├── Dockerfile
├── Host_header
    ├── README.md
    ├── default
    └── images
    │   ├── Nginx_config.png
    │   ├── SSRF.png
    │   ├── actual_request.png
    │   └── readme.md
├── LICENSE.md
├── README.md
└── www
    ├── DNS Rebinding based Bypass
        ├── README.md
        └── images
        │   ├── DNS_Rebinding_Attack_1.png
        │   ├── DNS_Rebinding_Attack_10.png
        │   ├── DNS_Rebinding_Attack_11.png
        │   ├── DNS_Rebinding_Attack_12.png
        │   ├── DNS_Rebinding_Attack_13.png
        │   ├── DNS_Rebinding_Attack_2.png
        │   ├── DNS_Rebinding_Attack_3.png
        │   ├── DNS_Rebinding_Attack_4.png
        │   ├── DNS_Rebinding_Attack_5.png
        │   ├── DNS_Rebinding_Attack_6.png
        │   ├── DNS_Rebinding_Attack_7.png
        │   ├── DNS_Rebinding_Attack_8.png
        │   ├── DNS_Rebinding_Attack_9.png
        │   └── README.md
    ├── DNS-Spoofing-based-Bypass
        ├── README.md
        └── images
        │   ├── README.md
        │   ├── dns spoofing 1.png
        │   ├── dns spoofing 2.png
        │   ├── dns spoofing 3.png
        │   ├── dns spoofing 4.png
        │   ├── dns spoofing 5.png
        │   ├── dns spoofing 6.png
        │   └── dns spoofing 7.png
    ├── File_Download
        ├── README.md
        └── images
        │   ├── README.md
        │   ├── file_download_1.png
        │   ├── file_download_10.png
        │   ├── file_download_11.png
        │   ├── file_download_2.png
        │   ├── file_download_3.png
        │   ├── file_download_4.png
        │   ├── file_download_6.png
        │   ├── file_download_7.png
        │   ├── file_download_8.png
        │   └── file_download_9.png
    ├── Remote_host_connect_interface
        ├── README.md
        └── images
        │   ├── MySQL_Connect_1.png
        │   ├── MySQL_Connect_2.png
        │   ├── MySQL_Connect_3.png
        │   ├── MySQL_Connect_4.png
        │   ├── MySQL_Connect_5.png
        │   ├── MySQL_Connect_6.png
        │   ├── MySQL_Connect_7.png
        │   └── README.md
    ├── XML
        ├── images
        │   └── README.md
        ├── sample_upload.xml
        └── ssrf_using_xxe.xml
    ├── all.css
    ├── dns-spoofing.php
    ├── dns_rebinding.php
    ├── download.php
    ├── file_content_fetch
        ├── README.md
        └── images
        │   ├── README.md
        │   ├── file1.png
        │   ├── file2.png
        │   ├── file3.png
        │   ├── file4.png
        │   ├── file5.png
        │   └── file6.png
    ├── file_get_content.php
    ├── head.php
    ├── images
        ├── README.md
        ├── SSRF_Vulnerable_Lab.png
        ├── head.jpg
        ├── indishell.jpg
        ├── matrix2.gif
        ├── ssrf_lab.gif
        └── who.jpg
    ├── index.php
    ├── local.txt
    ├── pdf_generator
        ├── images
        │   ├── README.md
        │   ├── w1.png
        │   ├── w2.png
        │   ├── w3.png
        │   ├── w4.png
        │   ├── w5.png
        │   ├── wk1.png
        │   ├── wk2.png
        │   ├── wk3.png
        │   └── wk4.png
        ├── readme.md
        └── weasy.py
    ├── pdf_ssrf_weasyprint.php
    ├── pdf_ssrf_wkhtmltopdf.php
    ├── sql_connect.php
    └── xml_ssrf.php


/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM php:7.2-apache
 2 | 
 3 | RUN apt update && apt install -y xvfb libfontconfig wkhtmltopdf build-essential python-dev python-pip python-cffi libcairo2 libpango1.0-0 libpangocairo-1.0.0 libgdk-pixbuf2.0-0 libffi-dev shared-mime-info && python2 -m pip install "weasyprint<43"
 4 | 
 5 | 
 6 | RUN docker-php-ext-install mysqli pdo pdo_mysql && docker-php-ext-enable mysqli 
 7 | RUN  chown www-data:www-data /var/www/html/
 8 | 
 9 | ADD www /var/www/html/
10 | 
11 | 
12 | EXPOSE 80
13 | CMD ["apache2ctl", "-D", "FOREGROUND"]
14 | 


--------------------------------------------------------------------------------
/Host_header/README.md:
--------------------------------------------------------------------------------
 1 | ### Description: 
 2 | 
 3 | This is a Host-header based SSRF example. In this type of SSRF, any IP/Hostname entered in the host header is parsed by the vulnerable server.
 4 | The vunerable server ends up routing the request to the specified domain/IP and retrieves the contents, returning them in the HTTP response. This type of misconfiguration can easily be exploited to exfiltrate data from sensitive locations (e.g. Internal locations, AWS metadata, local files, etc.)
 5 | 
 6 | This misconfiguration is usually seen in web servers that act like a proxy, such as Squid proxy, Nginx and Apache.
 7 | 
 8 | 
 9 | <h3>1. Install NGINX web server in Ubuntu machine:</h3>
10 | 
11 |       apt-get install nginx
12 | 
13 | <h3>2. Replace the content of below mentioned file with this <a href="https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/master/Host_header/default">NGINX web server Default file</a>:</h3>
14 | 
15 | 
16 |       /etc/nginx/site-available/default
17 | 
18 | <img src="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab/raw/master/Host_header/images/Nginx_config.png"/>
19 | 
20 | <h3>3. Reload NGINX web server using below mentioned command:</h3>
21 | 
22 |       service nginx reload
23 | 
24 | <h3>4. Server-side request forgery exploitation:</h3>
25 | 
26 | In Burp suite, send request to repeater tab and click `Send` button:
27 | 
28 | <img src="https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/master/Host_header/images/actual_request.png" />
29 | 
30 | Now, when we change the value of `Host` header with some other hostname/IP (192.168.56.104 in this case), web proxy server makes HTTP request to that host and returns HTTP response from that host: 
31 | 
32 | <img src="https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/master/Host_header/images/SSRF.png" />
33 | 
34 | ./init 0
35 | 


