Hi guys, my name is Rafli Pasya. Today I want to share my story about an SSRF on Adfly; I found this bug 4 days ago and it is already fixed.
Two months ago I found an IDOR on Adfly, and 4 days ago I found an SSRF on Adfly. Using this vulnerability I was able to send an email through Adfly's SMTP server. It is absolutely dangerous if another hacker uses this to attack Adfly's clients.
I prepared these tools:
2. A server to upload a PHP file to
First of all I tried to shorten a gopher:// URL, but it was blocked by the server. So I made a PHP file containing a Gopherus payload, and that actually worked.
I opened a CMD and typed:
gopherus.py --exploit fastcgi
This is used to exploit FastCGI and gain RCE, but unfortunately, because I was unable to see the response body (only the <title> tag), this exploit did not work.
So I tried the SMTP exploit:
gopherus.py --exploit smtp
From Mail : adf@ly
To Mail : [myemail@.x.y]
Now I created a PHP file:
and uploaded it to my server.
Then I visited the Adfly site and shortened myserver.com/poc.php.
After 1–5 minutes I checked my inbox and saw an email from email@example.com.
I quickly reported this bug to their team. It was fixed 1 day after I reported it.
Thanks for reading, sorry for my bad English btw.
Original writeup:
- Sunday 23 June 2019 23:35 GMT+7 = Bug Found & Reported
- Monday 24 June 2019 17:16 GMT+7 = Triaged
- Monday 24 June 2019 22:34 GMT+7 = Bug Fixed