Demo: SSRF

Time
2 hours 9 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
>> Let's take a look at server-side request forgery. I was going to introduce a vulnerability scanning framework that I really like. It's great for bug bounty, it's great for us in the pen test world. It's called nuclei, written in Go by Project Discovery. It is an incredibly fast scanner.

As you can see here, if I'm doing a web application penetration test, I can see that this is running Solr. What I can do is I'm going to run the nuclei framework. I'm going to have my URL right here to make sure I have the right port, 8983, 8983, and I'm going to use tags for Solr. This runs on a templating engine written in YAML. It's going to find all the templates that have Solr in them. You'll see how fast this is, just pressing "Enter."

I can see here Solr exposure is medium, and it found the Solr software here, and also that it has a file read, it can read a file. If you remember in the lesson, I talked about looking at the URL, and you can see here stream URL and it's including a file in here. It says POST HTTP is pulling the /etc/passwd file. Now, what I would do to see if this was running with elevated permissions, I do /etc/shadow and see if it's verbose, and it is, so permission denied. I know that it is not allowing me. Whatever the server is running as, it's not running as root.

Now I can work backwards here: server-side request forgery, maybe this is actually looking for an internal endpoint, an internal URL. Let's see if we can reach out to mine. Now, I will say that I'm running this in a Docker, so what I need to do, because there's a whole lot of issues with inbound and outbound ports with Docker, is I need to set up another Docker instance that this might be able to reach. If I change this from file to http, 172, now this is the Docker address, 17, that's listening, 0.3, and I'm using socat, which is like Netcat, to listen on port 8880. I'll bring my listener in here, I'll press Enter. Now we see the GET request from the server, the user agent is Java, and we have the host here, which is us.

You can see here that we can use SSRF both to read files internally and to reach out externally to other websites. All that being said, we can also try to look for things internally within the server, within the network. As we can see, 172.17.0.3. This Docker here is running in, you can call it, internal networks, so I could try to find other Dockers that are running that are connected. Using an SSRF, it's pretty interesting what we can do, both reading files and also connecting to internal and external endpoints.