--------------------------------------------------------------------------------
/Host_header/default:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | server {
 4 |         listen 80 default_server;
 5 |         listen [::]:80 default_server;
 6 | 
 7 | 
 8 |         root /usr/share/nginx/html;
 9 | 
10 |         # Add index.php to the list if you are using PHP
11 |         index index.html index.htm index.nginx-debian.html;
12 | 
13 |         server_name _;
14 | 
15 |         location / {
16 |                 
17 | 
18 |                 resolver 8.8.8.8;
19 |                         default_type "";
20 |                         if ($http_host != $server_addr)
21 |                                 {
22 | 
23 |                                         proxy_pass $scheme://$http_host$uri$is_args$args;
24 |                                 }
25 | 
26 |         }
27 | 
28 |      
29 | }
30 | 
31 | 
32 | 


--------------------------------------------------------------------------------
/Host_header/images/Nginx_config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/Host_header/images/Nginx_config.png


--------------------------------------------------------------------------------
/Host_header/images/SSRF.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/Host_header/images/SSRF.png


--------------------------------------------------------------------------------
/Host_header/images/actual_request.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/Host_header/images/actual_request.png


--------------------------------------------------------------------------------
/Host_header/images/readme.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 incredibleindishell and contributors
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Server-Side Request Forgery (SSRF) vulnerable Lab
 2 | This repository contain PHP codes which are vulnerable to Server-Side Request Forgery (SSRF) attack.
 3 | 
 4 | I would like to say Thank You to @albinowax, AKReddy, Vivek Sir (For being great personalities who always supported me), Andrew Sir - @vanderaj (for his encouraging words) and those researchers who contirubuted in DNS rebinding attack based research 
 5 | 
 6 | ![](https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/master/www/images/SSRF_Vulnerable_Lab.png)
 7 | 
 8 | Vulnerable codes are meant to demonstrate SSRF for below mentioned 5 scenarios:
 9 | 
10 | <b> 1. Application code that fetches and display the content of the specified file</b>
11 | 
12 | In programming languages, there are functions which can fetch the contents of locally saved file. These functions may be capable of fetching the content from remote URLs as well local files (e.g file_get_contents in PHP).
13 | 
14 | This functionality can be abused if application is not prepending any string to the user supplied data to fetch the content from a file i.e application is not prepeding and directory name or path to the user supplied data. 
15 | 
16 | In this case, these data fetching function can process the schemes like "http://" or "file://". When user specifies the remote URL in place of file name like "http://localhost", the data fetching function extract the data from the specified URL.
17 | 
18 | In case if application is prepending any data string (for example any directory name) to user data, "http://" or "file://" scheme won't work and exploitation of SSRF vulnerability is not possible.
19 | 
20 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/file_content_fetch">Guide to Exploitation of Scenario 1</a>
21 | 
22 | <b> 2. Application provides interface to connect to Remote Host</b>
23 | 
24 | Web application has interfaces that allow an user to specify the any IP with any port. Here the application has functionality which tries to connect to service like "MySQL", "LDAP" etc.
25 | 
26 | Application expects user to specify the remote server hostname/IP, username and password in input fields. Application then tries to connect to the remote server over specified port. Here in this scenario, application tries to communicate to remote service listening on specific port. When vulnerable code has functionality to connect to server like MySQL and user specified the SMB port, vulnerable application will try to communicate to SMB servie using MySQL server service packets. Even though, the port is open, we are not able to communicate to the service due to difference in way of communication.
27 | 
28 | This behaviour can be exploited to perform internal network scanning not just to enumerate IPs but Ports as well on those live IPs.
29 | 
30 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/Remote_host_connect_interface">Guide to Exploitation of Scenario 2</a>
31 | 
32 | <b> 3. Application with File Download Functionality</b>
33 | 
34 | In this case, an attacker can exploit this functionality to perform IP scanning inside the network where application server is hosted.
35 | The function which performs the task of downloading file from server, can download file not just from local server but also from SMB path as well. This is something which can help an attacker to figure out the Windows based machines in the network.
36 | 
37 | Web application hosted on Windows OS will process the SMB path as well if file download functionality is processing user input without prepending any data.
38 | 
39 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/File_Download">Guide to Exploitation of Scenario 3</a>
40 | 
41 | <b> 4. Bypassing IP blacklisting using DNS Based Spoofing</b>
42 | 
43 | The script has funcionality which allow user to fetch data from remote URL. User need to specify the remote URL with any IP or domain name.
44 | 
45 | The script perform check if user has specified the input as "localhost", "Internal IPs" or "Reserved IPs". If domain/IP specified by user is blacklisted, script will not fetch the content and stop processing. 
46 | 
47 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/DNS-Spoofing-based-Bypass">Guide to Exploitation of Scenario 4</a>
48 | 
49 | <b> 5. Bypassing IP blacklisting using DNS Rebinding Technique</b>
50 | 
51 | Application has implemented black listing of not just internal and private range IPs but also rsolve the user supplied domain to its IP and again perform check if resolved is black listed or not.
52 | 
53 | In this case, DNS based spoofing trick will also not work to access the content hosted on internal/Reserved IP. Application code perform domain resolution to its IP and again perform black listed IP check for the resolved IP. 
54 | 
55 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_lab/tree/master/www/DNS%20Rebinding%20based%20Bypass">Guide to Exploitation of Scenario 5</a>
56 | 
57 | <b> 6. SSRF in HTML to PDF generator script</b>
58 | 
59 | This the scenrio of the web app which is using HTML to PDF generator script and passing untrusted user supplied data to HTML file which is processed by HTML to PDF generator.
60 | 
61 | <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab/blob/master/www/pdf_generator/">Guide to Exploitation of Scenario 6</a>
62 | 
63 | Ofcourse,<br><b>--==[[ With Love From IndiShell ]]==--</b> <img src="https://web.archive.org/web/20140704135452/freesmileys.org/smileys/smiley-flag010.gif">
64 | 
65 | 
66 | 
67 | --==[[ Greetz To ]]==--
68 | 
69 | 	Guru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
70 | 	Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
71 | 	Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
72 | 	Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL
73 | 
74 | --==[[Love to]]==--
75 | 
76 | 	My Father, my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
77 | 	Mohit, Ffe, Shardhanand, Budhaoo, Hacker fantastic, Jennifer Arcuri, Thecolonial, Anurag Bhai Ji and Don(Deepika kaushik)
78 | 
79 | 
80 | ## Docker
81 | There is a [Dockerfile](./Dockerfile) in this repo that will spin up a vulnerable [docker](https://docker.com) image.
82 | To build it, simply run `docker build -t <tag> .`.
83 | The Apache server is running on port 80 inside the container.
84 | Expose it with the `-p` flag.
85 | Running it with `docker run -p 9000:80 <tag>` will bring up a container listening on [localhost:9000](http://localhost:9000).
86 | 


