This is a DEVCORE Intern project. https://hackmd.io/@entroy/BJizrC8wh
python3 exploit.py -u url --headers headers
- If you don't have
requests, remember topip3 install requestsfirst. urlis the target including the note id.http://target_ip_or_domain/note_id
headersis not required. If the target is private, protected or limited, you have to give a cookie to view the content. Mostly the cookie key isconnect.sid.- If you find out that the target cannot use PUT method to edit the note, try the steps in payload file.
- Just a note that PUT method can only edit a note that there is no users using.
- You can build a vulnerable version of codimd using the docker compose file.
python3 exploit.py -u 'http://ip/note_id' --headers 'Cookie: connect.sid=connect.sid;'
- Use
Rcommand to recover file content. Just a note that the code will only read filename infilesfolder. - Demo: https://www.youtube.com/watch?v=G4P6UF2vTJo&ab_channel=EntroyC