Exploiting the SSRF (Remote SSRF)

Hello Guys,

It's me, Aaditya Purani. Today I am writing about one of the most anticipated and hottest topics, SSRF (Server Side Request Forgery). SSRF is something you find rarely in day-to-day web applications, so there are fewer PoCs available online. So what about coding one? Yes, cool enough. Before starting the article I assume you have basic knowledge of PHP and SSRF. If not, go and learn 😛

Here is the code I wrote. The logic is that it works like a website which helps the user fetch a page and its content. So here is what it looks like now:

[screenshot: ssrf1]

So this is it: you need to enter the link and click on "Submit", and boom, roasted. So I enter any URL, let's say ronaldo.com, and see what I get:

[screenshot: pic2]

So what I did in the code is use the PHP function file_get_contents() to get the content of whatever webpage the user enters. Now, obviously, to make it exploitable the code is kept vulnerable by not doing proper input validation and no error handling. Error handling is one of the major parts of the process, because from the error he gets the attacker can determine how to go on with further testing. If we talk about basic or simple SSRF, we can do port scanning through it. Now, there is a site called scanme.nmap.org. Check it with Nmap; it will show you two ports open, 80 and 22, and 8000 and 8080 filtered. Now we need to check the open port with the command below, and we will determine the "Error":

http://scanme.nmap.org:22

[screenshot: pic3]

We receive an error message "HTTP Request Failed". So for now mark it aside as Open = "HTTP Request Failed". Now let's check a closed port like 5555.

Command:

http://scanme.nmap.org:5555

The Response we get is:

[screenshot: pic4]

Cool. Again we get an error message, "Network is Unreachable". We knew it was a closed port from our earlier Nmap reconnaissance, so mark it aside as "Network is Unreachable" = Closed Port.

Based on the error messages, we can conclude which ports are open and which are closed. You may also compare timings, sizes of responses and many other factors to determine the correct state before deriving a conclusion. So that was it; for more questions you can always ping me.
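To show what the missing validation and error handling from the description above would look like, here is an added example (my own code, not the post's): the fetcher as described, beside a hardened form that only allows http/https on the standard ports, refuses hostnames that resolve to loopback, private or reserved addresses, disables redirects, and returns one generic message to the user whatever the failure. The function names and the error string are assumptions of this example.

```php
<?php
// Vulnerable form, as the post describes it: any user-supplied URL is
// fetched and PHP's warning text ("HTTP request failed",
// "Network is unreachable") reaches the user, which is what leaks
// the port state.
function fetch_vulnerable(string $url): string {
    return (string) file_get_contents($url);
}

// Hardened form (example, not the post's code).
function fetch_hardened(string $url): string {
    $generic = 'Could not fetch page.';   // one message for every failure
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $generic;
    }
    // Only http/https: no file://, gopher://, php:// etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $generic;
    }
    // Only the standard web ports, so the fetcher cannot probe others.
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return $generic;
    }
    // Check the resolved address, not the hostname, so a name that points
    // at an internal IP is refused too. gethostbyname() returns the name
    // unchanged when resolution fails (IPv4 only; extend for AAAA as needed).
    $ip = gethostbyname($parts['host']);
    if ($ip === $parts['host'] || filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return $generic;
    }
    // Short timeout, no redirects (a redirect could point back inside),
    // and @ so the underlying warning is never echoed to the user.
    $ctx = stream_context_create(['http' => [
        'timeout' => 5, 'follow_location' => 0, 'max_redirects' => 0,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        error_log('fetch failed for host ' . $parts['host']);  // log server-side only
        return $generic;
    }
    return $body;
}
```

The gap between the address check and the fetch (DNS rebinding) still remains in this form; closing it means pinning the fetch to the address that was checked, for example with a client that lets you supply the resolved IP.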

That's all for today. Thanks, and special thanks to Daniel for asking this question 🙂