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/README.md:
--------------------------------------------------------------------------------
 1 | # DNS Rebinding based Bypass 
 2 | 
 3 | Exploitation Difficulty : Medium
 4 | This is the advanced example of Server-Side Request Forgery (SSRF) attack exploitation. Application code has check for user input data and process if and only domain/IP is not black listed.
 5 | Attacker need to bypass this protection via DNS rebinding Attack. 
 6 | 
 7 | <h4><b>Issue observation and exploitation scenario</b></h4>
 8 | When application has implemented black listing of not just internal and private range IPs but also rsolve the user supplied domain to its IP and again perform check if resolved is black listed or not.
 9 | 
10 | In this case, DNS based spoofing trick will also not work to access the content hosted on internal/Reserved IP. 
11 | Application code perform domain resolution to its IP and again perform black listed IP check for the resolved IP.
12 | 
13 | 
14 | <h4><b>Vulnerable Script exploitation</b></h4>
15 | In this example, application has functionality to fetch and display the content of the remotly hosted file. Application has file "box.txt" hosted on internal URL "http://127.0.0.1/box.txt".
16 | 
17 | <h4><b>Web application default functionality</b></h4>
18 | Application code allow a user to fetch the content of remotly hosted file from an IP or Domain. 
19 | 
20 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_1.png?raw=true)
21 | 
22 | Application perform check if specified domain or IP is in blacklist or not. If Domain is not black listed, application fetch and serve the content of the remote URL.
23 | 
24 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_2.png?raw=true)
25 | 
26 | Application do not allow user to fetch the content from Internal/Reserved IP range. When user try to access the files hosted on internal IP, code perform check.
27 | 
28 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_3.png?raw=true)
29 | 
30 | Request will net get processed if user specified IP found in blacklist.
31 | 
32 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_4.png?raw=true)
33 | 
34 | Application do not relaying on IP based check. It also perform check to which IP user specified Domain name is pointing to.
35 | In this case, Domain name "b0x.mannulinux.org" is pointing to IP "127.0.0.1"
36 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_5.png?raw=true)
37 | 
38 | User trying to access the content of the file hosted on URL "127.0.0.1/box.txt" by trying DNS based Spoofing trick and ask application to fetch the content from URL "b0x.mannulinux.org". As, "b0x.mannulinux.org" is pointing to "127.0.0.1", the URL "b0x.mannulinux.org/box.txt" pointing to "127.0.0.1/box.txt"
39 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_6.png?raw=true)
40 | 
41 | Application code resolved the user specified Domain name to the IP and blacked the processing because resolved IP is in blacklist. 
42 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_7.png?raw=true)
43 | 
44 | 
45 | <h4><b>DNS Rebind Technique</b></h4>
46 | DNS Rebinding technique is the one in which Web Browser or Web Server is tricked to make request to the already resolved Domain and this time DNS return different IP then the one which was provided previously.
47 | In this attack technique, user bind a Sub-Domain to 2 different IPs or use malicious DNS server which is capable of changing the Domain IP address inbetween 2 different IPs. 
48 | 
49 | <b>Time To Live (TTL) for a DNS entry</b>
50 | 
51 | When user specify the web application sub-domain entry, user can specify the "TTL" value atleast 1 minute. This attribute instruct web server or browser that the resolved IP for the Domain will be valid of this time period only and need to make another DNS request when domain need to be accessed. 
52 | 
53 | Here, attacker will configure the both the IPs of Sub-Domain/Domain with "TTL" 1 minute. Now, DNS will server different-2 IP when web server is going to make request after difference of 1 minute due to the "TTL" and 2 IPs binded to it.
54 | 
55 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_13.png?raw=true)
56 | 
57 | This behavior will help in bypassing the security check in the code. Application code has 2 different code sections:
58 |   1) Application first code section is meant for performing the check if IP/Domain is in blacklist or not. If IP or Domain IP resloved, is in blacklist, application will stop the further processing.
59 |   
60 |   2) Second code section is the one which come in action once security check has been passed by IP/Domain. This code section perform the further functionality. In this script, code is fetching the content from the specified URL.
61 |   
62 |  <h4><b>Attack Scenario outline</b></h4>
63 |   
64 |   -> Web application expect user to specify a Domain 
65 |   
66 |  -> User specify the domain which has 2 IPs binded to it in DNS server.
67 |  
68 |  -> Application process the user request and resolve the domain to Blocked IP (127.0.0.1 in this case) and prompt with error message.
69 |  
70 |  -> User keep try to trigger same HTTP request again and again. When TTL expire for the Domain IP, Web server will resolve the IP again.
71 |  
72 |  -> Now, web server will request DNS server to resolve the IP of the domain and this time DNS return different IP which is not blacklisted (8.8.8.8).
73 |  
74 |  -> Security check will get pass and application will continue the process to fetch the content from the specified URL.
75 |  
76 |  -> Data fetching functiona will resolve the IP of the Domain and get the blacklisted IP (127.0.0.1). As now, security check has been passed, application wont stop processing and will fetch the content from the blacklisted IP.
77 |  
78 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS%20Rebinding%20based%20Bypass/images/DNS_Rebinding_Attack_12.png?raw=true) 
79 | 
80 | ./thanks
81 | 


