Chaining an Blind SSRF bug to Get an RCE

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be discussing how I was able to get RCE by using Blind SSRF.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

TOOLS used for the exploitation:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace)
  3. ffuf — https://github.com/ffuf/ffuf
  4. gau(Corben) — https://github.com/lc/gau
  5. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Background of the Vulnerability:

I always wonder why great bugbounty hunter always tell about chaining the bug. I was doing some recon on target using web achieve I found an blind ssrf on targets with parameter named as “next_image” .

NOW the actual Hunting start:

So, Suppose the target name is example.com and also all subdomain are in scope.Like this

In Scope: *.example.com

While doing some recon on target using web achieve, I extracting all the urls from web achieve using waybackurls and gau . Here is command i used for that

Command used:

--

--

Santosh Kumar Sha(@killmongar1996)
Santosh Kumar Sha(@killmongar1996)

Written by Santosh Kumar Sha(@killmongar1996)

Cloud Security |Security Researcher |Pentester | Bugbounty hunter|VAPT | Pentration tester | CTF player | topmate.io/santosh_kumar_sha

Responses (2)