This is a writeup for the “basic SSRF against another back-end system” lab from PortSwigger Academy. For this walkthrough, you’ll need to have Burp Suite set up, as well as a PortSwigger Academy account. Log in to your Academy account and then view the lab at. This is accessible from the “all labs” view or from the SSRF page. Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account.

Challenge Information

SSRF, or Server Side Request Forgery, is a way of tricking the server into sending requests on your behalf, such as to an internal host that would otherwise not be accessible to you.

For this lab, we need to find the admin portal on the internal network, then delete Carlos’ account from there.

Before we get started, make sure you have Burp Suite open and a proxy running.

Lab Solution

Here’s the website, the typical shopping site:

Click into a product and then scroll down to see the product stock checker that the lab description talks about:

Click the check stock button, then look in Burp Suite to see the request:

As before, we’ve got a stockApi value that instructs the server to send a request to an internally-accessible network. If we highlight this URL encoded value in the Burp Suite request window, then right click and select Send to Decoder, then click Smart Decode, we see that it decodes to:

This will be in the format:

Where ? is an unknown value between 0 and 255. This is what we’ll tamper with to get admin panel access.

To find this, we’ll use Burp Suite’s Intruder tool. Right-click the request in the Burp Suite Proxy > HTTP history view and select Send to Intruder:

Then, in the Intruder tab, we’ll need to modify the payload positions. First, hit Clear on the right-hand side to remove all existing payload positions, designated with a §. Then modify the request to have a payload of http%3A%2F%2F192.168.0.1%3A8080%2Fadmin, the URL-encoded version of. Next, highlight the “1” at the end of the IP, then click Add to turn it into a variable:

You’ll need to select a Payload Type of “Numbers”, then fill out the form as shown (starting at 1, ending at 255, with a step of 1):

This will make requests to all IP addresses on the 192.168.0.1/32 range, with port 8080 and endpoint /admin. Scroll through the results until you see a large response:

This payload number (192.168.0.142 in this case) corresponds to the last digit of the IP where the admin interface lives:

Now that we know where the admin panel is (192.168.0.142:8080/admin), we need to send a POST request to the delete user endpoint to delete Carlos. From looking at the “pretty” response tab, we see that this endpoint is /admin/delete&username=carlos:

Right-click the response in the HTTP History view, then Send to Repeater this time. Then modify the stockApi value to be equal to:

You will need to URL encode the :, /, & and =. You can do this in an external tool like CyberChef, or select each character individually, right-click, select Convert > URL > URL encode all characters. The result should be:

stockApi=http%3A%2F%2F192.168.0.142%3A8080%2Fadmin%2Fdelete%3fusername%3dcarlos

And then check the browser to get credit for solving the lab:
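From the application side, the stock checker is exploitable because the server fetches whatever URL arrives in stockApi. The guard below is an added example, not code from the original post or from the lab: it decodes the form body exactly as the walkthrough sends it, then rejects destinations in non-public IP ranges (the 192.168.0.x admin host) and anything not on an allowlist; the stock.example.com entry is a hypothetical placeholder for the one upstream the checker is meant to reach.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the single upstream the stock checker should call.
ALLOWED_HOSTS = {"stock.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(host: str) -> bool:
    """True if host is an IP literal outside the public ranges: private,
    loopback, link-local, reserved, etc. (e.g. 192.168.0.142 from the lab)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return not ip.is_global


def check_stock_api(form_body: str) -> tuple[bool, str]:
    """Validate the raw URL-encoded body the stock checker receives,
    e.g. 'stockApi=http%3A%2F%2F...'. Returns (allowed, reason)."""
    values = parse_qs(form_body).get("stockApi")  # parse_qs also URL-decodes
    if not values:
        return False, "stockApi parameter missing"
    try:
        parts = urlsplit(values[0])
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname or ""  # .hostname drops userinfo such as a@b and the port
    if is_internal_ip(host):
        return False, f"destination in internal range: {host}"
    # The allowlist is the real control; the range check above is defence in
    # depth. A hostname still has to be resolved and the resolved address
    # checked (and the connection pinned to it) before the fetch is made.
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the exact body used at the end of the walkthrough.
    lab_body = ("stockApi=http%3A%2F%2F192.168.0.142%3A8080"
                "%2Fadmin%2Fdelete%3fusername%3dcarlos")
    print(check_stock_api(lab_body))
    print(check_stock_api("stockApi=https%3A%2F%2Fstock.example.com%2Fstock%3FproductId%3D1"))
```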