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_1.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_10.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_11.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_12.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_13.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_2.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_3.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_4.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_5.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_6.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_7.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_8.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS Rebinding based Bypass/images/DNS_Rebinding_Attack_9.png


--------------------------------------------------------------------------------
/www/DNS Rebinding based Bypass/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/README.md:
--------------------------------------------------------------------------------
 1 | # DNS Based Spoofing (dns-spoofing.php)
 2 |   
 3 | The script has funcionality which allow user to fetch data from remote URL. User need to specify the remote URL with any IP or domain name.
 4 |   
 5 |   ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%201.png?raw=true)
 6 |   
 7 | This script perform check if user has specified the input as "localhost", "Internal IPs" or "Reserved IPs". If domain/IP spcified by user is blacklisted, script will not fetch the content and stop processing.
 8 | 
 9 | <h4><b>Fetching data from remote domain</b></h4>
10 | 
11 | In below example, user spcified the remote application URL as "https://www.google.com" and script fetched the data from the URL.
12 | 
13 |  ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%202.png?raw=true)
14 |  
15 |  <h4><b>Script behavior when user try to access blacklisted IP</b></h4>
16 |   
17 |   We have a file "box.txt" hosted on local server where script is hosted and URL is "http://127.0.0.1/box.txt"
18 |   
19 |   ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%203.png?raw=true)
20 |  
21 |   Now, when a user try to access the file "box.txt" by specifying the URL to local IP, script perform check and block it.
22 |   
23 |   ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%204.png?raw=true)
24 |  
25 |  Or when user try to access reserved IPs, script will block them too.
26 |  
27 |  ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%205.png?raw=true)
28 |  
29 |  In this case, malicious user can use "DNS Based spoofing" to bind internal IP with a domain name. In DNS server, malicious user need to point the domain name to the IP which is blacklisted.
30 |  
31 |  For example, in this case user is trying to access the internal IP "127.0.0.1" and reserved IP "169.254.169.254". I created 2 enteries for the these 2 IPs and pointed the domain name "b0x.mannulinux.org", "gcp.mannulinux.org" to "internal IP" and "reserved IP" respectively.
32 |  
33 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%206.png?raw=true)
34 |  
35 | In above example, nslookup command is showing that domain "box.mannulinux.org" is pointing to IP "127.0.0.1". 
36 | 
37 | Now, attacker can trick script to access locally hosted file "box.txt" by specifying the URL like "http://b0x.mannulinux.org/box.txt".
38 | When script will perform check, domain "box.mannulinux.org" is not part of blacklist and will proceed for fetching content of the file "box.txt" from from domain "b0x.mannulinux.org".
39 | 
40 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/DNS-Spoofing-based-Bypass/images/dns%20spoofing%207.png?raw=true)
41 |  
42 | This is how an attacker can bypass the weakly implemented Domain/IP blacklisting.
43 | 
44 | ./Thanks 
45 | 


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 1.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 2.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 3.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 4.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 5.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 6.png


--------------------------------------------------------------------------------
/www/DNS-Spoofing-based-Bypass/images/dns spoofing 7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/DNS-Spoofing-based-Bypass/images/dns spoofing 7.png


