Strict domain name filtering leads to SSRF(Server-Side Request Forgery)

## Test environment

OS：windows
ERMEB version：3.1.0+
download time: 2020/1/18

## Code analysis

The vulnerable code is in file ```/crmeb/app/admin/controller/store/CopyTaobao.php``` line 108 ```get_request_contents()``` function.

![test-1](https://images.gitee.com/uploads/images/2020/0120/143900_b7b1e9d9_1763950.png "屏幕截图.png")

in this function,it will call ```checkurl()``` function in line 113.The ```checkurl()``` function in line 275 restricts the use of http (s) to access the address, so other protocols are not used, but in line 280, it only needs the link to contain the words ```1688``` and ```offer```,so it's easy to bypass.

![test-2](https://images.gitee.com/uploads/images/2020/0120/144237_7a9045fa_1763950.png "屏幕截图.png")

line 280 code is like this,and it will return the link.

```php
if (strpos($link, '1688') !== false && strpos($link, 'offer') !== false) return trim($arrLine[0]);
```

Then the ```curl_Get()``` function will be called to access the link address in line 116.

![test-3](https://images.gitee.com/uploads/images/2020/0120/144654_050c5bad_1763950.png "屏幕截图.png")

The ```curl_Get()``` function is in line 705 and the code is like this.

![test-4](https://images.gitee.com/uploads/images/2020/0120/144741_31d27786_1763950.png "屏幕截图.png")

it will filter domain name in line 134,but it should filter in call ```curl_Get()``` function before.And it not,so cause the SSRF.

![test-5](https://images.gitee.com/uploads/images/2020/0120/145012_8a60d53b_1763950.png "屏幕截图.png")

## Vulnerability test

### Create two web server

use the python environment to create two web server like this.

```
python2 -m SimpleHTTPServer 9999
python3 -m http.server
```

### Exploit

Login to the background, and then operate as follows.

![test-6](https://images.gitee.com/uploads/images/2020/0120/145622_faab6489_1763950.png "屏幕截图.png")

Arbitrary input characters, while capturing packets using burstsuite.

![test-7](https://images.gitee.com/uploads/images/2020/0120/145933_cc190011_1763950.png "屏幕截图.png")

Modify the value of the parameter ```link```.

![test-8](https://images.gitee.com/uploads/images/2020/0120/150048_6423c4d6_1763950.png "屏幕截图.png")

### payload

the payload for parameter ```link```.

```
link=http%3A%2F%2F127.0.0.1:8000%2Fdsadaa%2Fsda%3F1688%3Doffer
```

and the python web server will receive the request.

![test-9](https://images.gitee.com/uploads/images/2020/0120/150422_d489d3ee_1763950.png "屏幕截图.png")

you can use this vulnerability scan the server open port with http(s) protocol.Information returned when scanning a closed port,such as ```8122``` port.

![test-10](https://images.gitee.com/uploads/images/2020/0120/150705_0ce05ba4_1763950.png "屏幕截图.png")

Information returned when scanning an open port.

![test-11](https://images.gitee.com/uploads/images/2020/0120/150826_14c1ae25_1763950.png "屏幕截图.png")

also it can receive some request in port 9999

![test-12](https://images.gitee.com/uploads/images/2020/0120/151228_f934c33e_1763950.png "屏幕截图.png")

You can use this vulnerability to attack or scan the open port of the intranet server and collect information of other intranet servers.

## Solution

Domain filtering should be performed first, followed by URL requests.

GVP 众邦科技/CRMEB开源商城系统

Content Risk Flag

Comments (0)

GVP众邦科技/CRMEB开源商城系统

Content Risk Flag