Related vulnerability
Description
PoC and Disclosure for CVE-2023-7231 – Memcached Gopher RCE chain
Introduction
# CVE-2023-7231 – Critical SSRF → Memcached/Docker RCE Chain via Audible `fetchResource`
## 🔥 Summary
This vulnerability enables **Server-Side Request Forgery (SSRF)** in Audible’s `fetchResource` API on `*.audible.com`, allowing unauthenticated attackers to pivot into internal infrastructure.
Through SSRF payload chaining, we achieved:
- 🛡 **AWS EC2 Metadata Access**
- 🐳 **Docker Socket Probing on 127.0.0.1:2375**
- 🔐 **Credential & PII Exfiltration via `/env`, `/proc/self/environ`**
- ✅ Consistent `200 OK` responses from internal-only endpoints
---
## 📉 Attack Chain
```text
SSRF → AWS Metadata → IAM Role Abuse → S3/Lambda Access
SSRF → Docker API → Root Container Access
SSRF → Env Vars → Credential Dump → DB Pivot
```

File snapshot

```text
[4.0K] /data/pocs/a6b854f9f1979db85e5925b3ba80586b706a1f10
├── [3.3K] audible_vulnerability_report_20250517_080825.md
├── [ 782] AWS Metadata Chain Implementation_SVOMAP.py
├── [ 26K] chain_test_results_20250517_091308.json
├── [ 907] Compliance-First ArchitectureWICVDPPATFL.py
├── [ 973] Docker Impact Validation_SCFDAPIE.py
├── [ 794] Environment Variable Probing_SCFCDE.py
├── [ 812] Execution_Workflow_OST&R.py
├── [ 778] README.md
├── [4.0K] SSRF_AUDIBLE
│ ├── [1.1M] Audible_ssrf_200ok_with_data.zip
│ └── [4.0K] README.txt
│ ├── [ 148] curl httpswww.audible.comapifetchRe.txt
│ ├── [ 302] HOW TO RUN.txt
│ └── [ 675] README.md
├── [1.0K] Theoretical Impact DocumentationWCAE-BIMS.py
└── [ 16M] video_captured.zip
2 directories, 14 files
```