Server-Side Request Forgery (SSRF) can be a very nasty bug if you have internal resources that are protected by, for example, a .htaccess file. SSRF might allow attackers to bypass any security mechanism that prevents a resource, such as an internal admin panel or even another server, from being contacted by external sources.
THE SERVER GETS ERASED EVERY 24 HOURS
First, create a new folder. This is important! Call it “internal” or something similar. In that folder, create a file named “test.php” that contains a random string such as “gdfohijgifodhgdfgfdg”.
In the new folder, create a .htaccess file with the following content:
Order Deny,Allow
Deny from all
Allow from 172.105.55.98
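Now create a file in the server’s home directory (not in your internal directory) with the following content. Name it anything you'd like; just remember the name for later.
<?php
// Deliberately vulnerable for this exercise: fetches whatever URL the visitor supplies.
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    // The request is made by the server itself, so the target sees the server's IP address.
    $content = file_get_contents($url);
    echo $content;
} else {
    // Hint left in the page source for the exercise.
    echo "<!-- TODO: Implement the ?url= method-->";
}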
Go to https://hackxpert.com/Training/internal/index.php
Replace “internal” with the name you gave your folder.
Replace “index.php” with the name of your secret file inside the internal folder.
You will see something like “Forbidden” instead of the contents of the file. Now go to
https://hackxpert.com/Training/YOURFILE.PHP
Replace YOURFILE.PHP with the filename you chose in the home FTP directory (outside of internal). If you inspect the source code, you will see a comment pointing you to the url parameter.
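For contrast with the deliberately vulnerable fetcher in this lab, here is an added example (not part of the original lab) of the same ?url= feature with SSRF controls in place. The address allowed in the .htaccess above, 172.105.55.98, is not in a private range, so filtering private addresses alone would not protect the internal folder; the exact-match host allowlist is the control that does. ALLOWED_HOSTS, its sample hosts and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the lab's code: the same ?url= feature with SSRF controls.
// ALLOWED_HOSTS is a hypothetical allowlist; list only hosts the feature really needs.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function is_public_ipv4(string $ip): bool {
    // Rejects private (10/8, 172.16/12, 192.168/16), loopback and other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function safe_fetch(string $url): ?string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    // http(s) only: file_get_contents() would also accept file://, php://, ftp:// ...
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    // No credentials in the URL and no non-default ports.
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) return null;
    // Exact-match allowlist: the server's own hostname is simply not on it.
    if (!in_array($host, ALLOWED_HOSTS, true)) return null;
    // Resolve once, vet every address, then pin the connection to a vetted one
    // so a second DNS answer cannot redirect the request (DNS rebinding).
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) return null;
    foreach ($ips as $ip) {
        if (!is_public_ipv4($ip)) return null;
    }
    $port = $scheme === 'https' ? 443 : 80;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

if (isset($_GET['url']) && is_string($_GET['url'])) {
    $body = safe_fetch($_GET['url']);
    if ($body === null) { http_response_code(400); exit('URL not allowed'); }
    header('Content-Type: text/plain; charset=utf-8');   // never render fetched HTML
    echo $body;
}
```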