SSRF Vulnerability in tpAdmin
Project: https://github.com/yuan1994/tpAdmin
tpadmin is a management background based on the official version of ThinkPHP5.0 and Hui.admin v2.5.
So far, the project has 437 stars and 186 forks on github.
There is an SSRF vulnerability in tpadmin, allowing attackers to scan and attack potential intranet servers, read arbitrary local files, etc.
Note:
If you want to deploy the system:
After downloading the project, use composer to download the required dependencies (it is recommended to modify composer.json first)
Just modify the following part:
"require": {
"php": ">=5.4.0",
"topthink/framework": "5.0.7",
"topthink/think-captcha": "1.0.7",
"qiniu/php-sdk": "7.1.3",
"phpoffice/phpexcel": "1.8.2",
"yuan1994/tp-mailer": "0.2.4"
Then execute composer update or composer install
If you still cannot access the page, refer to thinkphp’s official deployment manual:
https://www.kancloud.cn/manual/thinkphp5/129745
https://www.kancloud.cn/manual/thinkphp5/177576
Visit and log in to the background, for example: http://192.168.159.134/admin/pub/login.html
Username:admin
Password:123456
Vulnerable file: application\admin\controller\Upload.php

Through the remote image acquisition function, a request can be made without any filtering.



For example, the server reads the local file through the file protocol and returns a url, which can be accessed and downloaded to read the database configuration file.
