SSRF-Dns-Rebinding

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/ssrf-dns-rebinding?ref_type=heads

Step 1: Understand the Vulnerability

External SSRF Vulnerability (index.php):
The vulnerable code in index.php takes a host parameter from the URL, checks if it resolves to 127.0.0.1 (localhost), and if it does not, makes a request to the specified host.

Internal Document (index.html):
A simple internal document served on 127.0.0.1:8080.
3. Automation Script (automation script):
The script sets up two local PHP servers:
- One serves internal documents on 127.0.0.1:8080.
- Another serves external documents on 127.0.0.1:8081.
It then opens a URL http://127.0.0.1:8081/?host=test.com, which triggers the SSRF vulnerability in index.php.

Step 2: Create and Run the Bash Script

1.Create the Bash Script: Create a file named ssrf-dns-rebinding.sh and add the provided Bash script to it.

#!/bin/bash

# Save parameter to a temporary file (if needed for other operations)
echo $1 > _tmp/strip

# Start the internal server on port 8080
php -S 127.0.0.1:8080 -t ./ssrf-dns-rebinding/internal/ &

# Start the external server on port 8081
php -S 127.0.0.1:8081 -t ./ssrf-dns-rebinding/external/ &

# Open the URL to trigger the vulnerability
open 'http://127.0.0.1:8081/?host=test.com'

# Wait for background processes to finish
wait

2.Make the Script Executable: Change the script's permissions to make it executable.

chmod +x ssrf-dns-rebinding.sh

3. Run the script:

Internal:

Extenal:

Expected Outcomes:

By running the script and observing the expected output, you demonstrate a successful SSRF with DNS Rebinding attack. The external index.php script, due to the DNS rebinding, accesses the internal document hosted on 127.0.0.1:8080, showing how an attacker can exploit this vulnerability to access internal resources.

PreviousSQL-Injection NextServer-Side Request Forgery (SSRF)

Last updated 1 year ago