Lab: Basic SSRF against another Backend System
This lab explores a web server's lack of protection against requests to the local network. On an isolated internal network the admin page of a web server is often left unprotected, because the network itself is treated as the boundary; if the client-facing server lacks the necessary protections, this effectively gives an attacker free access to the admin panel.
I loaded the web page and chose the first product to see the `POST` request it was sending, and stumbled across a private IP:
`192.168.0.1:8080` fit the description in the lab instructions, as it was an IP in `192.168.0.x` hosting resources on port 8080.
So, on that assumption, I sent a request for the admin page to it using stockApi:
But this didn't produce the desired result, which left me a bit confused, so I sent the `POST` request to Repeater for further investigation, where I found it returned a client-side error:
I decided to take a step back and scan for IPs, or rather enumerate the IPs hosting something on the internal network, using Intruder. I sent the same request to Intruder, setting the payload position at the last octet of the IP:
I then set the payload to numbers from 1 to 255:
I started the attack and filtered out 5xx status codes (server-side errors), as I didn't need to know which IPs hosted nothing:
Two IPs remained: the one which had previously left me perplexed, and a new, more promising one with a 200 status code.
I substituted the last octet in my `POST` request with `152` and got access to the backend server's admin page:
Since I had access to the admin page this way, I crafted the deletion request and sent it to the server by setting the stockApi URL to `http://192.168.0.152:8080/admin/delete?username=carlos`. I had learnt to craft such requests in my previous SSRF lab.
I verified with another `POST` request, calling for the user list again:
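The root cause throughout is that the stockApi parameter accepts an arbitrary URL. As an added example (not part of the original post or the lab), this is the kind of allowlist check the backend should apply before fetching a stockApi URL, together with a filter that flags request bodies whose stockApi value fails it. The stock-check path prefix and the `192.168.0.1:8080` host are assumptions based on the request seen in the post; the sample bodies are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: the single internal service the stock check is meant to
# reach. Only the host seen in the post is known; the path prefix is assumed.
ALLOWED_STOCK_HOST = "192.168.0.1"
ALLOWED_STOCK_PORT = 8080
ALLOWED_PATH_PREFIX = "/product/stock/check"


def stock_api_allowed(url: str) -> bool:
    """Return True only if the stockApi URL targets the allowlisted stock service.

    Matching on a fixed host, port and path prefix means other internal hosts
    (192.168.0.152) and other paths on the stock host (/admin) are both refused.
    If the allowlist used a hostname rather than an IP, the server would also
    have to resolve it and pin the resolved address before connecting.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parsed.scheme != "http":
        return False
    if parsed.username is not None or parsed.password is not None:
        return False  # reject user@host forms that hide the real host
    if parsed.hostname != ALLOWED_STOCK_HOST or port != ALLOWED_STOCK_PORT:
        return False
    return parsed.path.startswith(ALLOWED_PATH_PREFIX)


def flag_ssrf_attempts(bodies: list[str]) -> list[str]:
    """Return decoded stockApi values from form bodies that fail the allowlist."""
    flagged = []
    for body in bodies:
        for value in parse_qs(body).get("stockApi", []):
            if not stock_api_allowed(value):
                flagged.append(value)
    return flagged


# Constructed request bodies: a legitimate stock check, the two requests
# described in the post, and a second legitimate check.
SAMPLE_BODIES = [
    "stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1",
    "stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fadmin",
    "stockApi=http%3A%2F%2F192.168.0.152%3A8080%2Fadmin%2Fdelete%3Fusername%3Dcarlos",
    "stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck",
]

if __name__ == "__main__":
    for hit in flag_ssrf_attempts(SAMPLE_BODIES):
        print("rejected stockApi:", hit)
```

Run over a web server's request log, the same filter surfaces the enumeration step of the post as a burst of rejected values differing only in the last octet.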