
First, let me summarize how the SSRF works:

1) You set up an SVG image with a reference to your server via xlink. Here's an example that works:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
      <image height="200" width="200" xlink:href="http://EXAMPLE_SERVER/" />
    </svg>

2) You upload the image as your profile picture

3) EXAMPLE_SERVER receives the following HTTP request from the server that the image is uploaded to:

GET / HTTP/1.0
Host: EXAMPLE_SERVER
Accept-Encoding: gzip

So all I have been able to confirm is that this is indeed SSRF, as the request is coming from the server, not from my client side. However, I'm not very skilled in this area, and I don't understand how to actually exploit this.

So how do I use this to enumerate files or perform any actions that will actually make it a valid vulnerability? I do believe an is-image-present oracle could be set up, but the server I am testing doesn’t have any images on it, so this wouldn’t be a problem.

Jack
  • Is this second step originated by your browser or server? Normally upload actions or HTML serving do not trigger that kind of link; this is why I am asking. – alnbhclyn May 29 '19 at 22:11
  • @alnbhclyn Not sure I understand exactly what you're asking, but I mean the second step is clicking the upload button. – Jack May 31 '19 at 17:51
  • If this request (GET / HTTP/1.0) happened after your click (upload button), I believe the application represents it at that page. If so, you can see that request in your network tab. Could you please check: are you able to see that request in your browser's network tab? – alnbhclyn May 31 '19 at 18:45
  • @alnbhclyn I checked and I cannot see that request in the network tab – Jack May 31 '19 at 22:42
  • Perfect. Now you need to find an open port at that intranet and detect which wrappers are accepted: file:///, dict://, sftp://, ldap://, tftp://, gopher:// (check application responses / response codes / etc.), and I also believe you need to test TARGET_IP:PORT without a wrapper. This attack vector basically works as our proxy; we are able to communicate with other services. If we can find an Elasticsearch instance we can send arbitrary requests. Let me know the progress if you would like to continue. – alnbhclyn Jun 01 '19 at 00:02
  • @alnbhclyn that's the part I'm confused about. How do I use this to find open ports/protocols? – Jack Jun 01 '19 at 01:23
  • 1) You can understand firewall configurations, "which outgoing ports are accepted". Most well-structured architectures control outgoing traffic. For example, if you can say "only 53/udp", this will be precious while you are choosing the right backdoor. 2) Information leak: if you are able to read the output of the SSRF, you can read ElasticSearch / MongoDB, just call them over SSRF.... 3) If you have luck, you can find a vulnerability at those ports/protos which will be simply exploited, like shellshock. 4) If you can read local files, find a conf. Hope it is more clear now. Have a look at the xxrf-shots tool – alnbhclyn Jun 02 '19 at 21:17
  • First try to rebuild the vulnerable system (minimal working example) on your local machine and then try to develop a working exploit for that. You need to try if you can inject newline characters `\n` (-> header injection). – Awaaaaarghhh Jul 14 '20 at 03:30
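The comment thread above is about what the server-side fetcher can be made to reach: other URL schemes, and hosts and ports on the intranet. The defensive counterpart is to make the fetcher refuse those destinations before it opens a connection. The following Python is an added example and is not code from the question, the answer or any commenter: it validates an outbound URL on behalf of the image-processing code, allowing only http/https and refusing any destination that is a loopback, private, link-local or otherwise non-public address. The `resolver` parameter and the `.test` hostnames in the comments are assumptions made for illustration.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are ever fetched; file://, gopher://, dict://, ldap://
# and friends are refused before any network activity happens.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (169.254.0.0/16), shared address space,
    multicast and unspecified addresses all return False.
    """
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve_host(host: str) -> list[str]:
    """Default resolver: every address the name resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (allowed, reason). `resolver` is injectable (an assumption of this
    example) so the decision can be unit-tested without network access.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addresses:
            return False, f"{host!r} resolved to no addresses"
    # Every resolved address must be public; a single internal answer is enough to refuse.
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://93.184.216.34/", "http://127.0.0.1:9200/",
                      "file:///localPathOfImage", "http://[::1]/"):
        print(candidate, "->", check_outbound_url(candidate))
```

Two caveats belong with this check. The address that passed is the address the fetcher must connect to; re-resolving the name at connect time reopens the window for a DNS answer that changes between check and use. And if the HTTP client follows redirects, each redirect target has to go through `check_outbound_url` again, otherwise a public host can simply redirect the fetcher to an internal one.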

1 Answer


If you know or can guess the server's file system layout, then you can try loading a local image file by giving its file path in

xlink:href="localPathOfImage"

As this is an SVG file, you can also try checking for XXE, the Billion Laughs attack, etc.
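Seen from the receiving side, the answer's point (a local file path in xlink:href), the question's original finding (an http:// reference) and the answer's XXE / Billion Laughs remark are one defect: the upload pipeline accepts an SVG that refers to anything outside the document, and a DOCTYPE lets it declare entities on top. The following Python is an added example, not the answerer's or the asker's code: a stdlib-only validator for uploaded SVGs that refuses a DOCTYPE before any entity declaration is processed and flags every href/xlink:href that is not a same-document fragment or an inline raster image. The allow-list of safe href forms is an assumption of this example; the sample documents are constructed, except the first, which is the question's own SVG with its EXAMPLE_SERVER placeholder.

```python
from __future__ import annotations

import re
from xml.parsers import expat

# href values an uploaded SVG may keep (assumption of this example): same-document
# fragments and inline raster images. Anything else (http://, file://, gopher://,
# bare paths, nested data:image/svg+xml) counts as an outbound or local-file reference.
SAFE_HREF = re.compile(
    r"^(#[\w.-]*|data:image/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/=\s]*)$", re.I
)


class _Reject(Exception):
    """Raised inside a parser callback to stop parsing at the first fatal finding."""


def validate_svg(data: bytes) -> list[str]:
    """Return the findings for an uploaded SVG; an empty list means it passed.

    A DOCTYPE is refused outright when its start is seen, before any entity in
    its internal subset is declared, so neither an external entity (XXE) nor a
    recursive entity chain (Billion Laughs) is ever expanded.
    """
    findings: list[str] = []
    parser = expat.ParserCreate()  # no namespace processing: attribute names stay as written

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise _Reject(f"DOCTYPE {name!r} declared; DTDs are not accepted in uploads")

    def on_external_entity(context, base, system_id, public_id):
        # Unreachable once DOCTYPEs are rejected; kept as defence in depth.
        raise _Reject(f"external entity reference to {system_id!r}")

    def on_start_element(name, attrs):
        for attr, value in attrs.items():
            local = attr.rsplit(":", 1)[-1].lower()  # matches href, xlink:href, any:href
            if local == "href" and not SAFE_HREF.match(value.strip()):
                findings.append(
                    f"<{name}> {attr}={value!r} references a resource outside the document"
                )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except _Reject as exc:
        findings.append(str(exc))
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Convenience wrapper for an upload handler: accept only a clean document."""
    return not validate_svg(data)


# Constructed samples. SSRF_SVG is the question's own payload; the rest are made up here.
SSRF_SVG = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b'<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">'
    b'<image height="200" width="200" xlink:href="http://EXAMPLE_SERVER/" /></svg>'
)
LOCAL_PATH_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><image href="localPathOfImage"/></svg>'
XXE_SVG = (
    b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///localPathOfImage">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<defs><circle id="dot" r="2"/></defs><use href="#dot"/>'
    b'<image href="data:image/png;base64,iVBORw0KGgo="/></svg>'
)

if __name__ == "__main__":
    samples = [("ssrf", SSRF_SVG), ("local path", LOCAL_PATH_SVG),
               ("xxe", XXE_SVG), ("clean", CLEAN_SVG)]
    for label, doc in samples:
        print(f"{label:10s} ->", validate_svg(doc) or "accepted")
```

Rejecting at the DOCTYPE start rather than at each entity declaration is deliberate: the parser never reads the internal subset, so the validator's cost does not depend on what the subset contains. Excluding `data:image/svg+xml` from the allow-list matters for the same reason the outer document is checked at all: a nested SVG would otherwise carry the same external references one layer down.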