10.2 Lab: Basic SSRF against another back-end system | 2023


This lab has a stock check feature that fetches data from an internal system. Use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete carlos to solve the lab | Karthikeyan Nagaraj

Karthikeyan Nagaraj

Description

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Solution

1. Click a product and check out the stock checking functionality.
2. Capture the request; you can see that there is a parameter called stockAPI which holds an encoded string.
3. Send the request to the Decoder and click Smart decode to decode the string; it is directing to an internal page.
4. Here, instead of adding http://localhost/admin, we have to add the IP address, which ranges from 192.168.0.0 to 192.168.0.255, like http://192.168.0.X:8080/admin.
5. So, send the request to Intruder, clear the payloads, then select the X in the IP address and click Add.
6. Move to the Payloads tab and choose Numbers as the payload type.
7. Set the start value to 1, the end to 255, and the step to 1.
8. Now start the attack; you can see a 200 status code in one of the responses.
9. View the response of that request and note that the IP address is http://192.168.0.24:8080/admin.
10. Now send that request with the IP we found in Repeater.
11. Now you can see that the response is successful, and on inspecting the code you can get the URL to delete the user carlos.
12. If you are using the Professional version, you can render the response for a better result.
13. Copy the URL that we found in the 4th step's response.
14. Now paste it in the stockAPI parameter to solve the lab.
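As an added example (not part of the original writeup), this is the server-side allowlist check that would have stopped the scan above: the stock feature only fetches URLs whose scheme, host:port and path prefix match the one stock back end it is meant to call, so values such as http://192.168.0.24:8080/admin or http://localhost/admin are rejected before any request is made. The back-end host name, port and path used here are assumed placeholders, since the real lab's back end is not named on this page.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist for the stockAPI parameter (assumption: the lab's real
# stock back end is not named on this page, so a placeholder host and path are used).
ALLOWED_STOCK_BACKENDS = {("stock-api.internal.example", 8080)}
ALLOWED_PATH_PREFIX = "/stock/check"


def is_internal_address(host: str) -> bool:
    """True for 'localhost' or a literal IP in a private, loopback, link-local
    or reserved range, e.g. 192.168.0.24 from the range scanned above."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP; the allowlist below decides
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def validate_stock_api(url: str) -> tuple[bool, str]:
    """Check the user-supplied stockAPI value before the server fetches it.

    Returns (accepted, reason). Only http URLs to an allowlisted host:port and
    path prefix are accepted, so the parameter cannot be pointed at /admin on
    an internal host. Because the allowlist is by host name, a name that merely
    resolves to an internal IP is rejected too, not just literal IPs.
    """
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return False, "scheme not allowed"
    host = parsed.hostname  # lowercased; None if the URL has no authority part
    if not host:
        return False, "missing host"
    if is_internal_address(host):
        return False, "internal address"
    try:
        port = parsed.port or 80
    except ValueError:  # e.g. a non-numeric port
        return False, "invalid port"
    if (host, port) not in ALLOWED_STOCK_BACKENDS:
        return False, "host:port not on allowlist"
    if not parsed.path.startswith(ALLOWED_PATH_PREFIX):
        return False, "path not allowed"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://stock-api.internal.example:8080/stock/check?productId=1",
              "http://192.168.0.24:8080/admin", "http://localhost/admin"):
        print(u, validate_stock_api(u))
```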