Arbitrary SSRF vulnerability
This is the English version of the report; the Chinese version is at: SSRF漏洞
Description
AJ-Report is a fully open-source BI platform with a large-screen dashboard that lets business metrics be monitored anytime and anywhere, so that every decision is backed by data.
The @PostMapping("/testConnection") handler places no restriction on the target of the test connection, so an attacker can supply a malicious address and use the server to probe the internal network (SSRF).
Vulnerable endpoint:
com.anjiplus.template.gaea.business.modules.datasource.controller#testConnection
The controller receives the request and hands it to testConnection() for processing.
Follow it into com.anjiplus.template.gaea.business.modules.datasource.service.impl#testConnection
A switch statement chooses the transport, and for HTTP the request goes to:
com.anjiplus.template.gaea.business.modules.datasource.service.impl#testHttp()
which calls Spring's RestTemplate:
org.springframework.web.client#exchange()
org.springframework.web.client#execute()
Along this call chain the url and httpMethod are taken straight from the dto and executed in doExecute():
org.springframework.web.client#doExecute()
Nothing in the chain validates what was passed in: scheme, host, port and HTTP method all come from the request body unchanged, and the request is executed directly.
TEST
The request accepts any HTTP method, including dangerous ones such as DELETE and PUT, so the server can be made to send state-changing requests to internal hosts, not only GET.
Probing different ports shows that the response lengths differ. When nothing is listening on the port, the response contains the string "failed: Connection refused", so open and closed ports are easy to tell apart and the endpoint doubles as an internal port scanner.
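The following is an added example of the guard that a testConnection-style handler should apply before handing a user-supplied url and httpMethod to RestTemplate. It is not AJ-Report code; the class name SsrfGuard, the method names and the sample inputs are all assumptions made for illustration. It addresses both findings above: the unrestricted target (scheme and resolved address are checked, every A/AAAA record must be public) and the unrestricted method (only GET and HEAD are accepted for a connection test).

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Added example, not part of AJ-Report: validation to run before
// RestTemplate.exchange(url, httpMethod, ...) in a testConnection handler.
public final class SsrfGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // A connection test only needs to know whether the endpoint answers,
    // so state-changing methods (PUT, DELETE, POST, ...) are never needed.
    private static final Set<String> ALLOWED_METHODS = Set.of("GET", "HEAD");

    private SsrfGuard() {}

    /** Reject any HTTP method other than GET/HEAD. */
    public static boolean isAllowedMethod(String httpMethod) {
        return httpMethod != null && ALLOWED_METHODS.contains(httpMethod.toUpperCase());
    }

    /**
     * True only if the URL uses http/https and every address its host resolves
     * to is publicly routable. All records are checked because an
     * attacker-controlled name can mix a public record with a private one.
     */
    public static boolean isPublicTarget(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null || !ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase())) {
            return false;            // blocks file:, gopher:, jar:, ...
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;            // e.g. "http:///" or userinfo tricks that leave no host
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);   // accepts "[::1]" style literals too
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (!isPublicAddress(a)) {
                return false;
            }
        }
        return true;
    }

    static boolean isPublicAddress(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            // 0.0.0.0, 127/8, ::1, 169.254/16 (cloud metadata), RFC1918, fe80::/10, multicast
            return false;
        }
        byte[] b = a.getAddress();
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) {
            return false;  // IPv6 ULA fc00::/7; Java's isSiteLocalAddress only covers fec0::/10
        }
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) {
            return false;  // 100.64/10 carrier-grade NAT, common inside cloud VPCs
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; IP literals resolve without a DNS lookup.
        String[] samples = {
            "http://127.0.0.1:8080/",                   // loopback -> false
            "http://[::1]:9200/",                       // IPv6 loopback -> false
            "http://10.0.0.5:3306/",                    // RFC1918 -> false
            "http://169.254.169.254/latest/meta-data/", // link-local metadata -> false
            "http://[fd12::1]/",                        // ULA -> false
            "file:///etc/passwd",                       // disallowed scheme -> false
            "https://203.0.113.10/health",              // TEST-NET-3 literal, treated as public -> true
        };
        for (String s : samples) {
            System.out.println(s + " -> " + isPublicTarget(s));
        }
        System.out.println("DELETE allowed? " + isAllowedMethod("DELETE")); // false
    }
}
```

Two caveats a practitioner would want. First, this check resolves the host once and RestTemplate resolves it again when it connects, so a name whose DNS answer changes between the two lookups (DNS rebinding) can still slip through; a complete fix connects to the address that passed the check, or gives the HTTP client a resolver that performs the same filtering, and also disables redirect following so a public host cannot bounce the request inward. Second, the handler should reply with a fixed success/failure message rather than echoing the exception text, because the "failed: Connection refused" string and the differing response lengths are exactly the oracle the TEST section uses to distinguish open from closed ports.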