1
00:00:00,650 --> 00:00:01,070
Now.

2
00:00:02,420 --> 00:00:08,090
On the modern Web, web applications can request data from other applications or services.

3
00:00:08,750 --> 00:00:16,410
So what this does is trigger requests in between web servers, and server-side request forgery, or

4
00:00:16,430 --> 00:00:22,130
SSRF, vulnerabilities occur right here at this point, at this juncture.

5
00:00:23,150 --> 00:00:29,630
So if this entire server requesting is not implemented correctly, and there is a correct way to do it,

6
00:00:30,110 --> 00:00:34,310
an attacker may leverage SSRF to perform malicious actions.

7
00:00:35,630 --> 00:00:39,830
So somehow, if an attacker can control the parameter in such a request,

8
00:00:40,740 --> 00:00:46,470
this attacker will be able to force the application to request services available through the loopback

9
00:00:46,470 --> 00:00:47,040
interface.

10
00:00:48,130 --> 00:00:55,930
So SSRF attacks are generally used to target internal systems that are behind firewalls and are not necessarily

11
00:00:55,930 --> 00:00:58,570
accessible from the external network.

12
00:00:59,760 --> 00:01:00,900
All right, sounds intriguing.

13
00:01:00,930 --> 00:01:01,090
Hmm.

14
00:01:01,500 --> 00:01:03,420
So let's have a look at how it works.

15
00:01:04,810 --> 00:01:06,730
So open up Kali and log in to bWAPP.

16
00:01:08,000 --> 00:01:14,990
Now open the Server-Side Request Forgery page from the dropdown menu, and here I will display the page.

17
00:01:16,410 --> 00:01:19,230
But we've got nothing to do with this page, right?

18
00:01:19,260 --> 00:01:22,290
It just shows us the way.

19
00:01:23,830 --> 00:01:32,170
So SSRF, right, is all about bypassing access controls and then making a request on behalf of the target

20
00:01:32,170 --> 00:01:35,050
server, in our case, that'll be bee-box.
21
00:01:36,070 --> 00:01:43,030
So it means that we can use the target server as a proxy to request other resources on the network.

22
00:01:44,390 --> 00:01:47,750
And there are a few ways to force the target to make requests.

23
00:01:48,950 --> 00:01:57,800
RFI and XXE are some of the ways that we can force bee-box to bring other resources onto the network.

24
00:01:59,050 --> 00:02:01,240
So I'm going to start with RFI.

25
00:02:02,360 --> 00:02:05,930
So go to rlfi.php.

26
00:02:07,300 --> 00:02:12,010
And we know there is a file inclusion in the language parameter.

27
00:02:13,380 --> 00:02:16,410
So we could include a password file like that.

28
00:02:18,050 --> 00:02:24,650
And now we need to turn file inclusion into a mechanism that requests other resources.

29
00:02:25,040 --> 00:02:25,490
OK?

30
00:02:26,720 --> 00:02:32,450
For instance, we can use this payload, and it will request a page on port 22.

31
00:02:33,600 --> 00:02:34,320
Wait for a bit.

32
00:02:37,140 --> 00:02:44,760
And we get warnings which expose detailed version information, right, about the SSH service on the system,

33
00:02:45,450 --> 00:02:48,240
so that way we can learn the ports and services on the system.

34
00:02:49,650 --> 00:02:53,310
OK, so I have an HTML page in my web root directory.

35
00:02:55,610 --> 00:03:02,180
And the content is like that, because my attacking machine, Kali, is also on the same network as bee-

36
00:03:02,180 --> 00:03:02,480
box.

37
00:03:03,720 --> 00:03:07,950
So I can include any page or resource from Kali.

38
00:03:08,490 --> 00:03:08,870
OK.

39
00:03:09,810 --> 00:03:11,730
And I'm going to paste this payload.

40
00:03:14,590 --> 00:03:15,850
And you see, it works.

41
00:03:16,940 --> 00:03:18,740
So it's a simple file inclusion.

42
00:03:20,190 --> 00:03:23,880
But this time the file is somewhere on the local network.

43
00:03:25,750 --> 00:03:27,190
OK, so go back to the terminal.
44
00:03:28,530 --> 00:03:34,440
Under the evil folder, there are three text files prepared for SSRF.

45
00:03:35,580 --> 00:03:36,930
I'm just going to show you the first one.

46
00:03:39,330 --> 00:03:43,590
So this code scans a network for these ports on line 28.

47
00:03:44,590 --> 00:03:45,760
Then prints the result.

48
00:03:46,730 --> 00:03:48,980
So we're going to use this file, so exit.

49
00:03:50,010 --> 00:03:51,660
And open Firefox.

50
00:03:53,710 --> 00:03:57,610
And I'm going to use ssrf-1.txt, like that.

51
00:03:58,950 --> 00:03:59,700
And perform.

52
00:04:01,700 --> 00:04:07,940
And it will perform a port scan on the target server, bee-box, but don't get confused.

53
00:04:08,810 --> 00:04:13,880
This file is also in the bWAPP directory in bee-box, right?

54
00:04:14,970 --> 00:04:17,310
However, I don't include it from there.

55
00:04:17,880 --> 00:04:19,560
I include it from Kali.

56
00:04:21,430 --> 00:04:25,450
OK, so you can change the IP to another one in the local network.

57
00:04:26,940 --> 00:04:29,390
And then you can scan it for these ports as well.

58
00:04:30,560 --> 00:04:33,680
So type 127.0.0.1.

59
00:04:38,200 --> 00:04:39,340
Or type localhost.

60
00:04:43,390 --> 00:04:45,940
And I can scan Kali as well.

61
00:04:49,760 --> 00:04:52,760
And look at that, only Apache is running on port 80 now.

62
00:04:54,610 --> 00:04:56,500
I could also scan my host.

63
00:04:57,930 --> 00:04:59,610
Wait just a bit for the results.

64
00:05:02,950 --> 00:05:04,120
OK, so here's the result.

65
00:05:05,190 --> 00:05:07,080
You know, I opened these ports for this purpose.

66
00:05:07,920 --> 00:05:09,870
And look what it discovers.

67
00:05:11,250 --> 00:05:14,340
All right, so then go back to the RFI main page.

68
00:05:16,150 --> 00:05:22,660
All right, so the second vulnerability to request resources on the local network, I said, was XXE.

69
00:05:22,660 --> 00:05:27,160
Oh, go to xxe-1.php.
70
00:05:28,560 --> 00:05:30,420
Then enable FoxyProxy.

71
00:05:34,610 --> 00:05:35,570
And click here.

72
00:05:37,000 --> 00:05:42,850
The request is in Burp, so send the request to Repeater, then go to Repeater.

73
00:05:45,640 --> 00:05:48,250
Send the first request to check the connection.

74
00:05:49,660 --> 00:05:52,300
All right, so we have seen the XXE vulnerability.

75
00:05:53,270 --> 00:05:56,120
So if you type something, it will reflect it to you.

76
00:05:58,190 --> 00:06:02,810
OK, so instead of this XML data, I'm going to use this one.

77
00:06:04,990 --> 00:06:12,160
So it requests the robots.txt file on bee-box, but I write localhost.

78
00:06:13,880 --> 00:06:20,180
So you can change this to any IP on the local network to read, well, any other resources.

79
00:06:21,540 --> 00:06:27,660
I'm going to stop here, but you can go ahead and continue, because the rest is an XXE attack.

80
00:06:29,030 --> 00:06:33,800
So please try and go as far as you can and traverse in a local network.

81
00:06:34,690 --> 00:06:35,650
I know you know how.