漏洞描述
系统/getCorsFile接口存在服务器端请求伪造(SSRF)漏洞,该接口接收urlPath参数但未对请求的目标地址进行有效过滤和限制。攻击者可构造包含内网地址或特殊协议的urlPath参数发送至该接口,触发SSRF漏洞,可导致服务器发起指定的网络请求(如DNS查询、内网探测),若服务器配置不当,还可能读取内网资源、执行端口扫描等,造成敏感信息泄露、内网渗透等严重风险。
kkFileView /getCorsFile 服务器端请求伪造漏洞
PoC代码
暂无相关漏洞推荐
- POC CVE-2021-43734: kkFileview v4.0.0 - Local File Inclusion
- POC CVE-2022-29349: kkFileView 4.0.0 - Cross-Site Scripting
- POC CVE-2022-35151: kkFileView 4.1.0 - Cross-Site Scripting
- POC CVE-2022-40879: kkFileView 4.1.0 - Cross-Site Scripting
- POC CVE-2022-43140: kkFileView 4.1.0 - Server-Side Request Forgery
- POC CVE-2022-46934: kkFileView 4.1.0 - Cross-Site Scripting
- POC CVE-2021-43734: kkFileView getCorsFile 任意文件读取漏洞
- POC kkfileview-upload-xss: kkFileView Upload - XSS
- POC CVE-2022-42149: kkFileView 4.0 - Server-Side Request Forgery
- POC kkfileview-panel: kkFileView Panel - Detect
- kkFileView /fileUpload 存在任意文件上传漏洞
- kkFileView zipslip 远程代码执行漏洞
- kkFileview v4.1.0 跨站脚本攻击漏洞