dirk1983 / chatgpt

The demo site can now be used for free for ChatGPT chat and image generation. The easiest-to-deploy and fastest-responding ChatGPT environment on the web. A PHP version that calls the OpenAI API for Q&A and image generation, using stream-mode communication so that output is shown as it is generated. The front end uses EventSource, supports Markdown parsing, formula display, syntax-highlighted code and image generation. The page UI is simple and supports multi-turn conversations with context. The source is only a few files, uses no framework, supports all PHP versions, is fully open source and is very easy to customize. Step-by-step tutorials, accounts and other related resources; everyone is welcome to join the group to chat, everything is free.

Home Page:https://mm1.ltd

SSRF vulnerability in `pictureproxy.php` File

zer0yu opened this issue

SSRF vulnerability in pictureproxy.php File (chatgpt)

0x01 Affected version

vendor: https://github.com/dirk1983/chatgpt

version: release (f9f4bbc)

php version: 7.x

0x02 Vulnerability description

A Server-Side Request Forgery (SSRF) in the pictureproxy.php file of chatgpt (f9f4bbc) allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter. It should be noted that this vulnerability can be triggered without the need for authentication and is therefore more harmful.

The vulnerable code is located in the pictureproxy.php file. Because the function does not perform sufficient checksumming on the url parameter, the taint is introduced from the $_GET['url'] variable into the tainted function file_get_contents, and after the file_get_contents function is executed it sends a request to the URL specified by the url parameter, eventually leading to an SSRF vulnerability.

<?php
// Vulnerable as reported: the url parameter is passed straight to
// file_get_contents(), so any scheme (http://, file://, ...) and any host,
// including internal addresses, is fetched by the server.
if (isset($_GET['url'])) {
    $image = file_get_contents($_GET['url']);
    // The response is always labelled image/jpeg regardless of what was fetched.
    header("Content-type: image/jpeg");
    echo $image;
} else {
    echo "Invalid request";
}

Because the url parameter is unrestricted, it is also possible to use the server side to send requests, such as probing web services. The corresponding PoC is as follows:

curl -i -s -k http://mm1.ltd/pictureproxy.php?url=http://hbwqkb.dnslog.cn


If open_basedir is not configured to limit the directories that the request can manipulate, it can also result in arbitrary local file reads. The corresponding PoC is as follows:

curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/passwd

0x03 Mitigation

  1. It is recommended to change the open_basedir parameter in the php.ini configuration file to restrict the directories that can be accessed
  2. It is recommended that an authentication function be added to limit the users who can use this feature

0x04 Acknowledgement

z3
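For readers who want to see the two mitigations from the report applied to the code, the following is an added example of a hardened replacement for pictureproxy.php. It is not the project's own code: the function names (proxy_url_target, proxy_fetch_image), the 5 MiB size limit, the image content-type list and the $_SESSION['user'] check are all assumptions made for this example. It closes the file:// local-file read by allowing only http/https (so it does not depend on open_basedir, which would not restrict curl anyway), refuses loopback, private and link-local addresses after resolving the host name, pins the connection to the address that was checked so a changing DNS answer between check and fetch does not help, disables redirects (a redirect would otherwise bypass the check), and serves only responses the upstream declares as images. IPv6 literals are rejected outright because gethostbynamel() is IPv4-only; that is a deliberate conservative choice, not an oversight.

```php
<?php
// Added example, not the project's pictureproxy.php. Names are hypothetical.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // constructed limit: 5 MiB

/**
 * Validate a user-supplied URL before the server fetches it.
 * Returns host/port plus the checked IP to pin to, or null when rejected.
 */
function proxy_url_target(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http/https: this alone removes file:// and every other wrapper.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // credentials embedded in a proxied URL are never wanted
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once; IPv6 literals ("[::1]") fail both branches and are rejected.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // Reject RFC 1918 private ranges and the reserved ranges 0/8, 127/8,
        // 169.254/16 (cloud metadata endpoints live here) and 240/4.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

/** Fetch the image through curl with the address pinned; null on any failure. */
function proxy_fetch_image(string $url): ?array
{
    $target = proxy_url_target($url);
    if ($target === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would skip the check above
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => MAX_IMAGE_BYTES,
        // Pin the host name to the IP that passed validation.
        CURLOPT_RESOLVE        => ["{$target['host']}:{$target['port']}:{$target['ip']}"],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $type   = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    if (!is_string($body) || $status !== 200 || strlen($body) > MAX_IMAGE_BYTES) {
        return null;
    }
    // Serve only what the upstream declares as an image, and pass that type
    // through instead of blindly claiming image/jpeg.
    if (!is_string($type) || !preg_match('#^image/(jpeg|png|gif|webp)(\s*;|$)#i', $type)) {
        return null;
    }
    return ['type' => $type, 'body' => $body];
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed URLs; literal IPs need no network access.
    $cases = [
        'file:///etc/passwd'             => false,
        'http://127.0.0.1/'              => false,
        'http://169.254.169.254/latest/' => false,
        'http://10.0.0.5/internal'       => false,
        'http://user:pw@192.0.2.10/'     => false,
        'http://192.0.2.10/logo.png'     => true,  // RFC 5737 documentation address
    ];
    foreach ($cases as $u => $expected) {
        $allowed = proxy_url_target($u) !== null;
        printf("%-32s %s\n", $u, $allowed === $expected ? 'ok' : 'UNEXPECTED');
    }
    exit;
}

// Web entry point: the report's second mitigation, require a logged-in user.
// $_SESSION['user'] is an assumed session key, not something the project defines.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('Authentication required');
}
$image = isset($_GET['url']) ? proxy_fetch_image((string) $_GET['url']) : null;
if ($image === null) {
    http_response_code(400);
    exit('Invalid request');
}
header('Content-Type: ' . $image['type']);
header('X-Content-Type-Options: nosniff');
echo $image['body'];
```

Run it as `php pictureproxy_hardened.php` to see the self-check, which exercises only the validator; the fetch path needs a web server and a real upstream. Two caveats a reviewer would raise: a host that resolves to several addresses is rejected if any one of them is internal, which is the safe side of the trade-off, and a public host can still serve an image/png response, so the content-type check limits what internal services can leak rather than what public ones can return.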

Thanks for your kindness reminder.

I only saw this message a couple of days ago. Inner monologue: this is just something shared among friends for casual use, and you still had to report it as a vulnerability; bro, you must really be hungry (doge).