Ciao sono un ricercatore di sicurezza in un'azienda basata sul prodotto e di recente ho scoperto uno ssrf come segue:
$imgurl = $_REQUEST['file_storefrontbanner']['C'];
$filename= basename($imgurl);
$header_data = @get_headers($imgurl,1);
$size = $header_data['Content-Length'];
$extension = pathinfo($filename, PATHINFO_EXTENSION);
$banner = $company_id."_".time() ."_". $filename;
$images_path = DIR_ROOT.'/images/';
$image = getimg($imgurl);
$imgSize = @getImageSize($imgurl);
if (in_array($extension, array('jpg','JPEG','png','gif')) && $size < 2097152 && $imgSize[0] == 731 && $imgSize[1] == 234) {
file_put_contents($images_path.$banner,$image);
}
function getimg($url) {
$headers[] = 'Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg';
$headers[] = 'Connection: Keep-Alive';
$headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8';
$user_agent = 'php';
$process = curl_init($url);
curl_setopt($process, CURLOPT_HTTPHEADER, $headers);
curl_setopt($process, CURLOPT_HEADER, 0);
curl_setopt($process, CURLOPT_USERAGENT, $useragent);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
curl_close($process);
return $return;
}
I wrapper che ho provato sono file: // dict: // http: // https: // no gopher: // il server ha ssh smtp e memcached a 127.0.0.1
Come posso creare il mio payload per impostare il valore in memcached con il pacchetto UDP senza gopher?