.png)
3 years ago
406 BOOK THIS SPACE FOR AD
ARTICLE ADPreviously I had also found SQLi vulnerabilities on this website but this time it felt a little interesting for me to write up, and to get SSRF up to SQLi I got it only for a few hours and not for days.
Ahhh I almost forgot, for the address of this website and some sensitive data I will delete / censor.
And when I use the SQLmap tool there is info that the parameter (image) may have a “File Inclusion” vulnerability, OKkkkkk here I don’t know if this is an RFI vuln? or LFI?
I tried several times regarding the LFI payload but it didn’t work, and when I tried RFI it didn’t work either :’(
2. when I want to try RFI which I will remote from my local ip but get response “Error 524”
3. Hmmm, next I will use “Burp Collaborator Client” to try SSRF External Service Interaction
Annnndddd niiicceee, I got an HTTP request from an IP address that I don’t know where it came from…
4. When I open the IP address and there is a display like the website I’m testing, to make sure this is a real address or not (CloudFlare) you can use the “dig” command or via shodan.io
Using “dig” I found only 2 IP addresses starting with 104 and 172, what I got was 103
By using shodan.io
5. If it’s still not enough, you can use the Wappalyzer extension and check the “CDN” section
Within the protection of CloudFlare & No CloudFlare protection
6. After I was sure I got the original IP from the website, I did a little recon using dirsearch and found the (/dashboard/) folder which contains the XAMPP display and has PHPinfo open
7. And I also get the login page, used a bit of payload for SQLi bypass login but that didn’t work
8. There is a “Forgot Password” menu, I enter the original email and then I activate Intercept Burp to retrieve the request data
9. I added a single quote at the end of my email and got an error
10. i saved the request and then i run SQLMap and then i got what i was looking for!!!
Bengali (Bangladesh) · 
English (United States) ·