Chaining an Blind SSRF bug to Get an RCE
My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be Discussing how I was able to get RCE by using Blind SSRF.
TOOLS used for the exploitation:
- gf (tomnomnom) — https://github.com/tomnomnom/gf
- qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace)
- ffuf — https://github.com/ffuf/ffuf
- gau(Corben) — https://github.com/lc/gau
- waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls
Background of the Vulnerability:
I always wonder why great bugbounty hunter always tell about chaining the bug. I was doing some recon on target using web achieve I found an blind ssrf on targets with parameter named as “next_image” .
NOW the actual Hunting start:
So, Suppose the target name is example.com and also all subdomain are in scope.Like this
In Scope: *.example.com
While doing some recon on target using web achieve, I extracting all the urls from web achieve using waybackurls and gau . Here is command i used for that
gau -subs example.com
But still there is a chance that will will missing some url. So, inorder to reduce the chances for the missing url we run waybackurls on all subdomain. And grep out all the urls containing parameters and sort them uniquely and save it in file. So that can fuzzing for blind ssrf
gau -subs example.com; subfinder -d example.com -silent |waybackurls | gf ssrf | sort -u >> testblindssrf.txt
After greping and sorting the url we saved it in a file named as “testblindssrf.txt”. Now we fuzz the url for blind ssrf using ffuf.
So for receiving the http request for blind ssrf i have used my burp collaborator . But testblindssrf.txt file have 900 url so, i used qsreplace to replace all parameter value with burpcollaborator server payload and fuzz it with ffuf.
cat testblindssrf.txt | qsreplace “http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net" >> ssrfuzz.txt
ffuf -c -w ssrfuzz.txt -u FUZZ -t 200
Now we will check whetherwe get any http request hit on our burp collaborator server. Fortunately i got an httpx hit on my burp server by the urls as
Now it time to escalate blind ssrf to RCE:
As I was thing about how can escalate these blind ssrf sudden i remember as post of twitter i can’t remember the name of the user who posted the tips but I tried the payloads to check rce.
Once , when i open the link on my browser i got an http request on my burp server with “whoami” rce command being a executed as show in image.
POC for Blind ssrf to rce
I quickly reported the bug and the report by triage to critical
After seeing this my reaction …
I’m sure that a lot of security researcher had already see there process but this how I approach to access admin dashboard , and i have reported many in bugbounty program using this process, .I hope this will help to find more admin Dashboard takeover
That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability..
Thanks for reading :)
Santosh Kumar Sha — Security Researcher — Bugcrowd | LinkedIn
View Santosh Kumar Sha’s profile on LinkedIn, the world’s largest professional community. Santosh Kumar has 2 jobs…