Chaining a Blind SSRF bug to Get an RCE
Hi, everyone
My name is Santosh Kumar Sha, and I'm a security researcher from India (Assam). In this article, I will discuss how I was able to get RCE by using a blind SSRF.
I am now offering 1:1 sessions to share my knowledge and expertise.
TOOLS used for the exploitation:
- gf (tomnomnom) — https://github.com/tomnomnom/gf
- qsreplace (tomnomnom) — https://github.com/tomnomnom/qsreplace
- ffuf — https://github.com/ffuf/ffuf
- gau (Corben) — https://github.com/lc/gau
- waybackurls (tomnomnom) — https://github.com/tomnomnom/waybackurls
Background of the Vulnerability:
I always wondered why great bug bounty hunters always talk about chaining bugs. While doing some recon on the target using the web archive, I found a blind SSRF on the target in a parameter named “next_image”.
Now the actual hunting starts:
So, suppose the target name is example.com and all subdomains are also in scope, like this:
In Scope: *.example.com
While doing recon on the target using the web archive, I extracted all the URLs from the web archive using waybackurls and gau. Here is the command I used for that.
Command used:
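The author's exact command is not reproduced on this page. The following is an added example (my code, not the author's) of the filtering step that the listed tools perform after waybackurls/gau have dumped archived URLs: it picks out parameters whose values are themselves URLs (the way a parameter such as `next_image` showed up here), deduplicates them per endpoint so an application owner can review which endpoints fetch user-supplied URLs, and shows the qsreplace-style substitution of a parameter value with a placeholder host for testing one's own staging environment. The URL list, the `canary.invalid` host and the function names are constructed for this example and do not come from the original post.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample standing in for the output of waybackurls/gau on an
# in-scope domain (not data from the original post).
ARCHIVED_URLS = [
    "https://example.com/gallery?id=12",
    "https://example.com/gallery?next_image=https://cdn.example.com/img/2.jpg",
    "https://app.example.com/preview?url=http%3A%2F%2Fexample.com%2Fa.png&size=lg",
    "https://example.com/static/logo.png",
    "https://example.com/fetch?redirect=//example.com/home",
    "https://example.com/search?q=ssrf",
]

# Values that look like an absolute URL or a protocol-relative host reference.
URL_LIKE_PREFIXES = ("http://", "https://", "//")


def url_valued_params(url):
    """Return (name, value) pairs from the query string whose value looks like a URL.

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F... is caught too.
    """
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(URL_LIKE_PREFIXES):
            hits.append((name, value))
    return hits


def ssrf_candidates(urls):
    """Deduplicate URL-taking parameters by (host, path, parameter name).

    This is the inventory an application owner wants: every endpoint that
    accepts a URL from the client and therefore needs an allowlist or egress
    controls. Returned sorted so the output is stable.
    """
    seen = {}
    for url in urls:
        parts = urlsplit(url)
        for name, value in url_valued_params(url):
            key = (parts.netloc, parts.path, name)
            seen.setdefault(key, value)  # keep the first observed value
    return sorted(seen)


def rewrite_url_params(url, replacement):
    """qsreplace-style substitution: set every URL-valued parameter to `replacement`.

    Non-URL parameters are left untouched; a URL with no URL-valued parameter is
    returned unchanged. `replacement` is a host you control (placeholder here).
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not url_valued_params(url):
        return url
    rewritten = [
        (name, replacement if value.lower().startswith(URL_LIKE_PREFIXES) else value)
        for name, value in params
    ]
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


if __name__ == "__main__":
    for host, path, name in ssrf_candidates(ARCHIVED_URLS):
        print(f"{host}{path} takes a URL in parameter '{name}'")
    # Placeholder callback host (.invalid is reserved and never resolves).
    print(rewrite_url_params(ARCHIVED_URLS[1], "http://canary.invalid/probe"))
```

Feeding the real waybackurls/gau output into `ssrf_candidates` (one URL per line from stdin) gives the same kind of shortlist that `gf ssrf` produces, but keyed per endpoint and parameter rather than per archived URL, which is the form a review or allowlist decision needs.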