Basic SSRF against another back-end system | Website Security

Lab Description

Basic SSRF against another back-end system | Website Security

Today, we will solve a lab that is about basic SSRF against another back-end system. The lab has a stock check feature that fetches data from the internal system. This lab is vulnerable to SSRF, and we need to perform an internal scan. For this purpose, we are provided with the IP address 192.168.0.X, and we also need to use port 8080. For example, 192.168.0.3:8080.

Check Out: What Is Authentication Vulnerabilities

To solve the lab, we will use Burp Suite. First, we will find the correct internal IP and then access the admin panel to delete the user “carlos.”

Lab Solution

First, we will access the lab and view the details of any product

After that, we will use the check stock feature. By clicking on check stock, we will intercept the request in Burp Suite.

Basic SSRF against another back-end system | Website Security

After intercepting the request, we will send it to the Intruder. Now, we will modify the stockApi value. The internal IP address is already provided to us, which is 192.168.0.X. We do not know the value of X, so we will find it first.

stockApi=http://192.168.0.0::8080

We will modify the stockApi value as follows: “http://192.168.0.0::8080. We will replace X with 0 and also include port 8080. After that, we will add 0 to it because we need to run a brute force attack on it.

In the payload tab, we will set the payload type to numbers and the number range to 0-255 with a step of 1. After doing all this, we will start the attack.

Basic SSRF against another back-end system | Website Security

Once the attack is complete, we will get a different value, which is 404, and it will show us the IP address value. Now, we will use this IP address “https:192.168.0.9:8080” to access the internal system.

When I put the value “http://192.168.0.0::8080/” in the stockApi, nothing was shown to me. Instead, I got an error 404.

Basic SSRF against another back-end system | Website Security

However, when I added “/admin, I got access to the admin interface.

Now, we will delete the account of carlos. If we do this directly from the browser, we will get an error 404. Therefore, we will perform this process through Burp Suite.

http://192.168.0.0::8080/admin/delete?username=carlos

We will use the following URL to delete the carlos account: “http://192.168.0.0::8080/admin/delete?username=carlos

As you can see, we have successfully solved the lab called Basic SSRF against another back-end system | Website Security using Burp Suite.

Leave a Comment