There are two SSRF vulnerabilities in OneBlog v2.3.4, one in adding friendly links and the other in the article porter function, which can be exploited by attackers to initiate probes on intranet services.
Log in to the system with the account and password root/123456, then click Lab -> Article Porter Module.
We can use Python to set up an HTTP service as the target server, then judge whether the service is enabled from the response returned when the server accesses the target URL.
This vulnerability allows intranet port detection: when different ports are accessed, the response for an open port differs from that for a closed one.
If the port is open, the request takes more than a thousand milliseconds.
If the port is closed, the request takes more than two thousand milliseconds. You can see that if the service is not enabled, the request takes almost twice as long.
The request record for the HTTP server is as follows:
After logging in, click Website Management -> Link module, add a link, and enter the test URL in the Logo parameter. Click Save; when saving, a request is made to the target URL.
Then refreshing the link will also request the target URL.
Then check the access record of the HTTP service.