{"id":13649814,"url":"https://github.com/incredibleindishell/SSRF_Vulnerable_Lab","last_synced_at":"2025-04-22T15:31:05.244Z","repository":{"id":51311227,"uuid":"210157977","full_name":"incredibleindishell/SSRF_Vulnerable_Lab","owner":"incredibleindishell","description":"This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack","archived":false,"fork":false,"pushed_at":"2023-08-21T17:02:38.000Z","size":48175,"stargazers_count":668,"open_issues_count":2,"forks_count":175,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-11-03T05:32:39.177Z","etag":null,"topics":["attack","exploitation","hacking","lab","server-side-request-forgery","ssrf","web-security"],"latest_commit_sha":null,"homepage":"https://www.mannulinux.org","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/incredibleindishell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-09-22T14:09:41.000Z","updated_at":"2024-10-27T15:00:55.000Z","dependencies_parsed_at":"2024-01-14T12:29:49.707Z","dependency_job_id":null,"html_url":"https://github.com/incredibleindishell/SSRF_Vulnerable_Lab","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FSSRF_Vulnerable_Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FSSRF_Vulnerable_Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FSSRF_Vulnerable_Lab/releases","ma
nifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FSSRF_Vulnerable_Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/incredibleindishell","download_url":"https://codeload.github.com/incredibleindishell/SSRF_Vulnerable_Lab/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223900372,"owners_count":17222028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","exploitation","hacking","lab","server-side-request-forgery","ssrf","web-security"],"created_at":"2024-08-02T02:00:26.286Z","updated_at":"2025-04-22T15:31:05.229Z","avatar_url":"https://github.com/incredibleindishell.png","language":"PHP","funding_links":[],"categories":["OWASP Top 10","PHP","PHP (184)"],"sub_categories":["Server Side Request Forgery"],"readme":"# Server-Side Request Forgery (SSRF) vulnerable Lab\nThis repository contains PHP code which is vulnerable to Server-Side Request Forgery (SSRF) attacks.\n\nI would like to say Thank You to @albinowax, AKReddy, Vivek Sir (For being great personalities who always supported me), Andrew Sir - @vanderaj (for his encouraging words) and those researchers who contributed in DNS rebinding attack based research \n\n![](https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/master/www/images/SSRF_Vulnerable_Lab.png)\n\nThe vulnerable code is meant to demonstrate SSRF for the 5 scenarios mentioned below:\n\n
\u003cb\u003e 1. Application code that fetches and displays the content of the specified file\u003c/b\u003e\n\nIn programming languages, there are functions which can fetch the contents of a locally saved file. These functions may be capable of fetching content from remote URLs as well as local files (e.g. file_get_contents in PHP).\n\nThis functionality can be abused if the application does not prepend any string to the user-supplied data before fetching the content from a file, i.e. the application does not prepend any directory name or path to the user-supplied data.\n\nIn this case, the data fetching function can process schemes like \"http://\" or \"file://\". When the user specifies a remote URL such as \"http://localhost\" in place of a file name, the data fetching function retrieves the data from the specified URL.\n\nIf the application prepends any string (for example a directory name) to the user data, the \"http://\" or \"file://\" scheme won't work and exploitation of the SSRF vulnerability is not possible.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/file_content_fetch\"\u003eGuide to Exploitation of Scenario 1\u003c/a\u003e\n\n
\u003cb\u003e 2. Application provides interface to connect to Remote Host\u003c/b\u003e\n\nThe web application has interfaces that allow a user to specify any IP with any port. Here the application has functionality which tries to connect to a service like \"MySQL\", \"LDAP\" etc.\n\nThe application expects the user to specify the remote server hostname/IP, username and password in input fields. The application then tries to connect to the remote server over the specified port. In this scenario the application tries to communicate with a remote service listening on a specific port. When the vulnerable code has functionality to connect to a server like MySQL and the user specifies the SMB port, the vulnerable application will try to communicate with the SMB service using MySQL protocol packets. Even though the port is open, we are not able to communicate with the service due to the difference in protocol.\n\nThis behaviour can be exploited to perform internal network scanning, not just to enumerate live IPs but also the open ports on those IPs.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/Remote_host_connect_interface\"\u003eGuide to Exploitation of Scenario 2\u003c/a\u003e\n\n
