Preface
This article records an SSRF vulnerability we came across while reviewing a penetration-test report for the 4hou website. Combined with the Tencent Cloud metadata API, this vulnerability can disclose a large amount of sensitive information about the 4hou server, and that information can be used for further intrusion.
This article is published on the 4hou website, and the penetration test was officially authorized by 4hou, so you can read it with peace of mind. Thanks to the bug submitter. The vulnerabilities mentioned in this article were fixed in 2019, so please do not try to reproduce them. In addition, a warm reminder: unauthorized penetration testing is illegal.
Vulnerability introduction
Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to make the server initiate requests on their behalf. SSRF is generally used to reach resources that cannot be accessed from the Internet but only from the Intranet. The root cause can be summarized as follows: the server offers the ability to fetch data from other servers, but places no restrictions on which target servers may be fetched.

The concept sounds a bit abstract, so an example makes it clearer. A server deployed in Tencent Cloud can reach an API provided by Tencent that returns the server's own Intranet address. Our own computer is not inside Tencent Cloud's Intranet, so naturally we cannot reach that address ourselves. The old version of the 4hou server had an SSRF vulnerability: by constructing a special HTTP request, we could make the old 4hou server fetch the Tencent Cloud API, obtain the Intranet address, and return it to us. In this way the Intranet address is disclosed, and of course much more could be disclosed through this vulnerability. But as a group of patriotic youth, we can't do anything illegal, so that is the end of the example.
The older 4hou site used an open-source editor project, Laravel-u-Editor (a Laravel packaging of UEditor). UEditor is a rich-text web editor developed by Baidu's web front-end R&D department.
Reading the UEditor source, the `$sources` parameter handled in `lumenController.php` (the list of remote image URLs for the catch-image action, passed on to the `uploadcatch.php` logic) is entirely user-controlled. The file-type check only looks at the suffix of the raw URL string, not at the actual path or the fetched content. (The code excerpt shown in the original post did not survive extraction and is omitted here.)
Therefore, appending `?.jpg` to the target URL passes the check, and the server fetches and stores the response regardless of its real format.
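To make the weak check concrete, here is an added Python example (not UEditor's code, which is PHP) that mirrors the logic described above: the vulnerable variant takes everything after the last `.` of the raw URL string, while the hardened variant drops the query and fragment and looks only at the final path segment. The sample URLs are constructed and the host names are placeholders.

```python
from urllib.parse import urlsplit

# Extensions the catch-remote-image feature is meant to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def weak_extension_check(url: str) -> bool:
    """Mirror of the UEditor-style check: everything after the last '.' in the
    raw URL string is treated as the extension. The query string is part of
    that string, so a URL ending in '?.jpg' passes for any real target."""
    dot = url.rfind(".")
    if dot == -1:
        return False
    return url[dot:].lower() in ALLOWED_EXTENSIONS


def strict_extension_check(url: str) -> bool:
    """Hardened variant: parse the URL, discard query and fragment, and take
    the extension from the final path segment only."""
    path = urlsplit(url).path
    last_segment = path.rsplit("/", 1)[-1]
    dot = last_segment.rfind(".")
    if dot == -1:
        return False
    return last_segment[dot:].lower() in ALLOWED_EXTENSIONS


# Constructed sample URLs; the hosts are placeholders, not real endpoints.
SAMPLES = {
    "legit_image": "http://images.example.com/photos/cat.png",
    "legit_image_with_query": "http://images.example.com/photos/cat.png?v=2",
    "metadata_with_suffix": "http://metadata.internal.example/instance/local-ipv4?.jpg",
}


def compare(url: str) -> dict:
    """Return both verdicts for one URL so the difference is visible side by side."""
    return {"weak": weak_extension_check(url), "strict": strict_extension_check(url)}


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:24s} {compare(url)}")
```

Two things stand out when the block runs: the weak check accepts the metadata-style URL because of the trailing `?.jpg`, and it wrongly rejects a legitimate image URL that happens to carry a query string. The stricter check fixes both, but on its own it does not close the SSRF: the server still fetches whatever host the user names, so the URL whitelist discussed later (and a check of the fetched bytes before storing them as an image) is the part that actually matters.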
The exploit
As in the example from the previous section, let's try it out by obtaining the Intranet address of the 4hou server. The specific steps are as follows:
A. First, look up the API documentation provided by Tencent Cloud. The link is:
Cloud.tencent.com/document/pr…
The screenshot is as follows:
In the figure, the red box marks the Tencent Cloud API endpoint that returns the server's Intranet address.
B. Then, construct a request that exploits the SSRF vulnerability to make the 4hou server fetch that API endpoint as if it were a "picture". The link is as follows:
www.4hou.com/laravel-u-e…
After the construction is complete, send the request, as shown in the screenshot below:
After the request is sent, the server fetches the API, writes the returned Intranet IPv4 address into a JPG file, and returns the path of that JPG file to the browser.
C. Finally, access the JPG file link returned to us, as shown in the screenshot below:
In the picture above, we have successfully obtained an Intranet address of the old version of the site. Note that the address has since changed, so don't keep trying to mess things up.
At this point, we have successfully exploited the SSRF vulnerability to obtain the information we were interested in. Of course, there are many other ways to exploit this SSRF vulnerability, but owing to local laws and regulations, they can only be shown in "404 mode".
By the time we compiled this article, UEditor did not appear to have fixed the bug upstream, so we can only offer temporary mitigations here. A simple and effective temporary fix is to whitelist the URLs the server is allowed to fetch and to enforce stricter file-type filtering. I'm sure everyone here understands the implications of this temporary solution, so I won't go into details.
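As an added example of the URL-whitelisting mitigation (not code from the post or from UEditor, and written in Python rather than the project's PHP), the following validator accepts only `http`/`https` URLs whose host is on a configured allow-list, resolves that host, and rejects any answer that falls in loopback, private, link-local or other non-public ranges. The allow-listed host names, the addresses and the resolver table are constructed for the demonstration; `resolver` is a parameter so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allow-list: the only hosts the editor may fetch images from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Address ranges a public image fetcher has no business reaching.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def resolve_all(host: str) -> set:
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr: str) -> bool:
    """True if addr lies inside a blocked range. IPv4-mapped IPv6 addresses
    are unwrapped first so '::ffff:10.0.0.1' is judged as 10.0.0.1."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url: str, resolver=resolve_all):
    """Validate a user-supplied URL before the server fetches it.

    Returns (True, [addresses]) when the fetch is allowed; the caller should
    connect to one of those addresses instead of resolving again, so a DNS
    answer that changes between check and use (rebinding) gains nothing.
    Returns (False, reason) otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host}"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"could not resolve {host}: {exc}"
    if not addresses:
        return False, f"no addresses for {host}"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, sorted(addresses)


# Constructed resolver table for an offline demonstration. cdn.example.com
# stands for an allow-listed name that has been pointed at an internal address.
FAKE_DNS = {
    "images.example.com": {"203.0.113.10"},
    "cdn.example.com": {"203.0.113.20", "10.0.0.5"},
}


def fake_resolver(host: str) -> set:
    if host not in FAKE_DNS:
        raise OSError("name not known")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/photos/cat.png",
        "https://cdn.example.com/photos/cat.png",
        "http://10.0.0.5/instance/local-ipv4?.jpg",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_fetch_target(candidate, fake_resolver))
```

Two caveats for anyone wiring this into a fetcher: disable automatic redirects, or run the same check on every redirect target, since a whitelisted host that 302s to an internal address reopens the hole; and verify the downloaded bytes (content type and magic number) before saving them under an image extension, so that an API response can never be written out as a `.jpg` the way it was in this report.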
Conclusion
That's the end of this round; I believe those who have read this far have gained something. In following articles we will share other cases and other vulnerabilities, hoping readers find them useful.