PortSwigger Lab: SSRF with blacklist-based input filter
Lab objective
This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at `http://localhost/admin` and delete the user `carlos`. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
Official writeup
- Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
- Change the URL in the `stockApi` parameter to `http://127.0.0.1/` and observe that the request is blocked.
- Bypass the block by changing the URL to: `http://127.1/`
- Change the URL to `http://127.1/admin` and observe that the URL is blocked again.
- Obfuscate the "a" by double-URL encoding it to `%2561` to access the admin interface and delete the target user.
Lab steps
- Open the lab home page.
- Open any product detail page and find `Check stock` at the bottom.
- Capture the request with Yakit.
- Try modifying the value of the `stockApi` parameter. The response says the request was blocked for security reasons.
- Try changing `127.0.0.1` to `127.6` to bypass the filter.
- Try to access the server's admin panel directly. It is blocked for security reasons again, so the `admin` part has to be modified to get past the filter.
- Mixing upper- and lower-case letters in `admin` bypasses the filter successfully.
- Scroll down to the part of the page that handles deleting carlos. From it, the endpoint is `/admin/delete?username=carlos`.
- Append that endpoint to the URL and call it directly to delete carlos.
- The lab is solved.
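From the defender's side, the lab's lesson is that both blocks fail for the same reason: the check runs on the raw, un-normalized string. The following is an added example (not part of this writeup and not PortSwigger's lab code) that models the lab's filter as a case-sensitive substring blacklist over the raw `stockApi` value and contrasts it with an allowlist check that normalizes the host and path first. The allowed host name `stock.example.internal`, the sample URLs and the helper names are assumptions constructed for the example; the blacklist's exact contents are a model, not the lab's source.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# --- Weak defense, modelled on the lab's observed behaviour (assumption: a
# case-sensitive substring blacklist applied to the raw, still-encoded value) ---
BLOCKED_SUBSTRINGS = ("127.0.0.1", "localhost", "admin")


def blacklist_filter_allows(url: str) -> bool:
    """True if the naive blacklist would let this URL through unchanged."""
    return not any(bad in url for bad in BLOCKED_SUBSTRINGS)


# --- Hardened defense: allowlist of destinations plus normalization ---
ALLOWED_HOSTS = {"stock.example.internal"}  # hypothetical internal stock service
ALLOWED_SCHEMES = {"http", "https"}


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing: /%2561dmin -> /%61dmin -> /admin."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_internal_address(host: str) -> bool:
    """True when host is an IP literal for loopback, private, link-local or similar space.

    Shorthand forms such as 127.1 or the single number 2130706433 are normalized
    with the C library's inet_aton before classification; DNS names return False.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
        except OSError:
            return False  # not an IP literal at all, i.e. a hostname
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def allowlist_filter_allows(url: str) -> bool:
    """Accept only http(s) URLs to an allowlisted host, with the path checked after full decoding."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname or ""  # urlsplit lowercases and strips IPv6 brackets
    if is_internal_address(host):
        return False  # defense in depth: never fetch from loopback/private literals
    if host not in ALLOWED_HOSTS:
        return False
    path = fully_decode(parts.path).lower()  # case-insensitive, fully decoded
    if path.startswith("/admin"):
        return False
    return True


def compare(urls):
    """Return {url: (blacklist_verdict, allowlist_verdict)} for a batch of URLs."""
    return {u: (blacklist_filter_allows(u), allowlist_filter_allows(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample values mirroring the lab's steps.
    samples = [
        "http://stock.example.internal:8080/product/stock/check?productId=1",
        "http://127.0.0.1/",
        "http://127.1/",
        "http://127.1/admin",
        "http://127.1/Admin",
        "http://127.1/%2561dmin",
        "http://[::1]/admin",
    ]
    for url, (weak, strong) in compare(samples).items():
        print(f"{url:<70} blacklist={weak!s:<5} allowlist={strong}")
```

The blacklist passes every variant the lab uses (`127.1`, `Admin`, `%2561dmin`) because none of them contains the literal strings it looks for, while the allowlist check rejects them all and still accepts the one legitimate stock URL. In production, the allowlist should be matched against the hostname before DNS resolution and the resolved address re-checked, so that a permitted name cannot be pointed at an internal address.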