
Say I've found a perfect SSRF vulnerability in a web application that lets me send web requests to any URL, any host, any port, any scheme. I can use the file:// scheme to get the contents of local files, such as file:///C:/Windows/win.ini.

I would like to get full remote code execution though, and to do that I need to be able to write local files, to do something like create a scheduled task. (Or is there a better way to get RCE, assuming the only ports listening on the machine, other than the web server, are default Windows ones?)

My question is, using the file:// scheme, can I modify files, or just read them?

If the answer to that is no, I was thinking about doing an SMB relay attack (host a malicious SMB server on the internet, then trigger the SSRF to file://my-malicious-server/hackme, and relay the provided credentials back to the server itself). Would this work, and if so, what URL scheme could I use to establish an SMB connection with the server?

Bob

1 Answer


My question is, using the file:// scheme, can I modify files, or just read them?

A file: URI is just a way to specify a local path. Your question boils down to "using a file path, such as C:\Windows\win.ini, is there a way to modify files?" because that's all the file: URI is, a qualified path.

There's no official way to use a file: URI to edit a file. You can use it to open one - web browsers do this, for example, if you try to open a local file - and if the tool you open it in allows writing then you can do that. But in this case, "the tool you open it in" is your SSRF-vulnerable web app, which presumably does not have a way for you to write anything back (let me guess: it's an XML external entity?).

To the best of my knowledge, there's no way to get RCE on Windows via attempting to open a file (or anything else that can be grabbed via SSRF) for reading.

I was thinking about doing an SMB relay attack... Would this work

Maybe. It depends on whether the server is even able to connect to remote SMB shares (it can be, and often is, blocked at the firewall), what credentials the web app server uses when attempting to log into a remote SMB server, whether those credentials can be used for remote access to the server (and if so, with what permissions; e.g. if it's read-only access again, you gain nothing), and whether the server has any listeners you can connect to from where you are (unlikely, usually everything except the web port is behind a firewall and even the web port may be behind a load balancer and not directly reachable).

if so, what URL scheme could I use to establish an SMB connection with the server

file:///server.domain.or.hostname.or.ip/share_name/path/to/file. Just like a standard Windows networking path, except you use forward slashes and prefix with file:/

CBHacking
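The answer's central point is that a file: URI is nothing more than a qualified path, and that the same scheme can name a local file (file:///C:/Windows/win.ini) or a remote share (file://host/share/...). On the defending side, an outbound fetcher should therefore never forward the raw URL to a client library; it should classify the scheme and destination first. The following Python example is added here and is not code from the question or the answer. It shows a small classifier for the file: URI forms discussed above and an allowlist-based validator for the URLs a server-side fetcher is allowed to reach. The allowlist hosts are constructed, and the treatment of file:///host/share (first path segment taken as a host when it is not a drive letter, the form the answer gives) is an assumption, since real clients differ in how they read that form.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed allowlist: the only schemes and hosts this fetcher may reach.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}

_DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def file_url_target(url):
    """Classify a file: URI as a local path or a UNC (remote share) reference.

    Returns ("local", path) or ("unc", host, share_path).  Handles
    file:///C:/x, file://host/share/x, file:////host/share/x and, as an
    assumption matching the answer's form, file:///host/share/x.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        raise ValueError("not a file: URI")
    path = unquote(parts.path)
    if parts.netloc:                                   # file://host/share/x
        return ("unc", parts.netloc.lower(), path)
    segments = path.lstrip("/").split("/")             # drop leading slashes
    if path.startswith("//"):                          # file:////host/share/x
        return ("unc", segments[0].lower(), "/" + "/".join(segments[1:]))
    if segments and _DRIVE_RE.match(segments[0]):      # file:///C:/x
        return ("local", "/".join(segments))
    if segments and segments[0]:                       # file:///host/share/x (assumption)
        return ("unc", segments[0].lower(), "/" + "/".join(segments[1:]))
    return ("local", path)


def validate_outbound_url(url):
    """Return (allowed, reason) for a URL the application has been asked to fetch.

    Rejects file: URIs outright (naming what they would have reached), any
    scheme outside the allowlist, URLs carrying userinfo (a common source of
    parser confusion between the fetcher and the validator), literal
    non-routable addresses, and any host not on the allowlist.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        kind = file_url_target(url)
        where = f"local path {kind[1]}" if kind[0] == "local" else f"share on host {kind[1]}"
        return (False, f"file: scheme refused ({where})")
    if scheme not in ALLOWED_SCHEMES:
        return (False, f"scheme '{scheme or '<none>'}' not allowed")
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo in URL refused")
    host = parts.hostname                              # already lower-cased by urlsplit
    if not host:
        return (False, "missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                      # a name, not a literal address
    if ip is not None and not ip.is_global:
        return (False, f"literal address {ip} is not globally routable")
    if host not in ALLOWED_HOSTS:
        return (False, f"host '{host}' not in allowlist")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in (
        "file:///C:/Windows/win.ini",
        "file://my-malicious-server/hackme",
        "https://API.EXAMPLE.COM/v1/items",
        "http://api.example.com@169.254.169.254/",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

The validator is an allowlist, so an IP-literal check is a second layer rather than the primary control; a name-based allowlist still needs the fetcher to pin the resolved address it connects to, otherwise a DNS answer that changes between validation and connection (rebinding) undoes the check. The classifier exists so that a rejection log entry states what the URL would have opened, which is the detail a responder wants when reviewing SSRF attempts against a Windows host.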