1
00:00:00,650 --> 00:00:01,070
Now.

2
00:00:02,390 --> 00:00:08,100
On the modern web, web applications can request data from other applications or services.

3
00:00:08,750 --> 00:00:16,040
So what this does is it triggers requesting in between web servers, and server-side request forgery, or

4
00:00:16,160 --> 00:00:22,130
SSRF, vulnerabilities occur right here at this point, at this juncture.

5
00:00:23,120 --> 00:00:29,690
So if this inter-server requesting is not implemented correctly, and there is a correct way to do it,

6
00:00:30,110 --> 00:00:34,340
an attacker may leverage SSRF to perform malicious actions.

7
00:00:35,630 --> 00:00:39,860
So somehow, if an attacker can control the parameter in such a request,

8
00:00:40,710 --> 00:00:46,500
this attacker will be able to force the application to request services available through the loopback

9
00:00:46,500 --> 00:00:47,070
interface.

10
00:00:48,130 --> 00:00:55,960
So SSRF attacks are generally used to target internal systems that are behind firewalls and are not necessarily

11
00:00:55,960 --> 00:00:58,600
accessible from the external network.

12
00:00:59,730 --> 00:01:00,930
All right, sounds intriguing.

13
00:01:01,470 --> 00:01:03,490
So let's have a look at how it works.

14
00:01:04,810 --> 00:01:06,760
So open up Kali and log in to bWAPP.

15
00:01:07,970 --> 00:01:14,990
Now open the Server-Side Request Forgery page from the drop-down menu, and here I will display the page.

16
00:01:16,380 --> 00:01:19,290
But we've got nothing to do with this page, right?

17
00:01:19,320 --> 00:01:22,290
It just shows us the way.

18
00:01:23,830 --> 00:01:32,200
So SSRF, right, is all about bypassing access controls and then making a request on behalf of the target

19
00:01:32,200 --> 00:01:35,040
server, in our case that'll be bee-box.

20
00:01:36,070 --> 00:01:43,030
So it means that we can use the target server as a proxy to request other resources on the network.

21
00:01:44,360 --> 00:01:47,780
And there are a few ways to force the target to make requests.

22
00:01:48,950 --> 00:01:57,800
RFI and XXE are some of the ways that we can force bee-box to request other resources on the network.

23
00:01:59,020 --> 00:02:01,240
So I'm going to start with RFI.

24
00:02:02,330 --> 00:02:05,930
So go to rlfi.php.

25
00:02:07,270 --> 00:02:12,040
And we know there is a file inclusion in the language parameter.

26
00:02:13,350 --> 00:02:16,440
So we can include a password file like that.

27
00:02:18,020 --> 00:02:24,710
And now we need to turn file inclusion into a mechanism that requests other resources.

28
00:02:25,050 --> 00:02:32,480
OK, for instance, we can use this payload, and it will request a page on port 22.

29
00:02:33,600 --> 00:02:34,350
Wait for a bit.

30
00:02:37,110 --> 00:02:44,340
And we get warnings which expose detailed version information, right, about the SSH service on the

31
00:02:44,340 --> 00:02:48,240
system, so that way we can learn the ports and services on the system.

32
00:02:49,620 --> 00:02:53,310
OK, so I have an evil page in my webroot directory.

33
00:02:55,610 --> 00:03:02,480
And the content is like that, because my attacking machine, Kali, is also on the same network as bee-box.

34
00:03:03,720 --> 00:03:07,920
So I can include any page or resource from Kali.

35
00:03:08,490 --> 00:03:11,760
OK, and I'm going to paste this payload.

36
00:03:14,560 --> 00:03:15,880
And you see, it works.

37
00:03:16,910 --> 00:03:18,770
So it's a simple file inclusion.

38
00:03:20,190 --> 00:03:23,910
But this time, the file is somewhere on the local network.

39
00:03:25,720 --> 00:03:27,220
OK, so go back to the terminal.

40
00:03:28,500 --> 00:03:34,470
Under the evil folder, there are three text files prepared for SSRF.

41
00:03:35,580 --> 00:03:36,950
I'm just going to show you the first one.

42
00:03:39,330 --> 00:03:43,620
So this code scans the network for these ports on line 28.

43
00:03:44,560 --> 00:03:45,790
Then prints the result.

44
00:03:46,730 --> 00:03:49,010
So we're going to use this file, so exit.

45
00:03:50,010 --> 00:03:51,690
And open Firefox.

46
00:03:53,680 --> 00:03:57,640
And we're going to use ssrf-1.txt like that.

47
00:03:58,950 --> 00:03:59,730
And perform.

48
00:04:01,670 --> 00:04:07,970
And it will perform a port scan on the target server, bee-box, but don't get confused.

49
00:04:08,810 --> 00:04:13,910
This file is also in the bWAPP directory in bee-box, right.

50
00:04:14,940 --> 00:04:19,560
However, I don't include it from there, I include it from Kali.

51
00:04:21,400 --> 00:04:25,450
OK, so you can change the IP to another one in the local network.

52
00:04:26,940 --> 00:04:29,400
And then you can scan it for these ports as well.

53
00:04:30,530 --> 00:04:33,680
So type 127.0.0.1.

54
00:04:38,170 --> 00:04:39,370
Or type localhost.

55
00:04:43,360 --> 00:04:45,970
And I can scan Kali as well.

56
00:04:49,730 --> 00:04:52,790
And look at that, only Apache is running on port 80.

57
00:04:54,580 --> 00:04:56,530
I could also scan my host.

58
00:04:57,930 --> 00:04:59,640
Wait just a bit for the results.

59
00:05:02,920 --> 00:05:04,150
OK, so here's the result.

60
00:05:05,160 --> 00:05:09,900
And I opened these ports for this purpose, and look what it discovers.

61
00:05:11,220 --> 00:05:14,370
All right, so then go back to the SSRF main page.

62
00:05:16,120 --> 00:05:22,150
All right, so the second vulnerability to request resources on the local network, I said, was

63
00:05:22,150 --> 00:05:27,130
XXE, so go to xxe-1.php.

64
00:05:28,530 --> 00:05:30,420
Then enable FoxyProxy.

65
00:05:34,610 --> 00:05:35,590
And click here.

66
00:05:36,970 --> 00:05:42,880
The request is in Burp, so send the request to Repeater and go to Repeater.

67
00:05:45,640 --> 00:05:48,250
Send the first request to check the connection.

68
00:05:49,630 --> 00:05:52,330
All right, so we have seen the XXE vulnerability.

69
00:05:53,270 --> 00:05:56,110
So if you type something, it will reflect it to you.

70
00:05:58,130 --> 00:06:02,840
OK, so instead of this XML data, I'm going to use this one.

71
00:06:04,990 --> 00:06:12,160
So it requests the robots.txt file on bee-box, but I write localhost.

72
00:06:13,880 --> 00:06:20,210
So you can change this to any IP on the local network to read, well, any other resources.

73
00:06:21,490 --> 00:06:27,690
I'm going to stop here, but you can go ahead and continue, because the rest is an XXE attack.

74
00:06:29,000 --> 00:06:33,800
So please try and go as far as you can and traverse the local network.

75
00:06:34,630 --> 00:06:35,680
I know you know how.