Stars: 660
Rank: 68,064 (Top 2%)
Language: PHP
License: MIT License
Created: about 5 years ago
Updated: about 1 year ago


Repository Details

This lab contains sample code that is vulnerable to Server-Side Request Forgery (SSRF) attacks.

Server-Side Request Forgery (SSRF) vulnerable Lab

This repository contains PHP code that is vulnerable to Server-Side Request Forgery (SSRF) attacks.

I would like to say Thank You to @albinowax, AKReddy, Vivek Sir (for being great personalities who always supported me), Andrew Sir - @vanderaj (for his encouraging words) and those researchers who contributed to DNS rebinding attack based research.

The vulnerable code demonstrates SSRF in the six scenarios listed below:

1. Application code that fetches and displays the content of a specified file

Programming languages have functions that read the contents of a locally saved file. Some of these functions can fetch content from remote URLs as well as from local files (e.g. file_get_contents in PHP, whose stream wrappers handle "http://", "ftp://" and "file://" when allow_url_fopen is enabled, which is the default).

This functionality can be abused if the application passes user-supplied data to such a function without prepending anything to it, i.e. without putting a directory name or path in front of the user's value.

In that case the fetching function itself processes schemes such as "http://" or "file://": when the user supplies a remote URL such as "http://localhost" in place of a file name, the function makes the request from the server and returns the response body, so the attacker reads content from hosts the server can reach.

If the application does prepend a string (for example a directory name) to the user data, the "http://" or "file://" scheme no longer sits at the start of the string, the stream wrappers are not triggered, and this SSRF is not exploitable. (A prepended directory does nothing against "../" directory traversal, which is a separate issue and still needs its own check.)

Guide to Exploitation of Scenario 1
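The following is an added example and not code from this lab: it reproduces the two patterns described above in Python, using urllib as the stand-in for PHP's scheme-aware file_get_contents. The files directory, the sample file in it and the helper names (fetch_vulnerable, fetch_hardened, outcome) are constructed for the demo. The hardened version shows both the prepended directory that neutralises "http://" and "file://", and the realpath containment check that the prefix alone does not give you.

```python
import os
import tempfile
import urllib.request

# Constructed sandbox: a throwaway directory standing in for the application's
# files directory (an assumption; the lab's real layout is not reproduced).
FILES_DIR = os.path.realpath(tempfile.mkdtemp(prefix="ssrf-scenario1-"))
with open(os.path.join(FILES_DIR, "readme.txt"), "w", encoding="utf-8") as fh:
    fh.write("hello from the files directory\n")


def fetch_vulnerable(user_input: str) -> str:
    """Mirrors file_get_contents($_GET['file']) with nothing prepended: the raw
    user string reaches a reader that understands URL schemes, so "file://..."
    and "http://..." are fetched instead of being treated as a file name."""
    if "://" in user_input:
        # urllib, like PHP's stream wrappers, follows whatever scheme it is given.
        with urllib.request.urlopen(user_input, timeout=3) as resp:
            return resp.read().decode("utf-8", errors="replace")
    with open(user_input, encoding="utf-8") as fh:
        return fh.read()


def fetch_hardened(user_input: str) -> str:
    """Mirrors file_get_contents(FILES_DIR . '/' . $file): the directory is
    concatenated in front of the user string, so "http://localhost" becomes
    "<FILES_DIR>/http://localhost", an ordinary (non-existent) local path, and
    no request is made. The realpath containment check is added on top because
    the prefix alone does not stop "../" traversal."""
    candidate = os.path.realpath(FILES_DIR + "/" + user_input)
    if os.path.commonpath([FILES_DIR, candidate]) != FILES_DIR:
        raise PermissionError("path escapes the files directory")
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()


def outcome(fetcher, user_input: str) -> str:
    """Summarise what a request would do: 'fetched', 'blocked' or 'missing'."""
    try:
        fetcher(user_input)
        return "fetched"
    except PermissionError:
        return "blocked"
    except (OSError, ValueError):
        return "missing"


if __name__ == "__main__":
    payloads = (
        "readme.txt",
        "file://" + FILES_DIR + "/readme.txt",
        "../../../../etc/hostname",
        "http://127.0.0.1/",
    )
    for payload in payloads:
        print(f"{payload!r:70} vulnerable={outcome(fetch_vulnerable, payload):8} "
              f"hardened={outcome(fetch_hardened, payload)}")
```

Run stand-alone, the vulnerable fetcher happily reads the sample file through a file:// URL and sends a real request for the http:// payload, while the hardened fetcher turns both into non-existent local paths and refuses the traversal payload outright.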

2. Application provides an interface to connect to a remote host

The web application has an interface that lets a user specify any IP with any port; the application then tries to connect to a service such as MySQL or LDAP there.

The application expects the user to enter the remote server's hostname/IP, username and password, and then tries to connect to that server on the specified port. If the code speaks MySQL and the user supplies the SMB port, the application sends MySQL client packets to the SMB service. The port is open, but the two sides cannot talk because they speak different protocols, so the application reports a protocol-level error rather than a connection error.

This behaviour can be exploited to scan the internal network: the different error messages (and response times) for refused, filtered and open-but-wrong-protocol ports let an attacker enumerate not just live IPs but the open ports on them.

Guide to Exploitation of Scenario 2
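The following is an added example, not the lab's code: it models the "connect to MySQL" feature as a function that returns the error text a user would see, and a classifier that turns that text into a port state. The server-side behaviour (app_connect), the fake listeners (start_fake_server, free_port) and the exact message strings are assumptions made for the demo; the one real protocol detail it relies on is that a MySQL server speaks first, sending a 4-byte packet header with sequence number 0 before its greeting.

```python
import socket
import threading


def start_fake_server(banner: bytes) -> int:
    """Constructed stand-in for an internal service: listen on 127.0.0.1 on an
    ephemeral port, send `banner` to every client, then close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """Pick a port nothing listens on, so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def app_connect(host: str, port: int, timeout: float = 1.0) -> str:
    """Assumed model of the vulnerable 'connect to MySQL' handler: it returns
    the error text the user ends up seeing. A MySQL server sends a 4-byte
    packet header (3-byte little-endian length, 1-byte sequence number 0)
    followed by its greeting; anything else is reported as a protocol error."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "Connection refused"
    except socket.timeout:
        return "Connection timed out"
    except OSError as exc:
        return f"Connection failed: {exc}"
    with sock:
        sock.settimeout(timeout)
        try:
            header = sock.recv(4)
        except socket.timeout:
            return "Connected, but no server greeting before timeout"
        if len(header) < 4:
            return "Connected, but the server closed the connection"
        length = int.from_bytes(header[:3], "little")
        if header[3] != 0 or length == 0:
            return "Connected, but packets out of order (not a MySQL server)"
        return "MySQL greeting received"


def classify(message: str) -> str:
    """Map the application's error text to a port state. Only a refused connect
    proves the port is closed and only a connect timeout suggests a filter;
    every other message means the TCP handshake completed, i.e. the port is open."""
    if message == "Connection refused":
        return "closed"
    if message == "Connection timed out":
        return "filtered"
    return "open"


def scan(host: str, ports) -> dict:
    """Port scan driven entirely through the vulnerable connect feature."""
    return {port: classify(app_connect(host, port)) for port in ports}


if __name__ == "__main__":
    http_port = start_fake_server(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    mysql_port = start_fake_server(b"\x4a\x00\x00\x00\x0a8.0.36\x00")  # fake greeting
    closed_port = free_port()
    for port, state in scan("127.0.0.1", [http_port, mysql_port, closed_port]).items():
        print(f"{port:5} {state:8} {app_connect('127.0.0.1', port)}")
```

The point of the classifier is that the attacker never needs the target to speak MySQL: a "packets out of order" style message is as good an "open" signal as a successful handshake, and the refused/timeout distinction separates closed ports from filtered ones.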

3. Application with file download functionality

Here an attacker abuses the download feature to scan IPs on the network where the application server is hosted. The function that downloads a file from the server can fetch not only local files but also files from an SMB path, which helps an attacker identify the Windows machines on the network.

A web application hosted on Windows will process an SMB (UNC) path if the file download functionality uses the user input without prepending anything to it.

Guide to Exploitation of Scenario 3

4. Bypassing IP blacklisting using DNS based spoofing

The script lets the user fetch data from a remote URL, given as an IP or a domain name.

The script checks whether the user supplied "localhost", an internal IP or a reserved IP. If the domain/IP the user specified is blacklisted, the script stops without fetching the content. Because the check is applied only to the supplied string, a domain name the attacker controls whose A record points at an internal address (for example 127.0.0.1) passes the check, and the server then fetches the internal content.

Guide to Exploitation of Scenario 4

5. Bypassing IP blacklisting using the DNS rebinding technique

The application blacklists internal and private range IPs and, in addition, resolves the user-supplied domain to its IP and checks whether the resolved address is blacklisted.

In this case the DNS spoofing trick from scenario 4 no longer gives access to content on internal/reserved IPs, since the application resolves the domain and checks the resolved IP against the blacklist. The gap is that the lookup used for the check and the lookup used for the actual fetch are two separate DNS queries: an attacker-controlled DNS server with a very low TTL answers the first query with a public IP (which passes the check) and the second with the internal IP (which is then fetched).

Guide to Exploitation of Scenario 5
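The following is an added example covering scenarios 4 and 5 together; it is not the lab's code. It models three versions of the blacklist (string-only, resolve-then-check, and a hardened version that pins the checked IP) and a constructed resolver whose successive answers imitate an attacker's zero-TTL record. The domain names (evil.example, rebind.example), the public address 1.2.3.4 used as the "passes the check" answer, and the function names are all assumptions for the demo; each app_* function returns the IP the fetch would actually connect to, or None if the request is blocked.

```python
import ipaddress
from urllib.parse import urlparse


def is_blacklisted_ip(ip: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved, unspecified
    and IPv4-mapped IPv6 addresses: everything ipaddress does not call global."""
    return not ipaddress.ip_address(ip).is_global


def host_of(url: str):
    return urlparse(url).hostname


def check_string_only(url: str) -> bool:
    """Scenario 4 style check: looks only at the literal host in the URL.
    A domain name is always allowed, which is exactly the hole."""
    host = host_of(url)
    if host is None or host.lower() == "localhost":
        return False
    try:
        return not is_blacklisted_ip(host)
    except ValueError:
        return True  # not an IP literal, so treated as a harmless domain name


def make_resolver(answers: dict):
    """Constructed stand-in for DNS: each lookup of a name returns the next
    answer in its list (the last one repeats), which is what an attacker's
    zero-TTL record looks like to a client that resolves twice. IP literals
    resolve to themselves."""
    state = {name: list(ips) for name, ips in answers.items()}

    def resolve(name: str) -> str:
        try:
            ipaddress.ip_address(name)
            return name
        except ValueError:
            pass
        if name not in state:
            raise LookupError(f"no constructed DNS answer for {name}")
        queue = state[name]
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return resolve


def app_scenario4(url: str, resolve):
    """Blacklist the literal string, then connect by name."""
    if not check_string_only(url):
        return None
    return resolve(host_of(url))


def app_scenario5(url: str, resolve):
    """Also resolve the name and blacklist the answer, but then hand the *name*
    to the HTTP client, which resolves it a second time (the rebinding window)."""
    host = host_of(url)
    if not check_string_only(url):
        return None
    if is_blacklisted_ip(resolve(host)):  # first lookup: attacker answers public IP
        return None
    return resolve(host)                  # second lookup: attacker answers 127.0.0.1


def app_pinned(url: str, resolve):
    """Hardened: resolve exactly once, validate that address, and connect to that
    address (sending the original name in the Host header). There is no second
    lookup for rebinding to win. Every redirect hop must repeat this check."""
    host = host_of(url)
    if host is None or host.lower() == "localhost":
        return None
    ip = resolve(host)
    if is_blacklisted_ip(ip):
        return None
    return ip


if __name__ == "__main__":
    for label, app in (("string-only", app_scenario4), ("resolve-once", app_scenario5),
                       ("pinned", app_pinned)):
        spoof = make_resolver({"evil.example": ["127.0.0.1"]})
        rebind = make_resolver({"rebind.example": ["1.2.3.4", "127.0.0.1"]})
        print(f"{label:13} 127.0.0.1 -> {app('http://127.0.0.1/', spoof)!s:10} "
              f"evil.example -> {app('http://evil.example/', spoof)!s:10} "
              f"rebind.example -> {app('http://rebind.example/', rebind)}")
```

Pinning the address also changes what the HTTP client must do: it connects to the validated IP and sets the Host header (and, for TLS, the SNI name) itself, rather than letting the client library resolve the name again. A second lookup anywhere on the path, including inside a redirect, reopens the window.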

6. SSRF in an HTML to PDF generator script

This scenario models a web app that uses an HTML to PDF generator and passes untrusted user-supplied data into the HTML file the generator renders, so markup injected by the user is fetched and rendered by the server-side converter.

Guide to Exploitation of Scenario 6

Of course,
--==[[ With Love From IndiShell ]]==--

--==[[ Greetz To ]]==--

Guru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL

--==[[Love to]]==--

My Father, my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Hacker fantastic, Jennifer Arcuri, Thecolonial, Anurag Bhai Ji and Don(Deepika kaushik)

Docker

There is a Dockerfile in this repo that builds a vulnerable image. To build it, run: docker build -t <tag> . The Apache server listens on port 80 inside the container; publish it with the -p flag. Running docker run -p 9000:80 <tag> brings up a container reachable at localhost:9000.

More Repositories

1. CORS-vulnerable-Lab (PHP, 185 stars): Sample vulnerable code and its exploit code
2. sqlite-lab (PHP, 157 stars): This code is vulnerable to SQL Injection and uses an SQLite database. SQL Injection payloads are different for SQLite, so it is for fun. Just enjoy it \m/
3. Windows-AD-environment-related (PowerShell, 144 stars): This repository contains material related to Windows Active Directory environment exploitation
4. exploit-code-by-me (Java, 87 stars): Exploit code developed/reproduced by me
5. CORS_vulnerable_Lab-Without_Database (PHP, 64 stars)
6. LDAP-credentials-collector-backdoor-generator (PHP, 59 stars): This script generates backdoor code which logs the username and password of a user who has passed HTTP basic auth using LDAP credentials.
7. PHP-web-shells (PHP, 50 stars): When I started web application security testing, I fell in love with web shell development and designed some PHP based web shells. This repository contains all the code I released in public.
8. Local-file-disclosure-SQL-Injection-Lab (PHP, 42 stars): Sample code demonstrating how an SQL Injection vulnerability can be used to download a local file from the server under specific conditions. If you have any doubt, ping me at https://twitter.com/IndiShell1046 :)
9. axis_web_shell (18 stars): This repo contains Axis web shells
10. good-read (15 stars): Repository for study material including ebooks, URLs, web pages etc.
11. Mannu-Shell (PHP, 14 stars): Mannu Shell is a PHP web based shell meant for server side file manipulation and other tasks. It is backdoor free and user friendly.
12. Magento-shoplift-python-exploit (Python, 13 stars): Magento shoplift is a vulnerability discovered by the Check Point team (http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/). This python script was developed by joren but had a bug because of which it was not working properly. If the Magento version is vulnerable, this script creates an admin account with username forme and password forme
13. ysoserial.net-complied (C#, 10 stars): This repository contains a compiled exe of ysoserial.net (ys.exe in directory ysoserial/bin/Debug). This work belongs to @pwntester bhai ji \m/
14. hash-cracker-ICA (C, 8 stars): Just an experiment with hash cracking :) a few password lists along with some good password cracking rule sets.
15. Red_Team_Op (C#, 7 stars): Notes for the CRTO exam
16. Random (PHP, 7 stars): This repo contains random stuff
17. SQLI_b0x (PHP, 7 stars)
18. weblogic-exploits (Python, 5 stars): POC code related to Oracle WebLogic server
19. SQLI-Lab_b0x (PHP, 5 stars): This repository contains sample SQL Injection vulnerable code which is not straightforward.
20. XXE_Vulnerable_codes (PHP, 4 stars): Sample code vulnerable to XXE
21. network-wala-jugaad (4 stars)
22. sh (PowerShell, 2 stars): b374k php web shell
23. Panda-sql-injector (PHP, 2 stars): API for the SQLmap sql injection tool. This tool was developed by my friend incredible.
24. RedTeam-Tools (2 stars): Tools and Techniques for Red Team / Penetration Testing
25. mannu-shell-jump-tester (PHP, 1 star): Code for checking read permission on the website document root directory for other users in a shared server environment.
26. insert_SQLI (PHP, 1 star): SQL Injection in an Insert query. The application does not throw SQL server error messages.
27. API-Security-Checklist (1 star): Checklist of the most important security countermeasures when designing, testing, and releasing your API
28. rustdesk (Rust, 1 star): An open-source remote desktop, and alternative to TeamViewer.
29. C2-Tool-Collection (C, 1 star): A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
30. ABPTTS (Python, 1 star): TCP tunneling over HTTP/HTTPS for web application servers
31. writeups (1 star): CTF writeups and the like
32. mysql-brute-forcer (PHP, 1 star): MySQL brute forcer is a PHP based script which performs mysql user account bruteforcing locally. This code was developed by one of my friends and is for educational purposes only.