--------------------------------------------------------------------------------
/www/File_Download/README.md:
--------------------------------------------------------------------------------
 1 | # SSRF in File Download Functionality 
 2 | 
 3 | <b>Diffeculty Level: Easy</b>
 4 | 
 5 | Web application has file download functionality which expect file name as user input. Application process the file name specified by the user and search it in the internal directory. Application fecth the content of the file and prompt user with file download message box.
 6 | 
 7 | <h4><b>Issue observation and exploitation scenario</b></h4>
 8 |  In this case, an attacker can exploit this functionality to perform IP scanning inside the network where application server is hosted. 
 9 | 
10 | The function which performs the task of downloding file from server, can download file not just from local server but also from <b>SMB</b> path as well. This is something which can help an attacker to figureout the windows based machines in the network. 
11 | 
12 | Web application hosted on Windows OS will process the SMB path as well if file download functionality is processing user input without prepending any data.
13 | 
14 | There will be three possible observations in this case:
15 |     
16 |     1). Live IP with open SMB port
17 |     2). IP is live but port is closed
18 |     3). IP itself is not live
19 | 
20 | <b>Live IP with open SMB port</b> In this case, web application will try to access the default admin share "IPC$" via SMB and remote server will ask for credentials. As application triggered request without credendials, remote IP will stop processing the file download request and web application will return HTTP response in some specific time period. Note the HTTP response time.
21 | 
22 | <b>IP is live but port is not closed</b> In this case, web application will try to access the port of the IP. Here, IP is live but port is not open. Web application will try to establish connection to the closed port which result in rises of "Connection Refused" error message. For this situation, web application will return HTTP response in some specific time period. Note the HTTP response time. The response time period will be more than the time period from above case. 
23 | 
24 | <b>IP itself is not live</b> In this case, web application will try to establish communication to the IP which is not live. Here, IP itself is not live. Web application will try to establish communication to the IP which result in rises of "Host has failed to respond" error message. For this situation, web application will have take huge time to respond. This behavior will indicate that remote IP is not live
25 | 
26 | <b>How to figureout the time difference for different-2 test case</b>
27 | 
28 | To get the time difference for the case when IP is live with closed port, try with "Burp Collaborator" server. Collaborator server dont have SMB port open on it. But if application is hosted inside the network which is not allowing routing of SMB traffic outside the network, trick wont work. In this case, try to download "hosts" or "web.config" file from server and get internal IPs.
29 | 
30 | To get the time difference for the case when IP itself is not live, specify an IP which is not live at all. Note the HTTP response time period and use the observed time value to figureout the dead IPs in your result while perfoming the testing. 
31 | 
32 | <h4><b>Web application default functionality</b></h4>
33 | Web application has file download functionality which allow user to download file from server. If file is not present, application prompt with error message that "File not found". 
34 | 
35 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_1.png?raw=true)
36 | 
37 | Web browser prompt user with file donwload message box
38 | 
39 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_2.png?raw=true)
40 | 
41 | Confirm whether application is prepending any data to user specified value or not because it is important to perform SSRF exploitation. If application is prepending any data to user input, application will not accept full path to the system internal file and user will not get any file download message box.
42 | 
43 | To confirm if application is not prepending any data to user input, try to download system file which will be there in Windows machine for sure. One such file is "hosts" inside the diectory "c:/windows/system32/drivers/etc/".
44 | 
45 | Specified the internal path to file "hosts" in inout field which is "c:/windows/system32/drivers/etc/hosts" and try to download.
46 | 
47 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_3.png?raw=true)
48 | 
49 | Application is processing user specified file path and not prepending any data to it.
50 | 
51 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_4.png?raw=true)
52 | 
53 | Now, we can go for the exploitation. An attacker can specify the SMB path to internal IP with "IPC$" admin share and random file name inside the share. 
54 | 
55 | The payload will be like this "\\\\Internal_IP\IPC$\box.txt". 
56 | Specify the SMB path to an IP which has Windows OS runnning on it. In the environment, there was one Windows machine with SMB port open.
57 | 
58 | <b>Case 1: Live IP with Open SMB port</b>
59 | 
60 | IP of the machine which is hosted inside the network and has SMB port on it.
61 | 
62 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_8.png?raw=true)
63 | 
64 | Web application response time behavior for the case when IP is live and port 445 is open was osbeerved like this
65 | 
66 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_9.png?raw=true)
67 | 
68 | <b>Case 2: IP is Live but port is closed</b>
69 | 
70 | In network, there may be IPs which are live but SMB port is not live. For those IPs, application response will be different as IP is live but SMB port is not open. Application keep trying to comunicate to the IP on port 445. Due to this process application HTTP response time will be different
71 | 
72 | There was an IP which is Live and running Linux OS with SMB port closed.
73 | 
74 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_10.png?raw=true)
75 | 
76 | Web application response time behavior for the case when IP is live and port 445 is cloased was observed like this
77 | 
78 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_11.png?raw=true)
79 | 
80 | 
81 | <b>Case 3: IP itself is not live</b>
82 | 
83 | In network, there may be IPs which are not live. For those IPs, application response will be different as IP is not live and application keep trying to comunicate to the IP. In this case application HTTP response will have huge difference then the one in which IP was live.
84 | 
85 | There was an IP which as not Live in the environment.
86 | 
87 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_6.png?raw=true)
88 | 
89 | Web application response time behavior for the case when IP is not live was observed like this
90 | 
91 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/File_Download/images/file_download_7.png?raw=true)
92 | 
93 | ./Thanks
94 | 


--------------------------------------------------------------------------------
/www/File_Download/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_1.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_10.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_11.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_2.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_3.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_4.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_6.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_7.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_8.png


