During one bug bounty I found that the target webapp was presenting some 'interesting errors' in its responses. ;) As this is always a nice and cool 'hint' to see during pentests/CTFs, I decided to dig a little bit more. Below you will find the details of the SSRF found in LiquiFireOS. Here we go...
Today we'll start here:
This solution was 'something new' for me. An example response I found online during the bug bounty:
I decided to use Burp Suite and try a few of the scenarios described in one of the posts available on the blog:
A few more cases (and a sample response):
So it looks like we're talking about version 4.8.0 :) Cool, next:
As you can see (example requests from Intruder) there is a nice part of the link, for example url.
I decided to check some other 'url' :) Results below:
That looks interesting ;> So what is the problem? Maybe the port? Maybe the hostname? I will try to change both of them:
That's nice :) Is there any other parameter available for this kind of modification?
To verify it I decided to read a very nice book for Christmas - called the manual: ;)
You can find a few more cool cases and examples there.
As I saw in one of the error messages, there are only 4 possibilities to use: http://, ftp://, file:// and cms://. I decided to use http and ftp:
I decided to check if the target app would be able to do something else for me. For example, to log in to some (internal? ;)) FTP server. Because I do not have one (in the 'target/bugbounty company' ;)), I decided to use some nice-for-cats-ftp server I found online. Let's try to log in with admin:admin credentials:
Looks promising ;)
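From the defender's side, the behaviour described above (a user-supplied url whose scheme, host, port and embedded FTP credentials are all accepted by the server) is what a strict allowlist check in front of the fetcher would reject. The following is an added example, not code from the original post or from LiquiFire; the policy values, host names and the `check_source_url` function are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for a service that fetches remote images (all values constructed).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com"}
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_source_url(raw):
    """Return the list of policy violations for a user-supplied source URL.

    An empty list means the URL may be fetched.
    """
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return ["unparseable"]

    reasons = []
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ALLOWED_SCHEMES:  # rejects ftp://, file://, cms://
        reasons.append("scheme")
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials")  # e.g. user:pass@host
    if scheme in DEFAULT_PORTS:
        effective = port if port is not None else DEFAULT_PORTS[scheme]
        if effective not in ALLOWED_PORTS:
            reasons.append("port")
    try:
        if not ipaddress.ip_address(host).is_global:
            reasons.append("internal-ip")  # loopback, private, link-local, ...
    except ValueError:
        pass  # host is a name, not an IP literal
    if host not in ALLOWED_HOSTS:
        reasons.append("host")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("http://images.example.com/cat.jpg",
                   "ftp://admin:admin@ftp.example.net/",
                   "http://127.0.0.1:8080/"):
        print(sample, "->", check_source_url(sample) or "ok")
```

Because only allowlisted host names pass, the check does not need to resolve DNS; a policy that permits arbitrary hosts would also have to validate the resolved address and every redirect target at fetch time.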
If you look at the main page ('of the target'), there should be something like this:
Sample payload to use in your URL:
Maybe you'll find it useful.
See you next time!