ha1c9on created HTTPCLIENT-2129:
-----------------------------------
Summary: Jakarta Commons-HttpClient/3.1 can bypass regular expression filtering and cause SSRF
Key: HTTPCLIENT-2129
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2129
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Affects Versions: 5.0, 3.1 (end of life)
Environment: all system jdk1.8
Reporter: ha1c9on
Attachments: screenshot.zip
Code:
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.util.regex.Pattern;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;

    // Enclosing class name assumed; the report shows only the method.
    public class ImageFetcher {

        public byte[] getImage(String url) throws RuntimeException {
            // Allowlist check: the regex only inspects the text between "://" and
            // the first "/", "?" or "#", it does not parse the URL's authority.
            if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
                return ("illegal url! "
                        + "^(http|https):\\\\/\\\\/[^?#\\\\/]*\\\\.google\\\\.com\\\\/.*").getBytes();
            } else {
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                try {
                    HttpClient client = new HttpClient();
                    GetMethod method = new GetMethod(url);
                    method.addRequestHeader("client", "httpclient3");
                    client.executeMethod(method);
                    // Copy the response body into the buffer, 1 KiB at a time.
                    InputStream in = method.getResponseBodyAsStream();
                    byte[] bt = new byte[1024];
                    int i;
                    while ((i = in.read(bt)) != -1) {
                        out.write(bt, 0, i);
                        out.flush();
                    }
                    in.close();
                } catch (Exception e) {
                    // On failure the exception message is returned as the body.
                    try {
                        out.write(e.getMessage().getBytes());
                        out.flush();
                    } catch (IOException ioe) {
                        ioe.printStackTrace();
                    }
                }
                return out.toByteArray();
            }
        }
    }
You can see the regular expression filtering does not allow access to other web pages, such as localhost,
but using a double "@" can bypass the regular expression and cause SSRF.
Payload is: [http://ip/?url=http://@@127.0.0.1:[email protected]/]
Using this vulnerability, you can access your own server and cause a 302 jump
to cause local access, thereby bypassing IP restrictions.
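Added example, not the reporter's or the project's code: the same allowlist decision made on the parsed host via java.net.URI instead of on the raw text via the regex. The class name, the allowed-host set and the two sample URLs are assumptions constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical class; the allowlist and the sample URLs below are constructed.
public final class HostAllowlist {

    // Regex used by the reporter's getImage(), kept only for comparison.
    private static final Pattern REGEX =
        Pattern.compile("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*");

    // Assumption: only this host and its subdomains may be fetched.
    private static final Set<String> ALLOWED = Collections.singleton("google.com");

    static boolean regexAllows(String url) {
        return REGEX.matcher(url).matches();
    }

    // Structural check: let the URI parser decide what the host actually is.
    static boolean hostAllows(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // malformed URL: reject
        }
        String scheme = uri.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme)) return false;
        // getHost() is null when the authority is not a valid server-based
        // authority, e.g. because of stray '@' characters; reject that, and
        // reject any userinfo at all, since an image fetch needs no credentials.
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) return false;
        host = host.toLowerCase(Locale.ROOT);
        for (String allowed : ALLOWED) {
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String legit  = "https://www.google.com/images/logo.png";
        // Constructed double-'@' URL of the shape described in the report.
        String tricky = "http://@@127.0.0.1:80@www.google.com/";
        System.out.println("legit:  regex=" + regexAllows(legit)  + " host=" + hostAllows(legit));
        System.out.println("tricky: regex=" + regexAllows(tricky) + " host=" + hostAllows(tricky));
    }
}
```

This only covers the first request; HttpClient 3.x follows a GET's redirects by default, so the 302 hop the report describes also needs handling, either by calling method.setFollowRedirects(false) on the GetMethod or by re-validating the Location target with the same check before fetching it.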
--
This message was sent by Atlassian Jira (v8.3.4#803005)