--------------------------------------------------------------------------------
/www/File_Download/images/file_download_9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/File_Download/images/file_download_9.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/README.md:
--------------------------------------------------------------------------------
 1 | # Application provide interface to connect to Remote Host
 2 | 
 3 | <b>Exploitation Difficulty : Easy</b><br>
 4 | This is the simple level Server-Side Request Forgery (SSRF) vulnerability scenario. In such type of case, application will have interface which allow user to specify the remote hostname/IP.
 5 | 
 6 | 
 7 | <b>Issue observation and exploitation scenario</b><br>
 8 | Web application has interface allow an user to specify the any IP with any port. Here application may have functionality like, it try to connect to service like "MySQL", "LDAP" etc.
 9 | 
10 | Application expect user to specify the remote server hostname/IP, username and password in  input fields. Application try to connect to the remote server over specified port.
11 | Here, application try to communicate to remote service listening on specific port. 
12 | When vulnerable code has functionality to connect to server like MySQL and user specified the SMB port, vulnerable application will try to communicate to SMB servie using MySQL server service packets.
13 | Now, port is open, but services are not able to communicate due to difference in way of communication. 
14 | 
15 | This behaviour can be exploited to perform internal network scanning not just to enumerate IPs but Ports as well on those live IPs.
16 | 
17 | In this example, script try to connect to remote SQL server. 
18 | 
19 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_1.png?raw=true)
20 | 
21 | Following 3 type of behavior will be obsered in this case whicn are following:
22 | 
23 | 1)	If remote IP is not having port open, script shows error message "No connection could be made because the target machine actively refused it".
24 | 2)	If remote IP is having port open on it but SQL server is not listening on it, script shows error message "SQL server has gone away".
25 | 3)	If remote IP does not exist, script throws error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." 
26 | 
27 | <b>Case 1: IP is live and Port is open</b>
28 | 
29 | In this case, remote IP is up and port is open. So when application try to communicate to the service on the remote IP port, application script feels that Port is open but service is not responding. Due to this observation, application script trigger message such as "Service has gone down".
30 | 
31 | Specified the SMB port along local IP
32 | 
33 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_2.png?raw=true)
34 | 
35 | Application vulnerable code response will print message "Service Gone" which indicate "SMB" port was open on local machine.
36 | 
37 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_3.png?raw=true)
38 | 
39 | <b>Case 2: IP is live and Port is Closed</b>
40 | 
41 | In this case, remote IP is up but port is closed. So when application try to communicate to the service on the remote IP port, application script keep trying to connect to the port, take much time and finally connection timeout happens. Due to this observation, application script print message like "Connection refused".
42 | 
43 | Specified the random port which is not open along local IP
44 | 
45 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_4.png?raw=true)
46 | 
47 | Application vulnerable code response indicate that random port was not open on local machine.
48 | 
49 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_5.png?raw=true)
50 | 
51 | <b>Case 3: IP is not live </b>
52 | 
53 | In this case, remote IP itself is not live. So when application try to communicate to the service on the remote IP port, application script keep trying to  establish connection to remote IP, take more time  than case 2 and finally connection timeout happens. Due to this observation, application script print message like "Third party not responding" which indicate that IP is not live.
54 | 
55 | Specified the SMB port along remote IP which is not live on network
56 | 
57 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_6.png?raw=true)
58 | 
59 | Application vulnerable code response indicate that Remote IP is not live.
60 | 
61 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/Remote_host_connect_interface/images/MySQL_Connect_7.png?raw=true)
62 | 
63 | ./Thanks
64 | 
65 | 


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_1.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_2.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_3.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_4.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_5.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_6.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/MySQL_Connect_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/Remote_host_connect_interface/images/MySQL_Connect_7.png


--------------------------------------------------------------------------------
/www/Remote_host_connect_interface/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/XML/images/README.md:
--------------------------------------------------------------------------------
1 | POC images for the vunerability demo.
2 | 


--------------------------------------------------------------------------------
/www/XML/sample_upload.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 |  <crew>
 3 |    <member id="member1">
 4 |       <name>Edward Newgate</name>
 5 |       <title>Captain</title>
 6 |       <fruit>Gura-Gura no-mi</fruit>
 7 |       <power>A "Quake Man".</power>
 8 |    </member>
 9 |    <member id="member2">
10 | 	  <name>Marco - The Phoenix</name>
11 |       <title>First Division Commander</title>
12 |       <fruit>Mythical Zoan type</fruit>
13 |       <power>Can transform into a phoenix.</power>
14 |    </member>
15 |    <member id="member3">
16 | 	  <name>Fire fist - Ace </name>
17 |       <title>Second Division Commander</title>
18 |       <fruit>Mera Mera no Mi</fruit>
19 |       <power>Can create, control, and transform into fire at will.</power>
20 |    </member>
21 | </crew>
22 | 


--------------------------------------------------------------------------------
/www/XML/ssrf_using_xxe.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 |  <!DOCTYPE foo [  
 3 |   <!ELEMENT foo ANY >
 4 |   <!ENTITY xxe SYSTEM "http://127.0.0.1/config.json" >]>
 5 |  <crew>
 6 |    <member id="member1">
 7 |       <name>Edward Newgate</name>
 8 |       <title>Captain</title>
 9 |       <fruit>&xxe;</fruit>
10 |       <power>A "Quake Man".</power>
11 |    </member>
12 |    <member id="member2">
13 | 	  <name>Marco - The Phoenix</name>
14 |       <title>First Division Commander</title>
15 |       <fruit>Mythical Zoan type</fruit>
16 |       <power>Can transform into a phoenix.</power>
17 |    </member>
18 |    <member id="member3">
19 | 	  <name>Fire fist - Ace </name>
20 |       <title>Second Division Commander</title>
21 |       <fruit>Mera Mera no Mi</fruit>
22 |       <power>Can create, control, and transform into fire at will.</power>
23 |    </member>
24 | </crew>
25 | 


