yadong.zhang / OneBlog

OneBlog v2.3.4 background SSRF vulnerability

Backlog
Opened this issue 2022-06-15 00:35

Vulnerability Abstract

There are two SSRF vulnerabilities in OneBlog v2.3.4, one in adding friendly links and the other in the article porter function, which can be exploited by attackers to initiate probes on intranet services.

Scope of influence

OneBlog v2.3.4

Vulnerability Reproduction

The first SSRF vulnerability:

Log in to the system with the account/password root/123456, then click Lab -> Article Porter module.

Vulnerable parameter: entryUrls

We can use Python to set up an HTTP service as the target server, and judge whether the service is enabled according to the response result of the server accessing the target URL.

This vulnerability can be used for intranet port detection: when different ports are accessed, the response differs depending on whether the port is open.

If the port is open, the request takes more than a thousand milliseconds.

If the port is closed, the request takes more than two thousand milliseconds. You can see that if the service is not enabled, the request takes almost twice as long.

The request record for the HTTP server is as follows:

The second SSRF vulnerability

After logging in, click Website Management -> Link module, add a link, and enter the test URL in the Logo parameter. Click Save. When saving, a request is made to the target URL.

Refreshing the link afterwards also requests the target URL.

Then check the access record of the HTTP service.
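
One way a server-side fetch such as the article porter (`entryUrls`) or the link Logo request could vet its destination before connecting, as an added example that is not from this issue or from OneBlog's code. The class and method names are hypothetical, and the sample URLs are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;

// Added example (not OneBlog code): destination check for server-side fetches.
public class OutboundUrlGuard {

    // True when the address must never be fetched on behalf of a user.
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (b.length == 4) {
            int b0 = b[0] & 0xff, b1 = b[1] & 0xff;
            return b0 == 0 || (b0 == 100 && b1 >= 64 && b1 <= 127); // 0.0.0.0/8, 100.64.0.0/10
        }
        return (b[0] & 0xfe) == 0xfc; // IPv6 unique local, fc00::/7
    }

    // Returns the vetted addresses. The HTTP client must connect to these and
    // not resolve the host name again, or a DNS change after the check bypasses it.
    static InetAddress[] check(String url) throws Exception {
        URI u = URI.create(url);
        String scheme = u.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new SecurityException("scheme not allowed");
        }
        String host = u.getHost();
        if (host == null) throw new SecurityException("no host");
        InetAddress[] addrs = InetAddress.getAllByName(host);
        for (InetAddress a : addrs) {
            if (isInternal(a)) throw new SecurityException("internal destination " + a.getHostAddress());
        }
        return addrs;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (IP literals, so no DNS lookup is needed).
        for (String s : List.of("http://127.0.0.1:8000/", "http://192.168.1.10:6379/",
                "http://[::1]/", "file:///tmp/x", "http://93.184.216.34/logo.png")) {
            try { check(s); System.out.println("ALLOW " + s); }
            catch (Exception e) { System.out.println("BLOCK " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

Redirects need the same check on every hop, so automatic redirect following should be disabled in the client that performs the fetch.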

qumh created the task