| Description: | ThinkAdmin is a web-based administrative backend built on the ThinkPHP framework. A design flaw in the routing and parameter-filtering logic of certain releases allows unauthenticated attackers to submit a specially crafted request that traverses outside the intended directory scope. By supplying a URL-encoded array containing only the root path “/” to an internal update API, the application concatenates the value directly into file-operation routines without further validation. This behavior can be abused to enumerate or download arbitrary files from the server filesystem, including configuration files, source code, database credentials, TLS private keys, and user-uploaded content. Successful exploitation exposes the entire application surface and runtime environment, enabling follow-on activities such as source-code review, credential harvesting, lateral movement, and ultimately remote code execution. The resulting impact ranges from full data exfiltration and service disruption to complete compromise of the underlying host. |