SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection


Hello, here I just want to tell about my experience finding the real IP behind CloudFlare through "SSRF External Service Interaction", getting to an admin login form, and finding a SQL Injection bug there.

Little Story

Previously I had also found SQLi vulnerabilities on this website, but this time it felt a little more interesting to write up, and getting from SSRF to SQLi took me only a few hours, not days.

Ahhh, I almost forgot: the address of this website and some sensitive data will be deleted / censored.

Enjooooyyyy

Steps to Reproduce

  1. After doing a little recon I got the endpoint (/api/resize.php?image=)

And when I used the sqlmap tool it reported that the parameter (image) might have a "File Inclusion" vulnerability. OKkkkkk, here I didn't know whether this was an RFI vuln or an LFI.

I tried several LFI payloads but they didn't work, and when I tried RFI it didn't work either :'(

2. When I tried RFI, pointing the URL at my local IP, I got an "Error 524" response. (Error 524 is Cloudflare's "A timeout occurred" status: the edge connected to the origin but did not get an HTTP response in time, which is consistent with the origin trying to fetch a URL it cannot reach.)

3. Hmmm, next I used "Burp Collaborator Client" to try SSRF External Service Interaction

Found Real IP

Annnndddd niiicceee, I got an HTTP request from an IP address that I didn't recognise...

4. When I opened the IP address, it showed the same site as the website I'm testing. To make sure whether this is the real address or not (CloudFlare), you can use the "dig" command or shodan.io

Using "dig" I found only 2 IP addresses, starting with 104 and 172; what I got from the callback started with 103. (104.16.0.0/13 and 172.64.0.0/13 are both inside Cloudflare's published IPv4 ranges, so those two are CDN edges, not the origin.)

By using shodan.io

Niceeee!!!

5. If that's still not enough, you can use the Wappalyzer extension and check the "CDN" section

Behind CloudFlare protection vs. no CloudFlare protection
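The dig check in steps 4 and 5 can be made less error-prone by testing each address against Cloudflare's published IPv4 list instead of eyeballing the first octet. The script below is an added example and is not part of the original write-up; the IP addresses in it are constructed, not the author's real values, and the Cloudflare ranges are the ones published at https://www.cloudflare.com/ips-v4 at the time of writing (re-fetch that list before relying on it). It also covers a caveat the "starts with 103" heuristic misses: several 103.x prefixes are Cloudflare's own.

```python
"""Tell Cloudflare edge addresses (what `dig` returns for a proxied site)
apart from a candidate origin address leaked through an SSRF callback."""
import ipaddress

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# embedded as constants so the check runs offline.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if `ip` lies inside one of Cloudflare's published IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def parse_dig_short(output):
    """Extract the A records from `dig +short <host>` output, skipping
    CNAME targets, blank lines and anything else that is not an IP."""
    ips = []
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        ips.append(line)
    return ips


def classify(resolved_ips, callback_ip):
    """Compare the addresses DNS returns for the site with the source IP
    that hit the out-of-band listener (Collaborator or your own server)."""
    report = {
        "resolved": {ip: is_cloudflare(ip) for ip in resolved_ips},
        "dns_all_cloudflare": all(is_cloudflare(ip) for ip in resolved_ips),
        "callback_ip": callback_ip,
        "callback_is_cloudflare": is_cloudflare(callback_ip),
    }
    # A callback from outside Cloudflare's space, while DNS only shows
    # Cloudflare edges, is a candidate origin. It stays a candidate until
    # you request the site from that IP with the real Host header and get
    # the same content back.
    report["candidate_origin"] = (
        callback_ip
        if report["dns_all_cloudflare"] and not report["callback_is_cloudflare"]
        else None
    )
    return report


# Constructed sample data (not the author's real values): two `dig +short`
# answers in 104.x and 172.x, and a callback from a 103.x address.
SAMPLE_DIG_OUTPUT = "104.21.0.1\n172.67.1.1\n"
SAMPLE_CALLBACK_IP = "103.150.10.20"

if __name__ == "__main__":
    result = classify(parse_dig_short(SAMPLE_DIG_OUTPUT), SAMPLE_CALLBACK_IP)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Caveat: a leading 103 alone does not prove "not Cloudflare";
    # 103.21.244.0/22, 103.22.200.0/22 and 103.31.4.0/22 are Cloudflare too.
    print("103.21.244.1 is Cloudflare:", is_cloudflare("103.21.244.1"))
```

Run it with `python3 check_origin.py` (hypothetical filename). A `candidate_origin` result is only a lead: confirm it by sending `curl -H "Host: <site>" http://<candidate>/` and checking that the response matches the site served through Cloudflare, which is what step 4 does by hand.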

6. After I was sure I had the original IP of the website, I did a little recon using dirsearch and found the (/dashboard/) folder, which shows the XAMPP dashboard and has phpinfo exposed

PHPinfo

7. I also got the login page and tried a few SQLi login-bypass payloads, but that didn't work

8. There is a "Forgot Password" menu. I entered the original email and then turned on Burp Intercept to capture the request

9. I added a single quote at the end of my email and got an error

10. I saved the request, then ran sqlmap against it, and I got what I was looking for!!!

I Love ittttt❤❤

Caesar Evan Santoso