Lab 9: Basic SSRF against the local server

 Here I have to exploit SSRF

The first thing I will do is look at the requests  that the web page makes with Burpsuite

The website has an option to check the stock of an item.

This has to connect to the backend. If i am able to change this request with the loopback address which is often trusted then I can access a page that I don’t have normal access to.



Here is the request and as can be seen it is accessing the backend.


By changing the request to http://localhost/admin i was able to gain access to the admin page and delete a user.


After looking at the request I saw that the path to delete Carlos was to go /admin/delete?username=carlos

I then added this to my original path and sent it, I then followed the request and it worked.


The user Carlos was deleted and the lab was done.

Comments

Post a Comment

Popular posts from this blog

Practitioner Lab 1: File path traversal, traversal sequences blocked with absolute path bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by looking into one of these pages which have images I then went into the source code and took a look at where the image was being accessed I then went into it and changed the image for the absolute path of the file /etc/passwd This then resulted in the lab being finished. To solve this using Burp I went into the http history and this allowed me to see the request for images. Here I take a look at the request and then change it to the absolute path of /etc/passwd and then I get the contents of the file
Read more

Practitioner Lab 7: SSRF with filter bypass via open redirection vulnerability

Image
  This lab has a stock check feature which fetches data from an internal system. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. I went into the page and looked at the check stock which accesses the database Here I took a look at the request to see what was happening and how it was working here I first check how it would react if I just tried to use the Ip directly without using local. I will use their own URL and then &path=http://192.168.0.12:8080/admin to the end of the URL As can be seen the URL doesn’t allow for redirections. I need a URL that needs redirections. This URL allows for redirections I found this after clicking next item. /product/nextProduct?currentProductId=1&path=/product?productId=2 I can use this URL and feed it to the stock checker to then be able to go to the admin page I put the URL that I got before here to then be able to redirec...
Read more

Practitioner Lab 4: File path traversal, validation of start of path

Image
 This lab contains a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder. To solve the lab, retrieve the contents of the  /etc/passwd  file. I began by going into the page with an image and captured the request. I then opened Burp Suite and looked at the request and as the lab specified the request will not work unless it has the main path of /var/www/images I tried to check what answer it would give me when I didn't have the full path name just to learn. After putting a full path name it worked out including the starting point of /var/www/images. Now the lab is solved.
Read more

Practitioner Lab 5:File path traversal, validation of file extension with null byte bypass

Image
 This lab contains a path traversal vulnerability in the display of product images. The application validates that the supplied filename ends with the expected file extension. To solve the lab, retrieve the contents of the  /etc/passwd  file. the first thing I do is check the website out and look for images. I will then click on the page with the image because this way I can see the request on Burp Suite In this case, the server is checking for a specific extension so i put it after the %00 null byte Now I am going to check how it works when I don’t put that. I want to see what type of answer it will give me. It will simply say no such file.
Read more