53 lines
No EOL
1.5 KiB
Text
53 lines
No EOL
1.5 KiB
Text
# Exploit Title: CKEditor 3 - Server-Side Request Forgery (SSRF)
|
||
# Google Dorks : inurl /editor/filemanager/connectors/uploadtest.html
|
||
# Date: 12-6-2021
|
||
# Exploit Author: Blackangel
|
||
# Software Link: https://ckeditor.com/
|
||
# Version:all version under 4 (1,2,3)
|
||
# Tested on: windows 7
|
||
|
||
Steps of Exploit:-
|
||
|
||
1-using google dorks
|
||
|
||
inurl /editor/filemanager/connectors/uploadtest.html
|
||
|
||
2-after going to vulnerable page you will find filed “Custom Uploader URL: ”
|
||
|
||
3-right click then choose inspect element, click on pick an element from
|
||
the page , select field Custom Uploader URL:
|
||
|
||
4-in elements “<input id=”txtCustomUrl” style=”WIDTH: 100%;
|
||
BACKGROUND-COLOR: #dcdcdc” disabled=”” type=”text”>”
|
||
|
||
delete disabled=””
|
||
|
||
5-now you can put url start with any protocal
|
||
|
||
6-send it to the server as you see website that you have entered link
|
||
|
||
is appear into page .
|
||
|
||
what this mean??!!1
|
||
|
||
you send request to server using vulnerable website
|
||
|
||
you can said i used it as proxy
|
||
|
||
hackers >>> vulnerable website >>> http:/xx.com
|
||
|
||
so in http://xx.com logs requests come from vulnerable website
|
||
|
||
impact:-
|
||
|
||
1-that allows an attacker to induce the server-side application to make
|
||
HTTP requests to an arbitrary domain of the attacker’s choosing. if there
|
||
is big company use old version hackers can send request via there websites
|
||
and this not good for reputation of company
|
||
|
||
2-put big company website in blacklist of websites cause i hackers can send
|
||
many of request via vulnerable website
|
||
|
||
Mitigation:-
|
||
|
||
Remove the uploadtest.html file as it is not used by the application. |