\u003cb\u003e 3. Application with File Download Functionality\u003c/b\u003e\n\nIn this case, an attacker can exploit this functionality to perform IP scanning inside the network where the application server is hosted.\nThe function which downloads a file from the server can download a file not just from the local server but also from an SMB path. This can help an attacker figure out the Windows-based machines in the network.\n\nA web application hosted on Windows will process an SMB path as well if the file download functionality processes user input without prepending any data.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/File_Download\"\u003eGuide to Exploitation of Scenario 3\u003c/a\u003e\n\n
\u003cb\u003e 4. Bypassing IP blacklisting using DNS Based Spoofing\u003c/b\u003e\n\nThe script has functionality which allows the user to fetch data from a remote URL. The user needs to specify the remote URL with any IP or domain name.\n\nThe script checks whether the user has specified \"localhost\", an internal IP or a reserved IP as input. If the domain/IP specified by the user is blacklisted, the script will not fetch the content and stops processing.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/DNS-Spoofing-based-Bypass\"\u003eGuide to Exploitation of Scenario 4\u003c/a\u003e\n\n
\u003cb\u003e 5. Bypassing IP blacklisting using DNS Rebinding Technique\u003c/b\u003e\n\nThe application has implemented blacklisting not just of internal and private range IPs, but also resolves the user-supplied domain to its IP and checks again whether the resolved IP is blacklisted.\n\nIn this case, the DNS-based spoofing trick will also not work to access content hosted on an internal/reserved IP. The application code resolves the domain to its IP and performs the blacklisted IP check again for the resolved IP.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/DNS%20Rebinding%20based%20Bypass\"\u003eGuide to Exploitation of Scenario 5\u003c/a\u003e\n\n
\u003cb\u003e 6. SSRF in HTML to PDF generator script\u003c/b\u003e\n\nThis is the scenario of a web app which uses an HTML to PDF generator script and passes untrusted user-supplied data into the HTML file that is processed by the HTML to PDF generator.\n\n\u003ca href=\"https://github.com/incredibleindishell/SSRF_Vulnerable_Lab/blob/master/www/pdf_generator/\"\u003eGuide to Exploitation of Scenario 6\u003c/a\u003e\n\nOf course,\u003cbr\u003e\u003cb\u003e--==[[ With Love From IndiShell ]]==--\u003c/b\u003e \u003cimg src=\"https://web.archive.org/web/20140704135452/freesmileys.org/smileys/smiley-flag010.gif\"\u003e\n\n\n\n--==[[ Greetz To ]]==--\n\n\tGuru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,\n\tSilent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,\n\tHackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256\n\tKetan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL\n\n--==[[Love to]]==--\n\n\tMy Father, my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP\n\tMohit, Ffe, Shardhanand, Budhaoo, Hacker fantastic, Jennifer Arcuri, Thecolonial, Anurag Bhai Ji and Don(Deepika kaushik)\n\n\n
## Docker\nThere is a [Dockerfile](./Dockerfile) in this repo that will spin up a vulnerable [docker](https://docker.com) image.\nTo build it, simply run `docker build -t \u003ctag\u003e .`.\nThe Apache server is running on port 80 inside the container.\nExpose it with the `-p` flag.\nRunning it with `docker run -p 9000:80 \u003ctag\u003e` will bring up a container listening on [localhost:9000](http://localhost:9000).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fincredibleindishell%2FSSRF_Vulnerable_Lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fincredibleindishell%2FSSRF_Vulnerable_Lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fincredibleindishell%2FSSRF_Vulnerable_Lab/lists"}