PoC details: ed4d901397b09f3365f6b99a65d6dc599e6b5517

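Source
Related vulnerability
Title: request-baskets code issue vulnerability (CVE-2023-27163)
Description: request-baskets is an open-source web service from rbaskets. request-baskets v1.2.1 and earlier contain a security vulnerability: the /api/baskets/{name} component is affected by a server-side request forgery (SSRF) flaw. An attacker can exploit it through a crafted API request to access network resources and sensitive information.
Description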
Proof of Concept exploit for Server Side Request Forgery vulnerability in Requests Basket v1.2.1 and before.
Introduction
# CVE-2023-27163 PoC Exploit Code

This Python script is a Proof of Concept (PoC) for **CVE-2023-27163**, a Server-Side Request Forgery (SSRF) vulnerability in Request Basket.

### Code Description

The script automates the exploitation of CVE-2023-27163. It performs the following actions:

1.  **Generates a random basket name**: Creates a unique endpoint for interaction.
2.  **Creates a basket and retrieves an API token**: Interacts with the Request Basket API to set up a new basket and get the authorization token.
3.  **Configures the basket for SSRF**: Modifies the basket's configuration to forward incoming requests to an internal address (`127.0.0.1`) on a specified port.
4.  **Attempts to access internal ports**: It iterates through a predefined range of ports (75-81 by default), attempting to access services running on `localhost` of the vulnerable server via the configured basket.
5.  **Displays results**: If a service is found and returns a 200 OK status, it prints a message indicating the open port and the beginning of the response content.

This effectively allows an attacker to scan internal ports on the server hosting the vulnerable Request Basket instance.
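A server-side check that would refuse the forwarding target set in step 3, shown here as an added example (it is not part of the PoC or of the request-baskets project). The names `forward_url_allowed`, `system_resolver`, `fake_resolver` and the `*.example` hosts are assumptions made for illustration, as is the policy of allowing only globally routable addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Return the IP strings the OS resolver gives for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def forward_url_allowed(url, resolver=system_resolver):
    """Return (allowed, reason) for a proposed basket forward_url.

    Hypothetical helper: accepts only http/https URLs whose host maps
    exclusively to globally routable addresses.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)          # literal IPv4/IPv6 address
        candidates = {host}
    except ValueError:                      # a name: check every address it maps to
        try:
            candidates = set(resolver(host))
        except OSError:
            candidates = set()
    if not candidates:
        return False, "host does not resolve"
    for text in candidates:
        addr = ipaddress.ip_address(text.split("%")[0])   # drop IPv6 zone id
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if not addr.is_global:              # loopback, private, link-local, ...
            return False, f"{addr} is not a public address"
    return True, "ok"


# Constructed DNS data so the example runs offline; the names are made up.
FAKE_DNS = {"intranet.example": ["10.0.0.5"], "public.example": ["93.184.216.34"]}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

A check made when the basket is configured does not cover a name that later resolves to a different address, so the same test has to be applied to the IP the forwarder actually connects to.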

### Configuration for Usage

To adapt this script for your own use, you may need to modify the following:

1.  **`IP_Vuln_Server`**:
    * Change the IP address and port `r'10.129.229.26:55555'` to match the target vulnerable Request Basket server.
    ```python
    IP_Vuln_Server = r'YOUR_TARGET_IP:PORT'
    ```

2.  **Port Range for Scanning** (Optional):
    * The script currently scans ports 75 through 81 (`range(75,82)`).
    * Adjust this range in the `main()` function if you want to scan different or a wider set of internal ports.
    ```python
    for i in range(START_PORT, END_PORT + 1): # e.g., range(1, 65536) for all ports
        ConfBasketAndFetchResp(headers, i)
    ```

3.  **`forward_url` in `ConfBasketAndFetchResp`** (Advanced/Specific Use Cases):
    * By default, it targets `http://127.0.0.1:{port}/`.
    * If you suspect other internal services on different paths or even other internal IP addresses reachable by the vulnerable server, you can modify the `forward_url` string. However, for the intended SSRF to scan `localhost`, `127.0.0.1` is usually correct.
    ```python
    json_config = {
        "forward_url": f"http://TARGET_INTERNAL_IP:{port}/TARGET_PATH",
        # ... other parameters
    }
    ```

Ensure you have the `requests` library installed (`pip install requests`). Use this PoC responsibly and only on systems you have explicit permission to test.
File snapshot

```
[4.0K] /data/pocs/ed4d901397b09f3365f6b99a65d6dc599e6b5517
├── [1.0K] LICENSE
├── [1.5K] PoC_27163.py
└── [2.5K] README.md

0 directories, 3 files
```