SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3

Lets get in to Live Examples

The author of this BLOG is no way responsible for any misuse of the information.

4. Live Examples -

Lets look in to basic SSRF

Here the page parameter fetch external resource and display its content


Read Local files -

When you try other URL schemas like DICT gives an error

 Warning: file_get_contents(): Unable to find the wrapper “dict” — did you forget to enable it when you configured PHP

This indicates DICT URL schemas is not enabled

In the same way you can try other URL schemas and find which all are enabled and use them to exploit it further


Read local files

Working vulnerable site -

Repo Link -

SSRF in Widely used Plugins and CMS -

SSRF in Jira -

Jira version < 7.3.5 are suffering from SSRF


There are more than 40k jira sites on shodan. You can find them using below dorks

X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"" -- For aws
X-AUSERNAME: anonymous org:"Microsoft Azure" -- For Azure
X-AUSERNAME: anonymous org:"google" -- For Google

Now lets see some vulnerable Sites -- Aws Details -- Aws Details -- Aws Details -- Aws Details -- Aws Details -- Aws Details -- Aws Details -- Aws Details

These are some vulnerable sites I found

SSRF in JSmol2WP Wordpress Plugin -

JSmol2WP version below 1.07 has an Unauthenticated Server Side Request Forgery


Dork -


Vulnerable sites - -- DB details -- Fetch -- DB details

SSRF in Qards Wordpress Plugin -

Qards is vulnerable to Server Side Request Forgery (SSRF)


Dork -


Vulnerable sites -

SSRF in HTML to PDF conversion -

Vulnerable sites -

Content of Ssrf.html

"><iframe src="file:///etc/passwd"></iframe>
"><svg/onload=document.write(document.location)> -- to know the path and some times to know what os they are using at backend

All these sites posted above are just to let you practice , I am not responsible for any misuse of the information.