--------------------------------------------------------------------------------
/www/all.css:
--------------------------------------------------------------------------------
  1 | body {
  2 | 	background: url(images/head.jpg);
  3 | 	background-size: 100% 700px;
  4 |     background-repeat: no-repeat;
  5 | font-family: Tahoma;
  6 | color: white;
  7 | 
  8 | }
  9 | .side-pan {
 10 |    margin: 0;
 11 |    border:0px;
 12 |    
 13 |    width:200px;
 14 |    padding: 5px 23px;
 15 |    margin:0px;
 16 |    -webkit-border-radius: 0px;
 17 |    -moz-border-radius: 0px;
 18 |    border-radius: 0px;
 19 |    border-bottom: 1px solid black;
 20 |    color: white;
 21 |    font-size: 20px;
 22 |    font-family: Georgia, serif;
 23 |    text-decoration: none;
 24 |    vertical-align: left;
 25 |    align:left;
 26 |    }
 27 |    div#left {
 28 |     width: 100%;
 29 |     height: 50px;
 30 |     float: left;
 31 | 	}
 32 | div#right {
 33 |     margin-left: 20%;
 34 |     height: 50px;
 35 | 	color: white;
 36 |     font-size: 20px;
 37 |     font-family: Georgia, serif;
 38 | 	}
 39 | .main div {
 40 |   float: left;
 41 |   clear: none; 
 42 | 	}
 43 | 
 44 | input {
 45 | border			: solid 2px ;
 46 | border-color		: black;
 47 | BACKGROUND-COLOR: #444444;
 48 | font: 8pt Verdana;
 49 | color: white;
 50 | }
 51 | submit {
 52 | BORDER:  buttonhighlight 2px outset;
 53 | BACKGROUND-COLOR: Black;
 54 | width: 30%;
 55 | color: #FFF;
 56 | }
 57 | #t input[type=\'submit\']{
 58 | 	COLOR: White;
 59 | 	border:none;
 60 | 	BACKGROUND-COLOR: black;
 61 | }
 62 | #t input[type=\'submit\']:hover {
 63 | 	
 64 | 	BACKGROUND-COLOR: #ff9933;
 65 | 	color: black;
 66 | 	
 67 | }
 68 | tr {
 69 | BORDER: dashed 1px #333;
 70 | color: #FFF;
 71 | }
 72 | td {
 73 | BORDER: dashed 0px ;
 74 | }
 75 | .table1 {
 76 | BORDER: 0px Black;
 77 | BACKGROUND-COLOR: Black;
 78 | color: #FFF;
 79 | }
 80 | .td1 {
 81 | BORDER: 0px;
 82 | BORDER-COLOR: #333333;
 83 | font: 7pt Verdana;
 84 | color: Green;
 85 | }
 86 | .tr1 {
 87 | BORDER: 0px;
 88 | BORDER-COLOR: #333333;
 89 | color: #FFF;
 90 | }
 91 | table {
 92 | BORDER: dashed 2px #333;
 93 | BORDER-COLOR: #333333;
 94 | BACKGROUND-COLOR: #191919;;
 95 | color: #FFF;
 96 | }
 97 | textarea {
 98 | border			: dashed 2px #333;
 99 | BACKGROUND-COLOR: Black;
100 | font: Fixedsys bold;
101 | color: #999;
102 | }
103 | A:link {
104 | border: 1px;
105 | 	COLOR: red; TEXT-DECORATION: none
106 | }
107 | A:visited {
108 | 	COLOR: red; TEXT-DECORATION: none
109 | }
110 | A:hover {
111 | 	color: White; TEXT-DECORATION: none
112 | }
113 | A:active {
114 | 	color: white; TEXT-DECORATION: none
115 | }


