Exploitation

TODO List

  • Check for administration panels on the other ports

  • Check for internal-only functionalities

Localhost bypass

When the application allows crafting SSRF requests but restricts access to internal resources, try the following targets to bypass the input checks (filters often match only one spelling of the loopback address):

  • ::1

  • 127.0.0.1

  • localhost

  • Internal full IP

  • IPv6 internal full IP

You can also try a 302 redirect to reach internal data (this requires the victim machine to have internet access):

https://307.r3dir.me/--to/?url=http://localhost

Headless Chrome

If the SSRF function fetches pages with Headless Chrome instead of axios or curl, the fetched page's JavaScript is executed, so a crafted site can run JavaScript inside the headless browser.

CORS Chaining

If an application reachable only from the internal network has permissive CORS settings, it is possible to fetch data from it and send it to your HTTP server, even when the SSRF is blind.

SSRF leading to Arbitrary File Read

During SSRF exploitation we can try other protocols to obtain interesting data; for example, referencing local files lets us read their contents.

Other interesting protocols are:

  1. HTTP / HTTPS – most common, for accessing internal web services and metadata endpoints.

  2. FTP – can be used to read/write files or exfiltrate data.

  3. FTPS – same as FTP, but with SSL/TLS.

  4. SFTP – if supported, can be abused for file access.

  5. SMTP – sending raw emails, relaying attacks, or interacting with mail servers.

  6. IMAP / POP3 – accessing internal mail services.

  7. Gopher – powerful for smuggling raw TCP requests (classic SSRF trick).

  8. DICT – dictionary protocol; can sometimes leak responses.

Dangerous PHP protocols

Also try PHP stream wrappers when the target is a PHP application.

  • php:// (I/O streams, e.g., php://filter)

  • data:// (inline data injection)

  • expect:// (command execution in some configs)
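The following is an added example, not part of the original notes, showing the server-side check that the localhost forms, the redirect trick, the alternative protocols and the PHP wrappers listed above all rely on being absent: it allowlists the URL scheme, resolves the host and rejects every internal address (including IPv4-mapped IPv6 forms), and re-validates each redirect hop instead of letting the HTTP client follow redirects. The names check_target and fetch_checked and the fetch callback interface are my own assumptions, not a library API.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Only plain web schemes are fetched; file, gopher, dict, ftp, php:// and friends are refused outright.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def default_resolve(host):
    """Return every address the host resolves to (A and AAAA); 'localhost' and attacker DNS land here."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for loopback, RFC 1918, link-local (cloud metadata), unspecified and IPv4-mapped IPv6 forms."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is checked as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_target(url, resolve=default_resolve):
    """Return None when url may be fetched, otherwise a short rejection reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # brackets around IPv6 literals are already stripped here
    if not host:
        return "missing host"
    try:
        addrs = resolve(host)
    except OSError:
        return "cannot resolve %s" % host
    for addr in addrs:  # every resolved address must be external, not just the first one
        if is_internal(addr):
            return "%s resolves to internal address %s" % (host, addr)
    return None


def fetch_checked(url, fetch, resolve=default_resolve, max_hops=5):
    """Follow redirects by hand so each hop is validated; fetch(url) -> (status, lowercase-header dict, body)."""
    for _ in range(max_hops):
        reason = check_target(url, resolve)
        if reason:
            return ("blocked", url, reason)
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # next hop goes through check_target again
            continue
        return ("ok", url, body)
    return ("blocked", url, "too many redirects")
```

A DNS name can be rebound between the check and the fetch, so in production the fetch should connect to the address that was validated rather than resolving the name a second time.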
