CVE-2023-48204: There is an SSRF vulnerability in publiccms V4.0.202302.e, which allows attackers to access the website of intranet or detect whether the port is open · Issue #77 · sanluan/PublicCMS

An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component.

Tags: #vulnerability #web #java #ssrf #auth

1. After logging into the backend system, add an application authorization to obtain an appKey and appSecret.

2. Obtain an appToken through the /api/appToken interface using the appKey and appSecret.

3. The SSRF vulnerability is in the "parameters" parameter of the /api/method/getHtml interface. It can be used to access intranet websites; for example, accessing 127.0.0.1:8080/admin returns the page content.

4. It can also be used to detect open ports on intranet systems. When the port is open, the response time is only a few milliseconds; when the port is not open, the response time is about 2000 milliseconds. This obvious response time difference reveals whether the port is open.

5. The vulnerability entry point is MethodController.java. It receives the "appToken" and "parameters" parameters, assigns the "parameters" values to a list, and then calls method.execute(request, list), where "method" is the method specified by {name}.

6. When {name} is "getHtml", execution enters the execute(@SuppressWarnings("unused") HttpServletRequest request, List<TemplateModel> arguments) method of BaseMethod.java.

7. It then enters the execute(List<TemplateModel> arguments) method of GetHtmlMethod.java, which takes the values from the incoming parameters and assigns them to "url" and "body", then checks whether "body" is empty. If it is not empty, a POST request is sent to the "url"; if it is empty, a GET request is sent to the "url".

8. After the request is sent, the returned content is passed straight back to the client. At no point is the "parameters" value checked for illegal destinations, and there is no SSRF-related interceptor, so the server can be made to request any URL and hand back the result, exposing sensitive resources on the intranet or the port status of intranet systems.
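The root cause in step 8 is that the user-supplied "url" reaches the HTTP client with no destination check. The following is an added example, not PublicCMS project code, of the gate a server-side fetch like GetHtmlMethod's should apply before issuing the request: restrict the scheme, reject embedded credentials, resolve the host and refuse anything that lands on loopback, private, link-local or otherwise internal address space. The function names (`check_outbound_url`, `resolve_host`, `is_disallowed_address`) and the `resolver` injection point are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not PublicCMS code: a destination gate for server-side fetches.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every address the host resolves to; IP literals pass through unchanged.
    Hypothetical helper; in production the fetch must connect to the address checked here."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_disallowed_address(addr_str):
    """True for any address a client must not be able to make the server contact."""
    addr = ipaddress.ip_address(addr_str)
    # IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) is judged as the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=resolve_host):
    """Return (ok, reason) for a URL the server is asked to fetch on a client's behalf."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    # Every resolved address must be acceptable, not just the first one.
    for addr in addrs:
        if is_disallowed_address(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the resolver is stubbed so this runs offline.
    fake_dns = lambda host: {"example.com": ["93.184.216.34"]}.get(host, [])
    for candidate in ("http://127.0.0.1:8080/admin", "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd", "http://example.com/"):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_dns))
```

Two caveats apply when wiring this into a real fetch: the check is only sound if the HTTP client connects to the address that was validated (otherwise a DNS rebinding between check and connect bypasses it), and any redirect the client follows must be run through the same gate, since a public host can 302 to 127.0.0.1. An allowlist of permitted hosts is stricter still and is the better choice when the set of legitimate targets is known.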
