tpAdmin-SSRF

Nokali

2023-04-09 14:23:01

SSRF Vulnerability in tpAdmin

Project: https://github.com/yuan1994/tpAdmin

tpAdmin is an admin backend built on the official ThinkPHP 5.0 release and Hui.admin v2.5.

At the time of writing, the project has 437 stars and 186 forks on GitHub.

tpAdmin contains an SSRF vulnerability that lets an attacker probe and attack hosts on the internal network, read arbitrary local files, and so on.


Note: to deploy the system, download the project and use Composer to install the required dependencies. It is recommended to edit composer.json first; only the following part needs changing:

    "require": {
        "php": ">=5.4.0",
        "topthink/framework": "5.0.7",
        "topthink/think-captcha": "1.0.7",
        "qiniu/php-sdk": "7.1.3",
        "phpoffice/phpexcel": "1.8.2",
        "yuan1994/tp-mailer": "0.2.4"
    }

Then run composer update or composer install. If the page still cannot be accessed, refer to ThinkPHP's official deployment manual:
https://www.kancloud.cn/manual/thinkphp5/129745
https://www.kancloud.cn/manual/thinkphp5/177576


Visit and log in to the admin backend, for example: http://192.168.159.134/admin/pub/login.html

Username: admin

Password: 123456

Vulnerable file: application\admin\controller\Upload.php

[Image: SSRFcode]

The remote image fetch function issues a request to the user-supplied URL without any filtering.

[Image: SSRF]

[Image: Vul]

[Image: BP]

For example, the server can be made to read a local file through the file:// protocol; it then returns a URL for the fetched content, which can be visited and downloaded to read the database configuration file.

[Image: result]
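A hardened version of such a remote-image fetch, added here as an illustration and not code from the tpAdmin project: it accepts only http(s) on ports 80/443, resolves the host and rejects loopback, private and link-local addresses, then pins the checked IP and disables redirects in cURL. Function names are hypothetical; it assumes PHP 7.1 or later with the cURL extension.

```php
<?php
// Added example, not tpAdmin's own code: allow-list checks for a "fetch remote
// image" feature, applied before any request goes out. Function names are
// hypothetical; wiring into Upload.php is left to the reader.
function is_public_ip(string $ip): bool
{
    // Rejects loopback, RFC 1918, link-local (169.254.0.0/16, cloud metadata) and reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns [true, pinnedIp] or [false, reason]; $resolver can be stubbed in tests.
function validate_remote_image_url(string $url, callable $resolver = 'gethostbynamel'): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return [false, 'malformed URL'];
    $scheme = strtolower($p['scheme']);
    // Only http(s): blocks the file:// read shown above, plus gopher://, dict://, php:// ...
    if (!in_array($scheme, ['http', 'https'], true)) return [false, 'scheme not allowed'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return [false, 'port not allowed'];   // no port scanning
    // Resolve first, then check: "0177.0.0.1"-style spellings come back as a plain 127.0.0.1.
    $ips = filter_var($p['host'], FILTER_VALIDATE_IP) ? [$p['host']] : ($resolver($p['host']) ?: []);
    if ($ips === []) return [false, 'host does not resolve'];
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return [false, "resolves to non-public address $ip"];
    }
    return [true, $ips[0]];
}

function fetch_remote_image(string $url): ?string
{
    [$ok, $ip] = validate_remote_image_url($url);
    if (!$ok) return null;
    $p    = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,   // belt and braces on the scheme
        CURLOPT_FOLLOWLOCATION => false,                           // a redirect could point back inside
        CURLOPT_RESOLVE        => ["{$p['host']}:$port:$ip"],      // pin the checked IP (DNS rebinding)
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    return ($body !== false && strncmp($type, 'image/', 6) === 0) ? $body : null;   // images only
}
```

IPv6 literals in brackets are rejected by the resolver step as written; extend is_public_ip and the literal check if the deployment needs them.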
