| 标题 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Command Execution Vulnerability |
|---|
| 描述 | The MineAdmin backend management system is developed based on the Hyperf framework. It is a backend permission management system that provides a comprehensive permission system, allowing developers to focus on specific businesses, reduce development costs, and improve project efficiency.
The combination of the logic vulnerability and command execution vulnerability is described as follows:
Logic Flaw: There is a logic flaw in system/refresh. The "refresh" method is used to refresh Tokens. An attacker can unauthorizedly construct a JWT signed as a super administrator to directly bypass the system and obtain a legal new Token with administrator privileges.
Command Execution: There is a command execution vulnerability in setting/crontab/save (scheduled tasks). The system allows administrators (or attackers who have gained administrator privileges through the aforementioned logic flaw) to create scheduled tasks. Attackers can write and execute arbitrary PHP code to completely control the server.
This system uses frontend-backend separation.
Default Frontend Port: 8180
Default Backend API Port: 9501
This vulnerability reproduction uses the backend port. The actual environment may vary, please judge accordingly. |
|---|
| 来源 | ⚠️ https://github.com/SourByte05/MineAdmin-Vulnerability/issues/1 |
|---|
| 用户 | sourbyte (UID 94279) |
|---|
| 提交 | 2026-01-08 10時02分 (5 月前) |
|---|
| 管理 | 2026-01-19 15時00分 (11 days later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 336235 [MineAdmin 3.x Scheduled Task 权限提升] |
|---|
| 积分 | 0 |
|---|