diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md
index de4275697..fb5c6d410 100644
--- a/network-services-pentesting/pentesting-web/graphql.md
+++ b/network-services-pentesting/pentesting-web/graphql.md
@@ -510,6 +510,7 @@ query isValidDiscount($code: Int) {
### Vulnerability scanners
* [https://github.com/dolevf/graphql-cop](https://github.com/dolevf/graphql-cop): Test common misconfigurations of graphql endpoints
+* [https://github.com/assetnote/batchql](https://github.com/assetnote/batchql): GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
* [https://github.com/dolevf/graphw00f](https://github.com/dolevf/graphw00f): Fingerprint the graphql being used
* [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): Toolkit that can be used to grab schemas and search for sensitive data, test authorization, brute force schemas, and find paths to a given type.
* [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): Can be used as standalone or [Burp extension](https://github.com/doyensec/inql).
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
index 6fb0ac368..ae039fe40 100644
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -229,6 +229,14 @@ In the following scenario the **attacker made the server throw some big errors**
![](<../../../.gitbook/assets/image (1085).png>)
+## SSRF in PHP functions
+
+Check ther page:
+
+{% content-ref url="php-ssrf.md" %}
+[php-ssrf.md](php-ssrf.md)
+{% endcontent-ref %}
+
## Code execution
**system("ls");**\
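Review bot: the added line `Check ther page:` under the new `## SSRF in PHP functions` heading has a typo ("ther"). Suggest `Check the following page:`, or a sentence that says what the reader will find there, in line with the intro this same patch adds above the php-ssrf.md content-ref in ssrf-server-side-request-forgery/README.md.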
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
index c741041e2..49a5be886 100644
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
@@ -16,7 +16,7 @@ Other ways to support HackTricks:
**Try Hard Security Group**
-
+
{% embed url="https://discord.gg/tryhardsecurity" %}
@@ -33,6 +33,20 @@ file("http://127.0.0.1:8081");
md5_file("http://127.0.0.1:8081");
```
+### Wordpress SSRF via DNS Rebinding
+
+As [**explained in this blog post**](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf), even the Wordpress function **`wp_safe_remote_get`** is vulnerable to DNS rebinding, making it potentially vulnerable to SSRF attacks. The main validation it calls is **wp\_http\_validate\_ur**l, which checks that the protocol is `http://` or `https://` and that the port is one of **80**, **443**, and **8080**, but it's **vulnerable to DNS rebinding**.
+
+Other vulnerable functions according to the post are:
+
+* `wp_safe_remote_request()`
+* `wp_safe_remote_post()`
+* `wp_safe_remote_head()`
+* `WP_REST_URL_Details_Controller::get_remote_url()`
+* `download_url()`
+* `wp_remote_fopen()`
+* `WP_oEmbed::discover()`
+
### CRLF
Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions:
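Review bot: the validator's name in the new Wordpress paragraph is mangled: `**wp\_http\_validate\_ur**l` closes the bold before the final `l` and uses escaped underscores, while every other function in this hunk is in backticks. Write it as **`wp_http_validate_url`**. The same sentence states that the function is "vulnerable to DNS rebinding" twice without saying why a scheme and port check does not prevent it; a one-sentence summary of the linked post's reasoning, plus any mitigation it describes, would make the section usable without leaving the page. "Wordpress" should also be "WordPress" in the heading and body.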
@@ -76,11 +90,10 @@ $file = file_get_contents($url, false, $context);
**Try Hard Security Group**
-
+
{% embed url="https://discord.gg/tryhardsecurity" %}
-
Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md
index d923c6dad..55682d08d 100644
--- a/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -3,7 +3,7 @@
\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
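Review bot: the only change to the Trickest line is backslash-escaping `_` and `&` inside the link target (`utm\_source=hacktricks\&utm\_medium=...`), which is unrelated to the SSRF content this patch adds and is repeated in two more hunks of this file. The `{% embed %}` URL directly below keeps the unescaped form, so the two now differ. This looks like editor auto-formatting; suggest dropping it from this commit or confirming the link still resolves with the escapes in place.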
@@ -127,7 +127,7 @@ https://example.com/?q=http://evil.com/redirect.php.
```
{% endcode %}
-#### Gopher MongoDB -- Create user with username=admin with password=admin123 and with permission=administrator
+#### Gopher MongoDB -- Create user with username=admin with password=admin123 and with permission=administrator
```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
@@ -179,6 +179,8 @@ Create several sessions and try to download heavy files exploiting the SSRF from
## SSRF PHP Functions
+Check the following page for vulnerable PHP and even Wordpress functions:
+
{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %}
[php-ssrf.md](../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
{% endcontent-ref %}
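Review bot: the added intro line "Check the following page for vulnerable PHP and even Wordpress functions:" is loosely worded. "and even" reads as filler and "Wordpress" should be "WordPress"; something like "Check the following page for PHP and WordPress functions that can lead to SSRF:" tells the reader what the linked page covers.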
@@ -220,7 +222,7 @@ if __name__ == "__main__":
\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
@@ -268,7 +270,7 @@ Vulnerable code:
-It was discovered that It's possible to **start the path** of a request with character **`;`** which allows to use then **`@`** and inject a new host to access. Attack request:
+It was discovered that It's possible to **start the path** of a request with character **`;`** which allows to use then **`@`** and inject a new host to access. Attack request:
```http
GET ;@evil.com/url HTTP/1.1
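Review bot: the removed and added versions of the "It was discovered that It's possible to..." line read the same, so this hunk appears to change whitespace only. If the line is being touched anyway, fix its wording: "It's" is capitalised mid-sentence and "which allows to use then" is ungrammatical. For example: "It was discovered that it's possible to start the path of a request with the character `;`, which then allows using `@` to inject a new host to access."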
@@ -423,7 +425,7 @@ Other ways to support HackTricks:
\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}