Introduction
This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.
Solution
1. Goal
Delete user carlos using SSRF via open redirection.
2. Observe
2.1. Find the “check stock” request and send it to Repeater
Open a product detail page and click the Check stock button, then find the request in Proxy > HTTP history and send it to Repeater.

2.2. Check the “Next product” action
Notice that the product detail page has a link called Next product. If we hover over this link, a popup in the bottom left corner shows the link's URL.
Notice that the link value contains a &path= parameter; we can use it for open redirection.
2.3. Now we know
The Next product link contains a path parameter that can be used for open redirection.
3. Construct the stockApi URL for the admin page
The admin page URL will look like this:
/product/nextProduct?path=http://192.168.0.12:8080/admin
Just copy the URL from the Next product link and change the path value to http://192.168.0.12:8080/admin, as given in the lab instructions.
4. Check the admin page and find the deletion URL
The response is successful when accessing the admin page.
If we scroll to the bottom, we find the URL for deleting user carlos: http://192.168.0.12:8080/admin/delete?username=carlos

5. Delete the user Carlos
Based on the previous step, we construct the following URL to delete user carlos.
/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
Update the stockApi parameter in the request with this value and send it.
The user carlos is successfully deleted.
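The whole chain works because the stock checker validates only the URL it is first handed and then follows redirects blindly, and because nextProduct echoes any absolute URL into its Location header. The following is an added example (not code from the lab or from this write-up) that models both halves with a constructed in-memory "network": a fetcher that checks the host once versus one that re-checks it on every redirect hop, and a redirect handler that only accepts a same-site relative path. The hostname shop.example, the allowlist, and the FAKE_NET table are assumptions made up for the example; 192.168.0.12:8080 is the internal address from the lab text.

```python
"""Added example: why an initial-URL-only check fails against open-redirect
chaining, and the two fixes a defender would apply.

Assumptions (constructed for this example): the shop runs at http://shop.example,
the stock checker may only contact shop.example, and the internal admin service
sits at 192.168.0.12:8080 as in the lab description.
"""
from urllib.parse import urljoin, urlsplit

APP_BASE = "http://shop.example"     # constructed hostname
ALLOWED_HOSTS = {"shop.example"}     # the stock checker may only talk to the app itself
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: URL -> (status, Location header, body).
FAKE_NET = {
    "http://shop.example/product/stock/check?productId=1": (200, None, "stock: 42"),
    # The open redirect: nextProduct copies any absolute URL into Location.
    "http://shop.example/product/nextProduct?path=http://192.168.0.12:8080/admin":
        (302, "http://192.168.0.12:8080/admin", ""),
    "http://192.168.0.12:8080/admin": (200, None, "admin panel"),
}


def host_allowed(url):
    return urlsplit(url).hostname in ALLOWED_HOSTS


def fetch_vulnerable(stock_api, max_hops=5):
    """Checks only the first URL, then follows redirects without re-checking."""
    url = urljoin(APP_BASE, stock_api)
    if not host_allowed(url):
        return "blocked"
    for _ in range(max_hops):
        status, location, body = FAKE_NET.get(url, (404, None, "not found"))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # follows wherever Location points
            continue
        return body
    return "too many redirects"


def fetch_hardened(stock_api, max_hops=5):
    """Re-validates the host on every hop, so a redirect cannot leave the allowlist."""
    url = urljoin(APP_BASE, stock_api)
    for _ in range(max_hops):
        if not host_allowed(url):
            return "blocked"
        status, location, body = FAKE_NET.get(url, (404, None, "not found"))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return body
    return "too many redirects"


def safe_redirect_target(path):
    """Fix for the open redirect itself: accept only a same-site relative path.

    Returns the Location value to send, or None when the path must be rejected.
    """
    # Reject absolute URLs, protocol-relative //host, and the browser-tolerated /\host form.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return None
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return None
    return urljoin(APP_BASE, path)


if __name__ == "__main__":
    chained = "/product/nextProduct?path=http://192.168.0.12:8080/admin"
    print("vulnerable:", fetch_vulnerable(chained))   # reaches the admin panel
    print("hardened:  ", fetch_hardened(chained))     # blocked at the second hop
    print("redirect:  ", safe_redirect_target("http://192.168.0.12:8080/admin"))  # None
```

Either fix alone closes this lab's chain, but they protect different things: the per-hop check in the fetcher stops any redirect from reaching an internal host, while the relative-path rule in nextProduct removes the open redirect that could also be used for phishing. In a real client you would additionally resolve the hostname and reject private address ranges before connecting, since an allowlisted name can itself be pointed at an internal IP.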
Thanks for reading
