Routing-based SSRF

Exploitation

send any request to repeater

open burp collaborator and copy the payload

and now change the host header to the payload you copied from burp collaborator and send the request

Go back to Burp Suite’s Collaborator, and click “Poll now” for me it polled automatically

In here, we received 2 DNS lookups and 1 HTTP request.

That being said, we’re able to make the website’s middleware issue requests to an arbitrary server.

According to the lab’s background, it said:

To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos.

So, we can change the Host header’s value to 192.168.0.x. If we didn’t get “504 Gateway Timeout” HTTP status code, we found the internal admin panel:

let's send this request to intruder

when you click on start attack it will show you this warning click on ignore

click on length so we can filter the successful request

now send this request to repeater and click on follow redirection

now on the response right click -> show response in browser

copy the link and paste it in the browser

intercept the request and write carlos in the input and click on Delete user

now in repeater change the host to the ip range we get from intruder

and we have solved the challenge

hope you found this walkthrough easy to understand and follow

Greeting From Sayonara

PreviousWeb cache poisoning via ambiguous requests NextSSRF via flawed request parsing

Last updated 1 year ago

Was this helpful?