Lab: Basic SSRF against a local server
This lab demonstrates a missing server-side check that lets a user-supplied URL make the application send a request to its own loopback interface and return the response as if it had been accessed locally.
I loaded the website and chose a random product to look at the request it sends for checking stock, as that would be communicating with the server via `POST`, so this could be used to send commands to the server:
I replaced the stockApi URL with `localhost/admin` to access the admin page via the server's loopback interface:
This showed me the user list on the server:
Now I naively just pressed delete on 'carlos' while forwarding the requests without looking at them, which sent me to this page:
Confused, I tried again, but this time I looked at the request being sent, and to my displeasure it was a GET request to the server's client-facing admin page, not the one on loopback:
So I decided to copy the request and redo the `POST` request to the server, but with the deletion information appended to it:
And finally I just brought up the user list again to verify the deletion: