SSRF Vulnerability in LyLme_spage v1.9.5 #92

Open
Hebing123 opened this issue May 22, 2024 · 0 comments

Summary

An SSRF (Server-Side Request Forgery) vulnerability was identified in the LyLme_spage version 1.9.5. This vulnerability allows internal network requests to be initiated and sensitive information to be retrieved by accessing a specific URL.

Details

The vulnerability resides in the get_head function, which is used to fetch and process web page titles, icons, descriptions, and keywords. By manipulating the URL parameter accessed through http://192.168.0.10:1006/apply/index.php?url=[malicious_URL], an attacker can force the application to make arbitrary requests to internal services.

```php
function get_head($url, $cache = false)
{
    if ($cache && is_numeric($url)) {
        global $DB;
        $site_head = $DB->get_row("SELECT * FROM `lylme_links` WHERE `id` = $url AND `link_pwd` = 0 ");
        $url = $site_head['url'];
        $cache_path = ROOT . "cache/";
        $cache_file = $cache_path . md5($url) . ".txt";
        if (file_exists($cache_file)) {
            // Get the cache file's modification time
            $file_mtime = filemtime($cache_file);
            // If the cache file has not expired, read it and return the data directly
            if ((time() - $file_mtime) < 7 * 24 * 60 * 60) {
                return json_decode(file_get_contents($cache_file), true);
            }
        }
    }
    // The user-supplied URL reaches the fetcher unchecked (the SSRF sink)
    $data = get_curl($url);
    // Fetch the site title
    preg_match('/<title.*?>(?<title>.*?)<\/title>/sim', $data, $title);
    $encode = mb_detect_encoding($title['title'], array('GB2312', 'GBK', 'UTF-8', 'CP936'));
    // Detect the string encoding
    $file_charset = iconv_get_encoding()['internal_encoding'];
    // Current file encoding
    if ($encode != 'CP936' && $encode != $file_charset) {
        $title = iconv($encode, $file_charset, $title['title']);
        $data = iconv($encode, $file_charset, $data);
    } else {
        $title = $title['title'];
    }
    // Fetch the site icon
    preg_match('/<link rel=".*?icon" * href="(.*?)".*?>/is', $data, $icon);
    preg_match('/<meta +name *=["\']?description["\']? *content=["\']?([^<>"]+)["\']?/i', $data, $description);
    preg_match('/<meta +name *=["\']?keywords["\']? *content=["\']?([^<>"]+)["\']?/i', $data, $keywords);
    $icon = $icon[1];
    if (!empty($icon)) {
        $icon = get_urlpath($icon, $url);
    } else {
        $parse = parse_url($url);
        $port = $parse['port'] == 80 || $parse['port'] == "" ? '' : ":" . $parse['port'];
        $iconurl = $parse['scheme'] . '://' . $parse['host'] . $port . '/favicon.ico';
        // A second outbound request derived from the same unchecked URL
        if (get_curl($iconurl) != 404) {
            $icon = $iconurl;
        }
    }
    $get_heads = array("title" => $title, "charset" => $encode, "icon" => $icon, "description" => $description[1], "keywords" => $keywords[1], "url" => $url);
    if ($cache && is_numeric($url)) {
        if (!file_exists($cache_path)) {
            mkdir($cache_path);
        }
        file_put_contents($cache_file, json_encode($get_heads));
    }
    return $get_heads;
}
```

This is made possible due to insufficient validation of the user-supplied URL, allowing for the specification of arbitrary URLs that the server will then request data from. Consequently, this behavior can be exploited to interact with and extract information from services that are only accessible from the server's internal network.
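For comparison, the following is an added example of the validation that is missing here; it is not LyLme_spage project code, and the function names `is_safe_outbound_url` and `fetch_public_url` are hypothetical. It shows the checks a guarded fetcher needs before `get_curl($url)` would be safe to call: allow only http/https, resolve the host itself and reject loopback, private, link-local and other reserved addresses, pin the connection to the address that was checked (so a DNS answer cannot change between the check and the request), and refuse redirects so the target cannot bounce the fetcher to an internal address.

```php
<?php
// Added example (hypothetical names, not LyLme_spage code): an outbound-URL
// guard of the kind get_head() lacks before it calls get_curl($url).

function is_safe_outbound_url(string $url, ?string &$reason = null, ?string &$pinned_ip = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        $reason = 'unparseable URL or missing scheme/host';
        return false;
    }
    // Only plain web schemes: rules out file://, gopher://, dict:// and friends.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        $reason = "scheme '$scheme' not allowed";
        return false;
    }
    // Only standard web ports, so the fetcher cannot probe arbitrary services.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        $reason = "port $port not allowed";
        return false;
    }
    // Resolve the host ourselves. A literal IP (IPv6 arrives in brackets) is
    // checked directly; a hostname is resolved to every A/AAAA answer.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $addresses[] = $rec['ip'] ?? $rec['ipv6'];
        }
    }
    if ($addresses === []) {
        $reason = "host '$host' did not resolve";
        return false;
    }
    // Every answer must be a public address: NO_PRIV_RANGE rejects 10/8,
    // 172.16/12, 192.168/16 and fc00::/7; NO_RES_RANGE rejects 127/8,
    // 169.254/16 (including cloud metadata endpoints), 0/8, ::1 and the rest.
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            $reason = "host resolves to non-public address $ip";
            return false;
        }
    }
    $pinned_ip = $addresses[0];
    return true;
}

// Fetch only after the guard passes, connecting to the exact address that was
// checked (CURLOPT_RESOLVE) so a rebinding DNS answer cannot swap it, and with
// redirects disabled so a 302 to an internal host is not followed.
function fetch_public_url(string $url): ?string
{
    if (!is_safe_outbound_url($url, $reason, $pinned_ip)) {
        error_log("refused outbound request to $url: $reason");
        return null;
    }
    $parts = parse_url($url);
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $host  = trim($parts['host'], '[]');

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$pinned_ip"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed sample inputs: the guard alone, without any network fetch.
foreach (['http://127.0.0.1:8080/admin', 'file:///etc/passwd', 'http://169.254.169.254/latest/meta-data/', 'https://example.com/'] as $candidate) {
    $ok = is_safe_outbound_url($candidate, $why);
    echo $candidate, ' => ', $ok ? 'allowed' : "refused ($why)", PHP_EOL;
}
```

Two caveats a reviewer should keep in mind: `dns_get_record` performs a live lookup, so the sample loop's last entry needs DNS access to be allowed, and the port allow-list is deliberately strict; a deployment that needs to fetch from non-standard ports should widen it explicitly rather than drop the check. Pinning with CURLOPT_RESOLVE is what closes the gap between checking an address and connecting to it; validating the hostname alone would still let a rebinding answer reach an internal service.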

Impact

An attacker can exploit this vulnerability to conduct SSRF attacks, leading to unauthorized access to internal network services. This might result in the disclosure of sensitive information, interaction with internal APIs, or further exploitation depending on the nature of the accessible services. The impact is considerably high since it directly affects the confidentiality and integrity of the system.

Proof of Concept (PoC)

http(s)://ip:port/apply/index.php?url=malicious_URL

