SSRF External Service Interaction for Find Real IP CloudFlare and Leads to SQL Injection

My reaction when I find a case like this

Hello, here I just want to tell about my experience finding a real IP using CloudFlare through “SSRF External Interaction” and getting a form login for Admin and there is a SQL Injection bug.

Little Story

Previously I had also found SQLi vulnerabilities on this website but this time it felt a little interesting for me to write up, and to get SSRF up to SQLi I got it only for a few hours and not for days.

Ahhh I almost forgot, for the address of this website and some sensitive data I will delete / censor.

Enjooooyyyy

Steps to Reproduce

  1. After doing a little recon I get the endpoint (/api/resize.php?image=)

And when I use the SQLmap tool there is info that the parameter (image) may have a “File Inclusion” vulnerability, OKkkkkk here I don’t know if this is an RFI vuln? or LFI?

I tried several times regarding the LFI payload but it didn’t work, and when I tried RFI it didn’t work either :’(

2. when I want to try RFI which I will remote from my local ip but get response “Error 524”

3. Hmmm, next I will use “Burp Collaborator Client” to try SSRF External Service Interaction

Found Real IP

Annnndddd niiicceee, I got an HTTP request from an IP address that I don’t know where it came from…

4. When I open the IP address and there is a display like the website I’m testing, to make sure this is a real address or not (CloudFlare) you can use the “dig” command or via shodan.io

Using “dig” I found only 2 IP addresses starting with 104 and 172, what I got was 103

By using shodan.io

Niceeee!!!

5. If it’s still not enough, you can use the Wappalyzer extension and check the “CDN” section

Within the protection of CloudFlare & No CloudFlare protection

6. After I was sure I got the original IP from the website, I did a little recon using dirsearch and found the (/dashboard/) folder which contains the XAMPP display and has PHPinfo open

PHPinfo

7. And I also get the login page, used a bit of payload for SQLi bypass login but that didn’t work

8. There is a “Forgot Password” menu, I enter the original email and then I activate Intercept Burp to retrieve the request data

9. I added a single quote at the end of my email and got an error

10. i saved the request and then i run SQLMap and then i got what i was looking for!!!

I Love ittttt❤❤

No One Knows Who I Am