SSRF with blacklist-based input filter | Dec 24, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: SSRF with blacklist-based input filter! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

Exploitation

Home page:

In the previous labs, we found that the stock check feature has a Server-Side Request Forgery(SSRF) vulnerability:

We clicked the Check stock button, it’ll send a POST request to /product/stock, with parameter stockApi, and it’s value is interesting:

URL decoded:

http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1

Now, what if I change the domain to localhost?

It gets blocked.

How about 127.0.0.1?

Same.

To bypass this filter, we can use refer to HackTricks:

Let’s use 127.1:

Hmm… Still getting blocked.

Maybe the application is checking the word admin?

If in that case, we can obfuscate that word:

Nice! We now can reach the admin panel.

Let’s delete user carlos:

We did it!

What we’ve learned:

1. SSRF with blacklist-based input filter