Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Information Provided
- Affects Version/s: 3.1 (end of life), 5.0
- Fix Version/s: None
- Component/s: None
- Environment: all system jdk1.8
- Important
Description
Code (decompiled; imports added, the decompiler's duplicate `int i` and the missing loop body restored):

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public byte[] getImage(String url) throws RuntimeException {
    // Host check exactly as reported; the two '*' quantifiers and the escaped '/'
    // before '.*' appear to have been lost in rendering and are restored here so the
    // pattern behaves as the report describes (Pattern.matches() is a full-string match).
    if (!Pattern.matches("^(http|https):\\/\\/[^?#\\/]*\\.google\\.com\\/.*", url)) {
        // The rejecting branch is not shown in the report; a RuntimeException is assumed
        // because the method declares one.
        throw new RuntimeException("URL not allowed: " + url);
    } else {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            HttpClient client = new HttpClient();
            GetMethod method = new GetMethod(url);
            method.addRequestHeader("client", "httpclient3");
            client.executeMethod(method);
            InputStream in = method.getResponseBodyAsStream();
            byte[] bt = new byte[1024];
            int i;
            while ((i = in.read(bt)) != -1) {
                out.write(bt, 0, i); // copy the response body into the buffer
            }
            in.close();
        } catch (Exception e) {
            // On any failure the exception message itself becomes the returned bytes.
            try {
                out.write(e.getMessage().getBytes());
                out.flush();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
        }
        return out.toByteArray();
    }
}
As you can see, the regular-expression filtering does not allow access to other web pages, such as localhost, but using a double @ can bypass the regular expression and cause SSRF.
The payload is: http://ip/?url=http://@@127.0.0.1:22@w.google.com/
Using this vulnerability, you can access your own server and cause a 302 jump that results in local access, thereby bypassing the IP restrictions.
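The double-@ trick in the report works because the pattern inspects the raw string, while the HTTP client decides which host to connect to from the parsed authority, and `[^?#\/]*` happily swallows a userinfo segment. The following is an added example, not code from this report or from the affected project: it reproduces the report's regular expression in Python next to a stricter check that parses the URL, refuses any userinfo, compares the parsed hostname against an assumed allowlist of google.com hosts, and re-validates every redirect hop (the 302 concern at the end of the report). The payload and the redirect tables are constructed inputs standing in for the network.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# Allowed hosts: google.com and its subdomains (assumed for this example).
ALLOWED_SUFFIXES = ("google.com",)

# The report's regular expression. Java's Pattern.matches() is a full-string
# match, so fullmatch() is used below to reproduce it.
WEAK_RE = re.compile(r"^(http|https):\/\/[^?#\/]*\.google\.com\/.*")

# The report's payload (constructed input, same value as in the description).
PAYLOAD = "http://@@127.0.0.1:22@w.google.com/"


def weak_check(url: str) -> bool:
    """The original string-only check: accepts anything with '.google.com/' after
    a run of characters containing no '?', '#' or '/', userinfo included."""
    return WEAK_RE.fullmatch(url) is not None


def strict_check(url: str) -> bool:
    """Validate the host a URL parser actually extracts, not the raw string."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Userinfo is the lever behind the @@ bypass. Parsers disagree on which '@'
    # ends it (urllib takes the last one), so refuse it rather than guess.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # A literal IP address can never be an allowed host.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if port is not None and port not in (80, 443):
        return False
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def follow_redirects(start_url, responses, max_hops=3):
    """Re-validate every hop. `responses` is a constructed table mapping a URL to
    (status, Location) and stands in for the network. Returns the final URL, or
    None if any hop is refused or the hop limit is exceeded."""
    url = start_url
    for _ in range(max_hops + 1):
        if not strict_check(url):
            return None
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url
        url = urljoin(url, location)
    return None


# Constructed redirect tables: a 302 to the loopback SSH port, and a benign one.
EVIL_REDIRECTS = {"http://www.google.com/img/a.png": (302, "http://127.0.0.1:22/")}
GOOD_REDIRECTS = {"http://www.google.com/img/a.png": (302, "https://images.google.com/a.png")}

if __name__ == "__main__":
    print("weak check accepts payload:", weak_check(PAYLOAD))      # True
    print("strict check accepts payload:", strict_check(PAYLOAD))  # False
    print("302 to loopback:", follow_redirects("http://www.google.com/img/a.png", EVIL_REDIRECTS))  # None
```

The strict check is deliberately about the parsed host rather than a cleverer regular expression: any check that tries to out-guess the client's URL parser will fail against the next parser quirk. Note that it only validates names; a deployment that must also defend against an allowed name resolving to an internal address would additionally resolve the host and reject private ranges before connecting, which this example does not do.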