Server-Side Request Forgery (SSRF) in kalcaddle/KodExplorer

Reported on May 17th 2021


SSRF exposes cloud server metadata and can lead to compromise of the server


A low-privileged user can compromise the KodExplorer server if it is hosted in AWS, Alibaba Cloud or Google Cloud.


AWS, Azure, Alibaba Cloud, DigitalOcean and Google Cloud each expose a special API URL from which an instance can fetch its own server metadata.

http://instance-data[ROLE NAME][ROLE NAME][ID]/openssh-key\

Google Cloud:


Using the above API, a user can obtain server metadata such as the AWS secret key, API credentials, SSH key, etc.
If the server is hosted in AWS, Alibaba Cloud, DigitalOcean or Google Cloud, those APIs let a user obtain the server's secret keys and achieve remote code execution.
So requests to those URLs must be detected and blocked. KodExplorer exposes the endpoint below to fetch a remote file, and an attacker can use it to retrieve the AWS secret key.

GET /kodexplorer/index.php?explorer/serverDownload&type=download&savePath=/desktop/&url= HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SOV37) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/kodexplorer/index.php?desktop
Connection: close
Cookie: .........

Here the vulnerable parameter is the url parameter.


Let's assume KodExplorer is hosted on an Amazon AWS IP.
Then the metadata URL will be
http://instance-data[ROLE NAME][ROLE NAME]

  1. From the admin account, invite user B as a demo user.
  2. User B now sends the above request with the url parameter changed to the metadata API URL above.
  3. The server fetches that AWS URL and obtains all the AWS secret keys, openssh-key, public-key etc., and the response is saved to a file on the Desktop (note that in the request above the savePath parameter is set to /desktop/).
  4. User B can now download the response file from the Desktop and read the AWS secret keys, SSH key etc., and can then log in to the server over SSH using that key.

User B can also reach the internal network by supplying a URL like the one above in the url parameter.



Before fetching, the URL must be checked against the metadata URLs above.
The request should be blocked if the URL matches a metadata API URL.
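Matching only the literal metadata URL is easy to get around (another hostname, an IP literal or an IPv6-mapped form can resolve to the same address), so a robust version of the check resolves the hostname and rejects link-local, loopback and private destinations. The following is an added example written for this report in Python as a stand-in for the check the PHP serverDownload endpoint should make; it is not KodExplorer code, and the DNS table, the hostnames and the example URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Metadata-service names: a quick reject; the real gate is the resolved-address check.
BLOCKED_HOSTNAMES = {"instance-data", "metadata.google.internal", "localhost"}

# Ranges a "download a remote file" feature has no reason to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local; the AWS/GCP/Azure metadata service lives here
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def validate_download_url(url, resolver=None):
    """Return (allowed, reason, addresses); fails closed. The caller must connect
    to one of the returned addresses, not re-resolve the name (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parsed.scheme, []
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host or parsed.username is not None or parsed.password is not None:
        return False, "missing host or userinfo present in URL", []
    if host in BLOCKED_HOSTNAMES or host.endswith(".internal"):
        return False, "blocked hostname: " + host, []
    try:  # resolver is injectable for tests; default asks real DNS for all records
        names = resolver(host) if resolver else {i[4][0] for i in socket.getaddrinfo(host, None)}
        addrs = {ipaddress.ip_address(a) for a in names}
    except (socket.gaierror, ValueError) as exc:
        return False, "cannot resolve %s: %s" % (host, exc), []
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:a.b.c.d -> a.b.c.d
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, "%s resolves to blocked address %s" % (host, addr), []
    return True, "ok", sorted(str(a) for a in addrs)

# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "files.example.org": {"203.0.113.10"},
    "rebind.example.net": {"203.0.113.20", "10.0.0.5"},  # one public, one internal
    "v6.example.org": {"::ffff:169.254.169.254"},
}

def fake_resolver(host):
    try:
        return {str(ipaddress.ip_address(host))}  # IP literal resolves to itself
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("unknown host: " + host)
        return FAKE_DNS[host]
```

Because a hostname with both a public and an internal record is rejected outright, the check also covers names whose DNS answer mixes targets; pinning the fetch to a returned address covers answers that change between check and download.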