |
|---|
| ユーザー | sourbyte (UID 94279) |
|---|
| 送信 | 2026年01月08日 10:02 (5 月 ago) |
|---|
| モデレーション | 2026年01月19日 15:00 (11 days later) |
|---|
| ステータス | 重複 |
|---|
| VulDBエントリ | 336235 [MineAdmin 3.x Scheduled Task 特権昇格] |
|---|
| ポイント | 0 |
|---|