SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection
Hello, here I just want to tell about my experience finding a real IP behind CloudFlare through “SSRF External Interaction”, reaching an admin login form, and finding a SQL Injection bug there.
Little Story
Previously I had also found SQLi vulnerabilities on this website, but this time it felt a little more interesting to write up: getting from SSRF to SQLi took me only a few hours, not days.
Ahhh I almost forgot: the address of this website and some sensitive data will be deleted / censored.
Steps to Reproduce
1. After doing a little recon I got the endpoint (/api/resize.php?image=)
When I ran the SQLmap tool there was info that the parameter (image) may have a “File Inclusion” vulnerability. OKkkkkk, here I didn’t know whether this was an RFI vuln or LFI.
I tried several LFI payloads but they didn’t work, and when I tried RFI it didn’t work either :’(
2. When I tried RFI pointing at my own local IP, I only got the response “Error 524”.
3. Hmmm, next I used “Burp Collaborator Client” to try SSRF External Service Interaction.
Annnndddd niiicceee, I got an HTTP request from an IP address I didn’t recognise…
4. When I opened that IP address it showed the same site I was testing. To check whether this is the real address or a CloudFlare one, you can use the “dig” command or shodan.io.
Using “dig” I found only 2 IP addresses, starting with 104 and 172; the one I got started with 103.
Checking via shodan.io:
5. If that’s still not enough, you can use the Wappalyzer extension and check the “CDN” section.
Behind CloudFlare protection vs. no CloudFlare protection:
6. After I was sure I had the original IP of the website, I did a little recon using dirsearch and found the (/dashboard/) folder, which shows the XAMPP page and has phpinfo open.
7. I also found the login page and tried a few SQLi login-bypass payloads, but that didn’t work.
8. There is a “Forgot Password” menu; I entered the original email and turned on Burp Intercept to capture the request.
9. I added a single quote at the end of my email and got an error.
10. I saved the request, ran SQLMap, and got what I was looking for!!!
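Added example (not code from the original post) for the check in step 4: instead of guessing from the first octet, compare the DNS answers and the address that hit the out-of-band listener against Cloudflare’s published IPv4 ranges, and apply the same range check on the origin side as an ingress allowlist so a leaked origin address is not directly reachable. The range list is a snapshot and the sample addresses are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges. Assumption: this is a
# point-in-time copy; refresh it from https://www.cloudflare.com/ips-v4
# before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip is inside a Cloudflare edge range. A real range check, not a
    first-octet guess: Cloudflare also owns several 103.x.x.0/22 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify_callback(dns_answers, callback_ip: str) -> str:
    """Label the address that reached the out-of-band listener.
    dns_answers: A records the public hostname resolves to (what dig shows).
    callback_ip: source address of the HTTP request the listener received."""
    if is_cloudflare_ip(callback_ip):
        return "cloudflare-edge"       # proxied; nothing leaked
    if callback_ip in dns_answers:
        return "published-address"     # already public via DNS
    return "possible-origin"           # not in DNS, not an edge: investigate


def origin_ingress_decision(src_ip: str, extra_allow=()) -> str:
    """Mitigation side: the origin accepts HTTP only from the CDN ranges plus
    explicitly listed management CIDRs. Returns 'allow' or 'deny'."""
    addr = ipaddress.ip_address(src_ip)
    if is_cloudflare_ip(src_ip):
        return "allow"
    if any(addr in ipaddress.ip_network(c) for c in extra_allow):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample values, not the real site's addresses.
    dns = ["104.21.8.8", "172.67.9.9"]
    for seen in ("104.21.8.8", "103.150.10.20", "103.21.244.9"):
        print(seen, classify_callback(dns, seen), origin_ingress_decision(seen))
```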
Reference
By the wayyy, correct me if I’m wrong about the sense of this bug~
I hope you enjoyed this writeup!!! SSSSKKKKKRRRRTTTT!!!!