Exploiting SSRF Using Export PDF
Server-Side Request Forgery (SSRF) is an attack in which the attacker makes the server act as a proxy: the server issues a request, on the attacker's behalf, to a local or remote resource and returns the response containing that request's output.
What can be exploited using this bug?
- Port scan of the application host
- Local file read (using file://)
- Access to internal apps, services and the internal network
- RCE by chaining services on the internal network
- Reading cloud metadata/keys (AWS, Azure, Google Cloud, DigitalOcean, etc.)
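The impact list above maps directly onto what a server-side fetch must refuse: non-HTTP schemes such as file://, loopback and RFC 1918 addresses, and the link-local range that hosts the cloud metadata endpoint. The following validator is an added example (not code from the original post or from the TryHackMe room) of how an Export-to-PDF feature can vet a user-supplied URL before the renderer fetches it. Function names, the injectable resolver and the stub address table are assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

# Schemes a server-side PDF renderer has any business fetching.
# file://, gopher:// and friends are rejected before any lookup happens.
ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_address(addr: str) -> bool:
    """True if `addr` is somewhere an outbound server fetch must never go:
    loopback, RFC 1918 / ULA private space, link-local (home of the
    169.254.169.254 cloud metadata endpoint), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Resolve `host` to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(
    url: str,
    resolver: Callable[[str], list[str]] = default_resolver,
) -> tuple[bool, str, list[str]]:
    """Decide whether the renderer may fetch `url`.

    Returns (allowed, reason, addresses). On success `addresses` holds the
    vetted IPs; the caller should connect to one of those instead of
    re-resolving the name, so a changed DNS answer cannot slip past the
    check. Any redirect target must be passed through this function again.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", []
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []

    # An IP literal is checked directly; anything else goes through DNS.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            return False, f"DNS failure: {exc}", []
        if not addrs:
            return False, "host did not resolve", []

    # Every address must be acceptable: a name that resolves to one public
    # and one internal address is rejected outright, not fetched "on average".
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to forbidden address {addr}", []
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed stub resolver so the demo runs offline; the public address
    # is a sample stand-in, the other entries model an internal-pointing name.
    table = {
        "report.example": ["93.184.216.34"],
        "rebind.example": ["93.184.216.34", "10.0.0.5"],
    }
    stub = lambda h: table.get(h, [])
    for candidate in (
        "http://report.example/invoice/42",
        "file:///etc/passwd",
        "http://127.0.0.1/internal/admin.php",
        "http://169.254.169.254/",
        "http://[::ffff:10.0.0.1]/",
        "http://rebind.example/",
    ):
        print(candidate, "->", validate_fetch_url(candidate, stub))
```

The resolver is injectable so the same policy can be unit-tested without network access and so the fetch layer can reuse the vetted addresses. Rejecting a name as soon as any one of its addresses is internal is deliberate: a hostname that answers with a mix of public and private records is the classic way a validator is tricked into approving a request that the HTTP client then sends somewhere else.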
Lab Setup
To demonstrate the exploitation I am choosing an easy lab from TryHackMe, which focuses on exploiting the Export to PDF functionality.
Challenge Name/Room: Surfer
With some simple fuzzing I found, via /robots.txt, that there is a chat.txt which holds the hint to the application's default credentials. (See if you can figure them out or not!!!) Tell me the username & password if you can guess them :P
After successfully logging in we can see a dashboard with a kind of log that exposes the internal access point /internal/admin.php.
I just copied the URL for future use and fired up my Burp session to fuzz the application. See the video below for all the fuzzing and tweaking done with Burp.
In my upcoming story I will bring scenarios showcasing all possible ways of exploiting SSRF. So stay tuned.
Thank you