SSRFun

Hello guys!

I’ve been off for a while and I’m sorry for that, but I’ll try to be more consistent regarding posts. Nooow, let’s dive in.

I was assessing a gov website. I already found some XSSes and SQLi because yeah, you know, they’re not that damn secure. As I was accessing all the website’s subdomains and just browsing them and clicking everything I saw, I noticed an odd request.

The odd request

And I thought… what the hell?! Let’s try giving it something else to try to access/pull.

Web App trying to fetch my URL

It seems it tried accessing the given link. YES!!! That might just be an SSRF. Time to really see how far I can go (obviously since the first request was for an internal IP I “scanned” that netblock).

And since usually all gateways/routers have some kind of UI that you can access on port 80, I went for another scan. Found another 2 subnets.
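The whole finding above comes down to one thing: the web app took a URL from the request and fetched it itself, without checking where that URL actually pointed, so internal IPs and neighbouring subnets were reachable through it. Below is an added example (my own code, not anything from the site in the post) of the check a fetcher like that should have done: resolve the hostname, then refuse to connect unless every resolved address is globally routable. The `STUB_TABLE` hostnames and addresses are constructed sample data so the example runs offline; `default_resolver` uses real DNS when no stub is passed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Schemes an outbound fetcher should honour; everything else (file, gopher, ftp, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample DNS data so the example runs without network access.
STUB_TABLE = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.1.2.3"],                       # RFC1918, must be refused
    "dual.example": ["93.184.216.34", "192.168.0.5"],     # one public, one private record
}


def stub_resolver(host: str) -> List[str]:
    """Offline resolver over the constructed table (unknown names do not resolve)."""
    return list(STUB_TABLE.get(host, []))


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address it currently has, using real DNS."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    RFC1918 ranges, loopback, link-local (169.254/16, fe80::/10), multicast,
    reserved space and 0.0.0.0 all return False.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Return the single public IP the fetcher may connect to, or raise ValueError.

    The caller should connect to the returned IP (sending the original Host header)
    instead of re-resolving the name, which would reopen the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        ipaddress.ip_address(host)        # IP literal: nothing to resolve
        addresses = [host]
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")
    # Every record must be public: a name with one internal and one external
    # record would otherwise let the fetcher reach the internal one on retry.
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addresses[0]


def fetch_decision(url: str,
                   resolve: Callable[[str], Iterable[str]] = default_resolver) -> Tuple[bool, str]:
    """(True, ip_to_connect_to) when the URL is safe to fetch, else (False, reason)."""
    try:
        return True, validate_fetch_url(url, resolve)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in ("http://example.com/report",
                      "http://intranet.local/",
                      "http://127.0.0.1:8080/admin",
                      "http://[::ffff:10.0.0.1]/",
                      "http://dual.example/"):
        print(candidate, "->", fetch_decision(candidate, stub_resolver))
```

The check deliberately runs on the resolved addresses rather than on the hostname string, because a hostname is just whatever the attacker's own DNS says it is; and it refuses a name that resolves to any internal record, not only when all of them are internal. It does not cover redirects: if the fetcher follows a 3xx, the redirect target needs the same check before the next connection.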

Other Subnets Discovered

As I was after the web apps, I just scanned each subnet on port 80. Came across multiple Web Apps, but the one that caught my eye was the Access Control. Yes, I was able to access it and see who, what and when accessed.

Access Control Points