Easy SSRF using Match and Replace, and a bonus on how to have your burp collaborator/server go…
2021-10-04 18:37:10 Author: infosecwriteups.com

Vuk Ivanovic

The Match and Replace feature is present in both the paid and free editions of Burp, and combined with the link below this should be useful for everyone.

Here’s one of the free alternatives to burp collaborator:

Now, there are two ways to go about it, and one of them is pretty dumb, but it might still work :)

The Smart Way — Part 1
So, I registered at the target website, and it had an area with templates. You could either upload your own logos or use the ones provided by the target website. Now, I usually don’t really care about those, mostly because it’s just images and the URL is usually hard-coded inside an img src, so even if you got an interesting text file back, it wouldn’t be readable. But I wanted to challenge myself to see if I could get something like gopher SSRF even with control over nothing but an img src (as per h1 reports[]). First, though, I had to determine whether there was a “regular” pingback through the img src that was coming from an internal IP, or any IP related to the target, instead of from my own IP.
In order to determine what exactly to use for the Match and Replace rule, I chose one of the website-provided logos and clicked Save to commit the change. I did all that while having Burp capture all the traffic to the target domain (it was wide scope, so I didn’t have to worry about accidentally excluding related/important subdomains). The next part was to find the reference(s) to the logo in question in the request body.

From the screenshot you can see that it’s editable HTML code, which immediately suggested that figuring out how to get anything from a compromised img src wouldn’t be necessary, especially when it turned out that iframe wasn’t being filtered out/blocked (its src was, though; I’ll get back to that later).
The important thing: I got a pingback that wasn’t coming from my own IP, which meant it was time to figure out how to actually get something useful.

The Smart Way — Part 2
I used the iframe src to get the output, and it worked… sort of. I got an HTTP pingback, but that’s not a 100% indication that it’s going to turn into full SSRF.
Then I tried various internal IP addresses, subdomains, and anything I could think of… except one thing. Because the pingback IP didn’t belong to the usual AWS-resolved IP, I didn’t try it until after way too many hours of attempting to figure out which internal IP address might give me some info (i.e. various ranges of 192.168.0.1, 192.168.1.1, 10.0.0.1, 172.x.x.x, 127.x.x.x). And it turned out that those were being blocked as well.
However, the bypass of using 0 in place of 127.0.0.1 did work, but only showed “Welcome to nginx”. Not really something to report as a bug (I know that from personal experience of reporting it a few times in the past (: ).
So, I was ready to throw in the towel, but I figured let’s go with AWS (even though I fully expected it to fail): 169.254.169.254, but that was also being blocked. But why would they block the AWS IP if they weren’t using AWS?
So, that got me curious, and the bypass that I have used in the past worked in this case as well:

And I got:

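Seen from the fix side, the two checks the writeup ran into (a name blocklist that let 0 through, and a metadata address that was refused by name) come down to validating the address a fetch will actually reach rather than the string the user typed. The following is an added example, not code from the original post or from the target site; the host names, the FAKE_DNS answers and the sample src= values are constructed for the demo.

```python
"""Server-side check for user-supplied src= URLs that the server itself will
fetch (the img/iframe case in the writeup).  Added example, not the target
site's code: it contrasts a string blocklist with an address-level check."""
import ipaddress
import socket
from urllib.parse import urlsplit

# The weak check: a literal list.  "0" is not in it, yet the resolver maps "0"
# to 0.0.0.0, which a loopback-bound nginx answers on, hence the page the
# writeup saw.
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1", "169.254.169.254"}


def naive_is_allowed(host: str) -> bool:
    return host.lower() not in NAIVE_BLOCKLIST


def canonical_ip(host: str):
    """Return the address a fetch of `host` would connect to, or None when
    `host` is a DNS name that still has to be resolved."""
    literal = host.strip("[]")
    # inet_aton applies the same legacy parsing the resolver does, so shorthand
    # such as "0" comes back as the real four-octet address.
    try:
        return ipaddress.IPv4Address(socket.inet_aton(literal))
    except OSError:
        pass
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return None
    # An IPv4 address carried inside an IPv6 literal is checked as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_public(addr) -> bool:
    """True only for addresses the server should fetch on a user's behalf."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def hardened_is_allowed(host: str, resolver=None) -> bool:
    """Check the address, not the string.  `resolver` maps a name to the list
    of addresses it resolves to; None means names are refused outright."""
    addr = canonical_ip(host)
    if addr is not None:
        return is_public(addr)
    if resolver is None:
        return False
    resolved = [canonical_ip(a) for a in resolver(host)]
    # Every record must be public: one internal record is all the server needs
    # to land on an internal host.  The fetch itself should then go to the
    # vetted address rather than resolving the name a second time.
    return bool(resolved) and all(a is not None and is_public(a) for a in resolved)


def check_src(url: str, resolver=None) -> dict:
    """Vet one src= URL and report both verdicts so the gap is visible."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    naive = bool(host) and naive_is_allowed(host)
    # The hardened path also refuses non-HTTP schemes before looking at the host.
    hardened = (parts.scheme in ("http", "https") and bool(host)
                and hardened_is_allowed(host, resolver))
    return {"url": url, "naive": naive, "hardened": hardened}


# Constructed DNS answers so the demo runs offline; a deployment would call
# socket.getaddrinfo(host, None) and feed every returned address through.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],                 # public record only
    "admin.example.com": ["10.0.0.5", "8.8.8.8"],   # one internal record
}


def fake_resolver(name: str):
    return FAKE_DNS.get(name.lower(), [])


# Constructed sample of src= values, limited to the forms the writeup mentions.
SAMPLE_SRCS = [
    "http://0/",
    "http://127.0.0.1/",
    "http://169.254.169.254/",
    "http://10.0.0.1/",
    "http://192.168.1.1/",
    "gopher://8.8.8.8/",
    "http://8.8.8.8/logo.png",
    "http://cdn.example.com/logo.png",
    "http://admin.example.com/logo.png",
]


def audit(urls=SAMPLE_SRCS, resolver=fake_resolver):
    return [check_src(u, resolver) for u in urls]


if __name__ == "__main__":
    for row in audit():
        print(f"{row['url']:<36} naive={row['naive']!s:<5} hardened={row['hardened']}")
```

Running it prints a naive/hardened verdict per sample. The useful part for a triage is the ordering: literal addresses are normalized first (0 becomes 0.0.0.0), an IPv4 address inside an IPv6 literal is unwrapped, and a DNS name is only accepted when every record it resolves to is public, with the fetch then made to that vetted address.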
The Dumb Way
Well… this is mostly for entertainment purposes :) and it has been mentioned in the past. Just Match and Replace any and every website reference. If you really want to have dumb fun, do it for the Response body as well; who knows, it might work, and if it does let me know in the comments. But be ready to have your Burp Collaborator or your server get a bunch of pingbacks.


Source: https://infosecwriteups.com/easy-ssrf-using-match-and-replace-and-a-bonus-on-how-to-have-your-burp-collaborator-server-go-b5210037a101?source=rss----7b722bfd1b8d--bug_bounty