The upload-from-remote-servers feature allows me to perform an SSRF attack on the private LAN servers.
This feature checks the following
I can read web apps from the internal network, fingerprint them and exploit them (using GET only exploits).
This is how I’ve managed to read a phpinfo file from my local LAN:
http://192.168.1.157/info.php/test.html
The file is fetched, saved by the CMS locally (or S3) and then the output can be downloaded by the attacker as you can see in the attached screenshots.
ps: crayons
An attacker can pivot in the private LAN and exploit local network apps.
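A destination check that closes this path, as an added example that is not part of the report or of the CMS's code: it rejects the URL above because every address the host resolves to must be public, regardless of path or extension. The names `check_remote_url` and `resolve` are assumptions; the fetcher is assumed to connect only to the returned addresses and to re-run the check on every redirect.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve(host, port):
    """Default resolver: every address the host name maps to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_remote_url(url, resolver=resolve):
    """Return (allowed, reason, addresses) for a URL submitted for remote upload.

    The decision rests on the resolved addresses, never on the path or file
    extension, so a suffix such as /test.html has no influence on it.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        return False, f"malformed URL: {exc}", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "no host in URL", []
    try:
        addresses = resolver(parts.hostname, port)
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve host: {exc}", []
    if not addresses:
        return False, "host has no addresses", []
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        # is_global is False for RFC 1918, loopback, link-local and reserved ranges.
        if not ip.is_global:
            return False, f"{ip} is not a public address", []
    return True, "ok", list(addresses)


if __name__ == "__main__":
    # The URL from the report; an IP literal resolves without any DNS lookup.
    print(check_remote_url("http://192.168.1.157/info.php/test.html"))
```

Returning the vetted addresses lets the fetcher pin its connection to them, so a second DNS lookup at fetch time cannot swap in an internal address.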