1. Vulnerability Point: http://192.168.56.1:8081/crawl/crawlSource_test.html

2. Controllable URL for internal network scanning:
If the target exists, the response is as follows: ![image] ![image]
If the target does not exist, the response is as follows: ![image]
3. At the code level, the issue is in the testParse function in src/main/java/com/java2nb/novel/controller/CrawlController.java:
HttpUtil.getByHttpClientWithChrome(url); is the SSRF trigger point, where url corresponds to the content of the first input box on http://192.168.56.1:8081/crawl/crawlSource_test.html.
```java
public RestResult<Object> testParse(String rule, String url, String isRefresh) {
    Map<String, Object> resultMap = new HashMap<>();
    String html = null;
    if (url.startsWith("https://") || url.startsWith("http://")) {
        String refreshCache = "1";
        if (!refreshCache.equals(isRefresh)) {
            html = cacheService.get(CacheKey.BOOK_TEST_PARSE + url);
            if (html == null) {
                isRefresh = "1";
            }
        }
        if (refreshCache.equals(isRefresh)) {
            html = HttpUtil.getByHttpClientWithChrome(url);
            if (html != null) {
                cacheService.set(CacheKey.BOOK_TEST_PARSE + url, html, 60 * 10);
            } else {
                resultMap.put("msg", "html is null");
                return RestResult.ok(resultMap);
            }
        }
    } else {
        resultMap.put("html", "url is null");
        return RestResult.ok(resultMap);
    }
    Pattern pattern = Pattern.compile(rule);
    Matcher matcher = pattern.matcher(html);
    boolean isFind = matcher.find();
    resultMap.put("是否匹配", isFind);
    if (isFind) {
        resultMap.put("匹配结果", matcher.group(1));
    }
    // resultMap.put("url",url);
    return RestResult.ok(resultMap);
}
```