Reading Internal Files using SSRF vulnerability
I am hunting on one private program since last 8 months, since it doesn’t allow disclosure i will keep organization REDACT, in requests i will use ‘example.com’ as its name.
I am going to show how i was able to read internal files of an organization using Server Site Request Forgery vulnerability.
After analyzing it i was able to make request from above function as follows:
Here you can see an interesting parameter ‘filehookURL’ , so i thought it is SSRF issue because i got the response of https://www.REDACT.com , so i confirmed that it is SSRF and hence my next target was, if i can read internal files of organization.
The next is to test dangerous URL schemas such as file:/// , dict:// , ftp:// and gopher:// , but i was lucky enough and i was able to read internal files from file:/// scheme.
Here is the request i made to read ‘/etc/passwd’ file :
And here is the response:
I immediately reported it to the organization, and the team was very fast in response. They fixed the issue within 2 hrs of their first response and awarded me with generous bounty.
I hope you learned something from it.
Thanks for reading.