代码拉取完成,页面将自动刷新
OS:windows
ERMEB version:3.1.0+
download time: 2020/1/18
The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php line 108 get_request_contents() function.
in this function,it will call checkurl() function in line 113.The checkurl() function in line 275 restricts the use of http (s) to access the address, so other protocols are not used, but in line 280, it only needs the link to contain the words 1688 and offer,so it's easy to bypass.
line 280 code is like this,and it will return the link.
if (strpos($link, '1688') !== false && strpos($link, 'offer') !== false) return trim($arrLine[0]);
Then the curl_Get() function will be called to access the link address in line 116.
The curl_Get() function is in line 705 and the code is like this.
it will filter domain name in line 134,but it should filter in call curl_Get() function before.And it not,so cause the SSRF.
use the python environment to create two web server like this.
python2 -m SimpleHTTPServer 9999
python3 -m http.server
Login to the background, and then operate as follows.
Arbitrary input characters, while capturing packets using burstsuite.
Modify the value of the parameter link.
the payload for parameter link.
link=http%3A%2F%2F127.0.0.1:8000%2Fdsadaa%2Fsda%3F1688%3Doffer
and the python web server will receive the request.
you can use this vulnerability scan the server open port with http(s) protocol.Information returned when scanning a closed port,such as 8122 port.
Information returned when scanning an open port.
also it can receive some request in port 9999
You can use this vulnerability to attack or scan the open port of the intranet server and collect information of other intranet servers.
Domain filtering should be performed first, followed by URL requests.