There are SSRF vulnerabilities in background collection management #53

Closed
BLL-l opened this issue Dec 14, 2020 · 1 comment

BLL-l commented Dec 14, 2020

Log in to the background management and create a new node in the collection management.

Add our URL with the attack code.

Then click collect

Because two methods are written in the source code:
if you have curl extensions, use the curl_close function. If not, use the file_get_contents function.

And when processing the URL, only the first four characters of the URL are obtained by using the substr function, and whether it is HTTP is judged. If it is, it is checked

Here, you can use the features of PHP. When PHP encounters an unknown protocol, it will throw a warning and set the protocol to null. When the protocol is null or file, the local operation will be carried out. By default, the local file operation will be performed if the protocol is not transferred or the protocol does not exist.

Therefore, we can use a custom protocol, such as httpxxx, which can start from HTTP, but can't be HTTPS.
We can try to read the /etc/passwd file

Then click collect

The file was read successfully
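
The prefix check described in the report, next to a stricter validation, as an added example that is not part of the original issue and is not yzmcms code. The function names and sample URLs are hypothetical and constructed; `weak_is_http` is reconstructed from the report's description, not copied from the project.

```php
<?php
// Added example, not yzmcms code. Function names are hypothetical.

// The check as the report describes it: only the first four characters
// are compared, so any scheme that merely starts with "http" passes.
function weak_is_http(string $url): bool
{
    return substr($url, 0, 4) === 'http';
}

// Stricter check: parse the URL, allow only an exact http/https scheme,
// and require every resolved address to be outside private/reserved ranges.
function strict_is_fetchable(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]');
    // IP literals are checked directly; host names are resolved first.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if (count($ips) === 0) {
        return false;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (IP literals, so nothing is resolved or fetched).
$samples = [
    'http://93.184.216.34/feed',   // public IP literal
    'httpxxx://placeholder/item',  // made-up scheme that starts with "http"
    'http://127.0.0.1/',           // loopback
    'http://169.254.169.254/',     // link-local
    'http://10.0.0.5/',            // private range
];
foreach ($samples as $u) {
    printf("%-30s weak=%s strict=%s\n", $u,
        var_export(weak_is_http($u), true), var_export(strict_is_fetchable($u), true));
}
```

Validation alone leaves a gap between the check and the fetch: the request itself should be limited to the same schemes (for curl, `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS`) and redirects either disabled or re-validated. Passing a user-supplied string to `file_get_contents` should be avoided, because it also opens local paths.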

yzmcms (Owner) commented Jan 24, 2021

Thank you. It's fixed

yzmcms closed this as completed Jan 24, 2021