10.2 Lab: Basic SSRF against another back-end system | 2023
This lab has a stock check feature that fetches data from an internal system. Use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos to solve the lab | Karthikeyan Nagaraj
Published Sep 30, 2023
Description
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Solution
- Click a product and try the stock check functionality.
- Capture the request in Burp. The body has a parameter called stockAPI whose value is a URL-encoded string.
- Send the request to Decoder and click Smart decode: the value is a full URL pointing at an internal host, which means the server fetches whatever URL you supply.
- Instead of http://localhost/admin (the basic SSRF lab), the target this time is the internal range 192.168.0.0 to 192.168.0.255 on port 8080, i.e. http://192.168.0.X:8080/admin. Send the request to Intruder, clear the default payload positions, select the X in the IP address and click Add.
- On the Payloads tab, choose Numbers as the payload type.
- Set the range to start at 1, end at 255, with a step of 1.
- Start the attack and sort the results by status code: one host returns 200, the rest do not.
- View that response. In this instance the admin interface was at http://192.168.0.24:8080/admin (the address is randomised per lab instance, so use whatever your attack returns).
- Send that request, with the IP you found, to Repeater.
- The response is the admin page; inspect the HTML and you will find the URL that deletes the user carlos.
- If you are using Burp Suite Professional, you can render the response to see the page as a browser would, which makes the link easier to spot.
- Copy the delete URL from the admin page response.
- Paste it into the stockAPI parameter, URL-encoded like the original value, and send the request to solve the lab.
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng