Arbitrary SSRF vulnerability #15

Open
Fw-fW-fw opened this issue Dec 5, 2022 · 0 comments
Fw-fW-fw commented Dec 5, 2022

This is the English vulnerability report; the Chinese report is "SSRF漏洞" (SSRF vulnerability):

Description

AJ-Report is a fully open-source BI platform with a cool large-screen display that can control business dynamics anytime and anywhere, so that every decision is supported by data.

`@PostMapping("/testConnection")`: in the test connection, there is no restriction, and the attacker can construct a malicious address to detect the intranet.

Login API:

com.anjiplus.template.gaea.business.modules.datasource.controller#testConnection

This interface receives the request and hands it to testConnection() for processing.
Go to com.anjiplus.template.gaea.business.modules.datasource.service.impl#testConnection

You can see that the case statement is used and HTTP communication is selected.

com.anjiplus.template.gaea.business.modules.datasource.service.impl#testHttp()

org.springframework.web.client#exchange()

org.springframework.web.client#execute()
According to the above call, the url and httpMethod will be obtained from the dto, and executed in doExecute().

org.springframework.web.client#doExecute()
You can see that there is no limit to what is passed in, and the request is executed directly.

TEST

Here is a request for any method, dangerous delete, put.
The port test is carried out here, and it can be found that the returned lengths are different. If it does not exist, it will return the "failed: Connection refused" string. The characteristics are obvious.
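
One way to restrict the target before `testHttp()` issues the request, shown as an added example that is not part of the original report or of AJ-Report's code. The class name `OutboundUrlGuard`, the allowed schemes and methods, and the sample URLs are assumptions constructed here.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

public class OutboundUrlGuard {
    // Assumption: a connectivity test only needs plain HTTP(S) reads and posts.
    private static final Set<String> SCHEMES = Set.of("http", "https");
    private static final Set<String> METHODS = Set.of("GET", "POST");

    /** Returns null if the target may be requested, otherwise the reason it is refused. */
    static String reject(String url, String method) {
        if (url == null || method == null) return "missing url or method";
        if (!METHODS.contains(method.toUpperCase(Locale.ROOT))) return "method not allowed";
        URI uri;
        try { uri = URI.create(url.trim()); }
        catch (IllegalArgumentException e) { return "malformed url"; }
        String scheme = uri.getScheme();
        if (scheme == null || !SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return "scheme not allowed";
        if (uri.getHost() == null) return "no host";
        try {
            // A name can resolve to several addresses; every one of them must be external.
            for (InetAddress a : InetAddress.getAllByName(uri.getHost()))
                if (isInternal(a)) return "internal address " + a.getHostAddress();
        } catch (UnknownHostException e) { return "unresolvable host"; }
        return null;
    }

    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) return true;
        // IPv6 unique-local (fc00::/7) is not covered by the predicates above.
        return a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
    }

    public static void main(String[] args) {
        String[][] samples = {   // constructed inputs, IP literals so no DNS lookup is needed
            {"http://127.0.0.1:6379/", "GET"}, {"http://192.168.1.10:8080/", "GET"},
            {"http://169.254.169.254/", "GET"}, {"http://[fd00::1]/", "GET"},
            {"file:///etc/hosts", "GET"}, {"http://203.0.113.10/api", "DELETE"},
            {"https://203.0.113.10/api", "GET"}};
        for (String[] s : samples) {
            String why = reject(s[0], s[1]);
            System.out.println(s[1] + " " + s[0] + " -> " + (why == null ? "allowed" : "refused: " + why));
        }
    }
}
```

The HTTP client resolves the host name again when it connects and may follow redirects, so this check needs to be paired with connecting to the validated address and disabling redirects. Returning one generic failure message to the caller also removes the "Connection refused" versus success difference that makes open and closed ports distinguishable.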
