众邦科技 / CRMEB打通版 (Gitee issue)

Strict domain name filtering leads to SSRF(Server-Side Request Forgery)

Task, status: Doing
Opened this issue 2020-01-20 15:13

Test environment

OS: Windows
CRMEB version: 3.1.0+
Download time: 2020/1/18

Code analysis

The vulnerable code is in the file /crmeb/app/admin/controller/store/CopyTaobao.php at line 108, in the get_request_contents() function.

[screenshot: test-1]

In this function, checkurl() is called at line 113. The checkurl() function at line 275 restricts access to http(s), so other protocols cannot be used, but at line 280 it only requires the link to contain the words 1688 and offer, so it is easy to bypass.

[screenshot: test-2]

Line 280 reads as follows, and it returns the link.

if (strpos($link, '1688') !== false && strpos($link, 'offer') !== false) return trim($arrLine[0]);

Then the curl_Get() function is called at line 116 to access the link address.

[screenshot: test-3]

The curl_Get() function is at line 705, and the code is as follows.

[screenshot: test-4]

It filters the domain name at line 134, but the filter should run before curl_Get() is called. Because it does not, the request is already sent, which causes the SSRF.

[screenshot: test-5]

Vulnerability test

Create two web servers

Use the Python environment to create two web servers like this.

python2 -m SimpleHTTPServer 9999
python3 -m http.server

Exploit

Log in to the admin backend, then operate as follows.

[screenshot: test-6]

Enter arbitrary characters while capturing the request with Burp Suite.

[screenshot: test-7]

Modify the value of the parameter link.

[screenshot: test-8]

Payload

The payload for the parameter link.

link=http%3A%2F%2F127.0.0.1:8000%2Fdsadaa%2Fsda%3F1688%3Doffer

The Python web server then receives the request.

[screenshot: test-9]

This vulnerability can be used to scan the server's open ports over the http(s) protocol. Information returned when scanning a closed port, such as port 8122:

[screenshot: test-10]

Information returned when scanning an open port:

[screenshot: test-11]

The server listening on port 9999 also receives requests.

[screenshot: test-12]

This vulnerability can be used to attack or scan the open ports of intranet servers and collect information about other intranet hosts.

Solution

Domain filtering should be performed first, and only then should the URL be requested.
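As an added illustration of that fix (not CRMEB's own code), the weak substring test from line 280 is shown beside a hardened checkurl() that validates the parsed URL before anything is fetched; the allowlist host detail.1688.com is an assumption:

```php
<?php
// Added example, not CRMEB's own code. The allowlist entry passed in below is an
// assumption; adjust it to the hosts the copy feature really needs.

// Weak form, equivalent to the line-280 check: any link containing the
// substrings "1688" and "offer" passes, including http://127.0.0.1:8000/?1688=offer
function checkurl_weak(string $link): bool
{
    return strpos($link, '1688') !== false && strpos($link, 'offer') !== false;
}

// Hardened form: parse the URL, allow only http(s) on the default ports,
// require an exact host match, and reject hosts resolving to loopback,
// link-local or private addresses. Returns the rebuilt URL, or null.
function checkurl_strict(string $link, array $allowedHosts): ?string
{
    $p = parse_url(trim($link));
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                         // no file://, gopher://, dict://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                         // http://1688.com@127.0.0.1/ tricks
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return null;                         // blocks the port probing shown above
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return null;                         // exact match, not a substring test
    }
    $ips = gethostbynamel($host);            // IPv4 only; extend for AAAA records
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;                     // 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16
        }
    }
    $port  = isset($p['port']) ? ':' . $p['port'] : '';
    $path  = $p['path'] ?? '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . $port . $path . $query;
}
// Usage: $url = checkurl_strict($link, ['detail.1688.com']); if ($url === null) { reject }
```

curl resolves the host again on its own, so to close the DNS-rebinding window pin the validated IP with CURLOPT_RESOLVE before calling curl_Get().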

c0d1M4x created the task
等风来,随风去 changed the issue state from To do to Doing