A SSRF in yzmcms v5.5 management #44

Closed
mntn0x opened this issue Mar 27, 2020 · 1 comment

Comments


mntn0x commented Mar 27, 2020

In the back-end article editor, the option at the bottom, "save remote files locally" (将远程文件保存到本地), is vulnerable. The vulnerable code is in yzmphp/core/function/global.func.php#grab_image().

When an article is added or modified with "load remote files locally" selected, execution enters the grab_image function. It uses a regular expression to match the img tags in the article content, extracts each link and stores it in $val=$value, then uses strpos to check whether the link contains "http"; if it does not, the function returns directly (meaning this is not an external image link).
Next it scans from the right to the first dot and uses that as the separator to obtain the extension, then checks the extension against a whitelist. The extension check here can be bypassed with 1.php?2.jpg. Then comes the vulnerable point:

ob_start();
readfile($value);          // $value is the attacker-controlled URL from the img tag
$data = ob_get_contents();
ob_end_clean();
file_put_contents($filename, $data);   // response body is written to a .jpg file

readfile reads the contents of the file and they are saved to a jpg file. If readfile raises a warning or error while reading, control jumps to the error-handling function.
payload:

<img src="http://127.0.0.1:80/2.jpg" width="100" height="100"/>

This can be used to probe intranet IPs and ports.
At the same time, this is also a file read vulnerability; reading PHP files may just produce an error. Attempting to read config.php raises an error because the YZMPHP_PATH variable is not declared.


Edit the background, the bottom option将远程文件保存到本地, Vulnerable code:

When modifying an article or adding an article, you chose to load a remote file locally,It will enter the functiongrab_image() , which matches the img tag in the article content, extracts the link and saves it in $ val = $ value, and then uses strpos to determine whether there is http in the link. If not, it returns directly (indicating that this is not an external network image link).
Then read the first dot from right to left as the segmentation to get the suffix name, and then check the suffix on the white list. The suffix name here can be bypassed by 1.php? 2.jpg. Then there are vulnerabilities

ob_start();
readfile($value);
$data = ob_get_contents();
ob_end_clean();
file_put_contents($filename, $data);

readfile reads the file content and saves it to a jpg file. If readfile reads a file with warning or error, it will jump to the error handling function.
payload:

<img src="http://127.0.0.1:80/2.jpg" width="100" height="100"/>

You can probe the intranet port and ip here.
At the same time, here is also a file reading vulnerability, but reading php files may report an error. Try reading config.php because the YZMPHP_PATH variable is not declared and an error is reported.
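Added example (not yzmcms code and not part of the report above): the PHP below reconstructs the kind of last-dot extension check the report describes, to show why `1.php?2.jpg` passes it, and then a hardened replacement for the fetch that checks the extension on the URL path only, resolves the host and rejects loopback/private/reserved ranges, pins the resolved IP for the HTTP request, disables redirects, and verifies that the bytes are actually an image before writing them. The whitelist, function names and the exact shape of the original check are assumptions; the real grab_image() code is not shown on this page.

```php
<?php
// Added example, not yzmcms code. Whitelist and function names are assumptions.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Approximation of the reported check: extension = text after the last dot of
// the whole URL string. "http://127.0.0.1:80/1.php?2.jpg" yields "jpg" and passes.
function weak_ext_ok(string $url): bool
{
    $dot = strrchr($url, '.');
    if ($dot === false) {
        return false;
    }
    return in_array(strtolower(substr($dot, 1)), ALLOWED_EXT, true);
}

// Hardened: require an http(s) URL and take the extension from the path only,
// so the query string cannot influence it.
function strict_ext_ok(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Resolve the host (IPv4 via gethostbynamel) and reject loopback, private,
// link-local and other reserved ranges. Returns the vetted IP, or null.
function host_is_public(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ips = [$host];
    } else {
        $ips = gethostbynamel($host);
        if ($ips === false) {
            return null;
        }
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return null;
        }
    }
    return $ips[0];
}

// Replacement for the readfile()/file_put_contents() sequence in the report.
function fetch_remote_image(string $url, string $dest): bool
{
    if (!strict_ext_ok($url)) {
        return false;
    }
    $p      = parse_url($url);
    $scheme = strtolower($p['scheme']);
    $ip     = host_is_public($p['host']);
    if ($ip === null) {
        return false;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        // Pin the IP we vetted so a DNS rebind between check and fetch is useless.
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"],
    ]);
    $data = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($data === false || $code !== 200) {
        return false;
    }
    // The bytes must actually decode as an image, whatever the URL was called.
    if (@getimagesizefromstring($data) === false) {
        return false;
    }
    return file_put_contents($dest, $data) !== false;
}

// Demonstration with the bypass string from the report.
$payload = 'http://127.0.0.1:80/1.php?2.jpg';
var_dump(weak_ext_ok($payload));        // true: last-dot check sees "jpg"
var_dump(strict_ext_ok($payload));      // false: path extension is "php"
var_dump(host_is_public('127.0.0.1'));  // NULL: loopback is rejected
```

The report's own payload, http://127.0.0.1:80/2.jpg, passes strict_ext_ok() (the path really does end in .jpg) and is stopped only by host_is_public(), which is the check that actually closes the SSRF; the extension fix alone would still let the port probe through. gethostbynamel() only returns IPv4 records, so a deployment that fetches over IPv6 needs the same range check on AAAA results.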

yzmcms (Owner) commented Mar 28, 2020

Feedback received; it will be fixed in the next version.

@mntn0x mntn0x closed this as completed Mar 29, 2020