download time: 2020/1/18
The vulnerable code is in the file /crmeb/app/admin/controller/store/CopyTaobao.php at line 108.
This function calls checkurl() at line 113. The checkurl() function at line 275 restricts the address to http(s), so other protocols cannot be used, but the check at line 280 only requires the link to contain the strings '1688' and 'offer', so it is easy to bypass.
The code at line 280 looks like this, and it returns the link:
if (strpos($link, '1688') !== false && strpos($link, 'offer') !== false) return trim($arrLine);
The curl_Get() function is then called at line 116 to request the link address.
curl_Get() is defined at line 705 and its code looks like this.
It filters the domain name at line 134, but that filtering should happen before curl_Get() is called. Because it does not, the result is an SSRF.
Use Python to start two web servers as follows:
python2 -m SimpleHTTPServer 9999
python3 -m http.server
Log in to the admin backend, then proceed as follows.
Enter arbitrary characters while capturing the request with Burp Suite.
Modify the value of the parameter.
The payload for the parameter:
The Python web server will then receive the request.
This vulnerability can be used to scan the server's open ports over the http(s) protocol. When a closed port is scanned, the information returned looks like this:
When an open port is scanned, the information returned looks like this:
The server listening on port 9999 also receives some requests.
This vulnerability can be used to attack or scan the open ports of intranet servers and to collect information about other hosts on the intranet.
Domain filtering should be performed first, and only then should the URL be requested.
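As an added example (not crmeb's own code) of the fix suggested above, here is a replacement for checkurl() that validates the link by parsing it and matching the host against an allowlist before anything is requested, instead of testing for substrings. The function name checkurl_hardened() and the allowlisted hosts are assumptions for illustration.

```php
<?php
// Added example, not crmeb code: validate a user-supplied product URL
// *before* any request is made. The allowlist below is an assumption.
const ALLOWED_HOSTS = ['detail.1688.com', 'www.1688.com'];

function checkurl_hardened(string $link): ?string
{
    $link  = trim($link);
    $parts = parse_url($link);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                // not an absolute URL
    }
    // Check the scheme by parsing, not by substring: "http" appearing in a
    // path or query string must not satisfy it.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Reject user-info and explicit ports: "https://1688.com@other.test/"
    // and "https://host.test:9999/offer" both parse but are not product pages.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Exact host match. strpos($link, '1688') would accept "other.test/1688/offer"
    // as well as "1688.other.test".
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Resolve the host and refuse private, loopback and reserved answers so a
    // DNS record pointing at the intranet is not fetched either.
    foreach (gethostbynamel($host) ?: [] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $link;   // only now is the link handed to curl_Get()
}

// Constructed inputs: the first is accepted, the others are rejected before any request.
var_dump(checkurl_hardened('https://detail.1688.com/offer/123.html'));
var_dump(checkurl_hardened('http://127.0.0.1:9999/1688/offer'));
var_dump(checkurl_hardened('http://1688.other.test/offer'));
```

The request itself should then be made with CURLOPT_FOLLOWLOCATION disabled (or the redirect target re-validated with the same function), since a redirect from an allowlisted host would otherwise bypass the check.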