[SSRF] Lab 2: Basic SSRF against another back-end system
This lab is part of my journey toward the Burp Suite Certified Practitioner, and is on the server-side vulnerabilities pathway from PortSwigger.
So in this lab I need to attempt to access the internal IP of 192.168.0.x. I have a feeling there might be some brute forcing involved…
Of course, like always, I start the lab without the proxy to get an understanding of its structure.
Looks like a shop again. Let's check for stock details on a product to see if it is making a request to an internal API to query for that stock number.
Nice, let's start up the proxy and interact with this check stock button.
Now let's pass this request to Intruder to start brute forcing the IP range…
So to add a payload position I'm going to highlight what I want to brute force, then hit the Add button on the right side.
Attack TIME !!!
Since we know that one of the internal sites on IP 192.168.0.x has a /admin page, that means there are really only 2^8 possible addresses in that last octet, which leaves us with 256, but since we can't have a host address of all 0s we can subtract one address from there, so that's 255 possible addresses.
This is the payload I will be using, shown URL-encoded and decoded so everyone can see what it is in plain text (I used the Burp Suite Decoder tool).
Request:
To get the payload to be a number, simply change the payload type in Intruder to Numbers and specify the range:
I decided to forget about the URL encoding and retry my brute-force attack with Intruder. What I did was pause the attack once it started to verify the requests were good..
FINALLY IT WORKED! The brute force attack was taking forever..
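From the defending side, a sweep like this one is loud: a single client sends the stock check with hundreds of different internal addresses in the URL parameter. The following is an added example (not from this write-up or from PortSwigger) that flags that pattern in application logs. It assumes the shop logs the client address together with the decoded URL it was asked to fetch (the `stockApi` parameter in the lab); the hostname `stock.shop.example` and the log lines are constructed for the example.

```python
"""Spot SSRF probing of internal addresses in application logs.

Added example, not from the original write-up. It assumes the shop logs
the decoded `stockApi` value of each stock check together with the client
address; the log lines and hostnames below are constructed for the example.
An Intruder-style sweep of 192.168.0.x shows up as one client sending many
distinct internal-address targets.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample: "<client> <path> stockApi=<url-encoded value>"
SAMPLE_LOG = """\
10.0.0.5 /product/stock stockApi=http%3A%2F%2Fstock.shop.example%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1
10.0.0.5 /product/stock stockApi=http%3A%2F%2Fstock.shop.example%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2
10.0.0.9 /product/stock stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fadmin
10.0.0.9 /product/stock stockApi=http%3A%2F%2F192.168.0.2%3A8080%2Fadmin
10.0.0.9 /product/stock stockApi=http%3A%2F%2F192.168.0.3%3A8080%2Fadmin
10.0.0.9 /product/stock stockApi=http%3A%2F%2F127.0.0.1%2Fadmin
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<path>\S+) stockApi=(?P<value>\S+)$")


def parse_line(line):
    """Return (client, decoded stockApi URL), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("client"), unquote(m.group("value"))


def internal_host(url):
    """Return the host if the URL targets an IP literal outside public space, else None.

    Only IP literals are judged here so the example runs offline; a real
    detector would also resolve hostnames and apply the same check.
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname, not an IP literal
    return host if not ip.is_global else None


def find_scanners(log_text, min_targets=3):
    """Map each client that hit at least `min_targets` distinct internal
    addresses to the sorted list of addresses it targeted."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, url = parsed
        host = internal_host(url)
        if host:
            targets[client].add(host)
    # Sort by (version, address) so mixed IPv4/IPv6 sets do not raise on comparison.
    return {
        client: sorted(hosts, key=lambda h: (ipaddress.ip_address(h).version, ipaddress.ip_address(h)))
        for client, hosts in targets.items()
        if len(hosts) >= min_targets
    }


if __name__ == "__main__":
    for client, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{client} probed {len(hosts)} internal addresses: {', '.join(hosts)}")
```

The threshold of three distinct internal targets is deliberately low for the sample; in a real log you would tune it and also window by time, since a legitimate integration never asks the stock service to fetch loopback or RFC 1918 addresses at all.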
Now we know that the internal address of the back-end system with the sensitive functionality is http://192.168.0.169:8080
So now let's follow the steps from the previous lab to be able to complete this lab by deleting carlos.
I need to make it seem like the request is coming from the local machine. So when I hit the delete button I'm going to copy whatever the site is requesting, then pass that to my URL in the StockApi request…
Then pass that to here:
And there we go, we solved the lab:
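The root cause throughout is that the back end fetches whatever URL the client hands it. As an added example (not the lab's or PortSwigger's code), here is the check the stock endpoint should have applied before making the request: accept only http(s), only an allowlisted host and port, and refuse any host whose resolved addresses land in loopback, private or link-local space, so that a DNS name pointing at 192.168.0.x is rejected as well. The allowlist entry `stock.shop.example:8080` and the resolver answers used in testing are constructed; the resolver is injectable so the example runs offline.

```python
"""Hardened handling of a client-supplied stock-check URL.

Added example, not from the original write-up. The lab application
forwards whatever URL arrives in its stock-check parameter; this is the
validation it was missing. The allowlisted host is constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of (host, port) pairs the back end may talk to.
ALLOWED_HOSTS = {("stock.shop.example", 8080)}


class UnsafeTarget(ValueError):
    """Raised when a supplied URL must not be fetched server-side."""


def resolve_all(host):
    """Every address `host` resolves to, via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_stock_api(url, resolver=resolve_all):
    """Return `url` unchanged if it is safe to fetch, else raise UnsafeTarget."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials in URL are not allowed")
    host = parts.hostname
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        raise UnsafeTarget("invalid port")
    if host is None or (host, port) not in ALLOWED_HOSTS:
        raise UnsafeTarget(f"host not on allowlist: {host}:{port}")
    # Even an allowlisted name is checked after resolution, so a record that
    # points at an internal address does not slip through.
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise UnsafeTarget(f"{host} resolves to non-public address {addr}")
    return url


def is_safe_stock_api(url, resolver=resolve_all):
    """Boolean wrapper around validate_stock_api for callers that just want yes/no."""
    try:
        validate_stock_api(url, resolver)
        return True
    except UnsafeTarget:
        return False
```

Note that the allowlist, not the address check, does the heavy lifting: the address check is a second layer for the case where the allowlisted name itself is rebound. Checking addresses without an allowlist leaves redirect-based and DNS-rebinding bypasses open, so keep both.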