--------------------------------------------------------------------------------
/www/dns-spoofing.php:
--------------------------------------------------------------------------------
  1 | <?php 
  2 | 
  3 | include('head.php');
  4 | 
  5 | echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
  6 | 		<tr>
  7 | 		<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">
  8 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
  9 | 				<input type=submit name=home value="Home" class="side-pan">
 10 | 		</td>
 11 | 		<td  align=right style="padding:0px; border:0px; margin:0px;" >
 12 | 				<input type=submit name=load value="Load File" class="side-pan">
 13 | 		</td>
 14 | 		
 15 | 		<td  align=left style="padding:0px; border-width:0px; margin:0px;">
 16 | 				<input type=submit name=us value="Who we are" class="side-pan">
 17 | 		</td>
 18 | 				</form></tr></table></div></div>
 19 | 				<div id="right"></div><div align=center>';	
 20 | 				
 21 | if(isset($_POST['home']))
 22 | {
 23 | 	
 24 | 	echo '<br><br><font size=5>This Lab is just to demonstrate how SSRF can be exploited to perform reading files/remote URLs';
 25 | 	
 26 | }
 27 | 
 28 | if(isset($_POST['load']))
 29 | {
 30 | 	
 31 | 	echo '
 32 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 33 |    <tr><td align=center style="padding: 10px;" >
 34 | 	<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">Specify the file name: <input type=text name=file value=local.txt><br><br><input type=submit name=read value="load file"></form>
 35 | 
 36 |    </td></tr></table>
 37 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
 38 | 
 39 | }  
 40 | if(isset($_POST['read']))
 41 | {
 42 | 
 43 | 
 44 | $file=strtolower($_POST['file']);
 45 | 
 46 | if(strstr($file, 'localhost') == false && preg_match('/(^https*:\/\/[^:\/]+)/', $file)==true)
 47 |   {
 48 |   
 49 | 	$host=parse_url($file,PHP_URL_HOST);
 50 | 	
 51 | 	if(filter_var($host, FILTER_VALIDATE_IP)) 
 52 | 		{
 53 | 			if(filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE |  FILTER_FLAG_NO_RES_RANGE)== false) 
 54 | 				{
 55 | 					
 56 | 					echo '
 57 | 						   <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 58 | 						   <tr><td align=center style="padding: 10px;" >
 59 | 							The provided IP is from Private range and hence not allowed
 60 | 
 61 | 						   </td></tr></table>
 62 | 						   <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
 63 | 				}
 64 | 			else 
 65 | 				{
 66 | 					echo '<textarea rows=20 cols=60>'.file_get_contents($file)."</textarea>";
 67 | 				}
 68 | 		}
 69 | 	else 
 70 | 		{
 71 | 			echo '<textarea rows=20 cols=60>'.file_get_contents($file)."</textarea>";
 72 | 		}
 73 |   
 74 |   }
 75 |   
 76 |   elseif(strstr(strtolower($file), 'localhost') == true && preg_match('/(^https*:\/\/[^:\/]+)/', $file)==true) 
 77 | 	{
 78 | 		echo '
 79 | 		<table width="30%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 80 | 						   <tr><td align=center style="padding: 10px;" >
 81 | 							Tyring to access Localhost o_0 ? 
 82 | 
 83 | 						   </td></tr></table>
 84 | 						   <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
 85 | 	}
 86 |   
 87 |   else 
 88 | 	{
 89 | 		echo '<textarea rows=20 cols=60>'.file_get_contents($file)."</textarea>";
 90 | 	}
 91 | 	
 92 | 	
 93 | 	
 94 | 	
 95 | } 
 96 | 
 97 | if(isset($_POST['us']))
 98 | 	{
 99 | 		echo '
100 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style=" border:0px;background-color: #191919; opacity: 0.6;" >
101 | 			
102 |        <tr><td 
103 |         align="center"><img src="images/who.jpg"></td><td 
104 |          align="center" valign="top" rowspan="1"><font 
105 |         color="red" face="comic sans ms"size="1"><br><font color=white >
106 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell<br>Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen and rest of TEAM INDISHELL<br>
107 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
108 | Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik) <br><br>
109 |        
110 | 						
111 |            </table>
112 |        </table> 
113 | '; 
114 | 	}
115 | 
116 | ?>
117 | 
118 | 
119 | 


--------------------------------------------------------------------------------
/www/dns_rebinding.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /*This code is copied from 33c3ctf CTF*/
  3 | function get_contents($url) {
  4 | 	$disallowed_cidrs = [ "127.0.0.1/24", "169.254.0.0/16", "0.0.0.0/8" ];
  5 | 	$url_parts = parse_url($url);
  6 | 
  7 | 		if (!array_key_exists("host", $url_parts)) { die("<p><h3 style=color:red>There was no host in your url!</h3></p>"); }
  8 | 	echo '<table width="40%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;"> 
  9 | 			  <tr><td align=center style="padding: 10px;" >Domain: - '.$host = $url_parts["host"].'';
 10 | 
 11 | 		if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
 12 | 			$ip = $host;
 13 | 		} else {
 14 | 			$ip = dns_get_record($host, DNS_A);
 15 | 			if (count($ip) > 0) {
 16 | 				$ip = $ip[0]["ip"];
 17 | 				echo "<br>Resolved to IP: - {$ip}<br>";
 18 | 				
 19 | 			} else {
 20 | 				die("<br>Your host couldn't be resolved man...</h3></p>");
 21 | 			}
 22 | 		}
 23 | 
 24 | 		foreach ($disallowed_cidrs as $cidr) {
 25 | 			if (in_cidr($cidr, $ip)) {
 26 | 				die("<br>That IP is a blacklisted cidr ({$cidr})!</h3></p>"); // Stop processing if domain reolved to private/reserved IP
 27 | 			}
 28 | 		}
 29 | 				
 30 | 		
 31 | 		echo "<br>Domain IP is not private, Here goes the data fetched from remote URL<br> </td></tr></table>";
 32 | 		echo "<br><textarea rows=10 cols=50>".file_get_contents($url)."</textarea>";
 33 | 	
 34 | }
 35 | 
 36 | function in_cidr($cidr, $ip) {
 37 | 	list($prefix, $mask) = explode("/", $cidr);
 38 | 
 39 | 	return 0 === (((ip2long($ip) ^ ip2long($prefix)) >> $mask) << $mask);
 40 | }
 41 | 
 42 | 
 43 | echo '
 44 | <title>--==[[ DNS Rebinding Attack ]]==--</title>
 45 | <link href="all.css" rel="stylesheet" type="text/css" />
 46 | 
 47 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.7;border:0px;" >
 48 | 			
 49 |        <td width="100%" align=center valign="top" rowspan="1">
 50 | 	    <font  color=#ff9933  size="-2"> 
 51 |         ##################################################</font><font color=white size="-2">###################################################</font><font color=green size="-2">##################################################</font><br>
 52 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ DNS Rebinding </font><font color=white size=5 face="comic sans ms"><b>  SSRF </font><font color=green size=5 face="comic sans ms"><b> Vulnerable Code ]]==--</font><br>
 53 | 		   <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[</b> With Love</font><font color=white size=5 face="comic sans ms"><b> From  Team </font><font color=green size=5 face="comic sans ms">IndiShell <b>]]==--</font>
 54 | 		   <div class="hedr"> 
 55 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
 56 |         width="100%" align="center" valign="top" rowspan="1">
 57 | 		 <font  color=#ff9933  size="1"> 
 58 |         ##################################################</font><font color=white size="1">###################################################</font><font color=green size="1">##################################################</font>
 59 |         <font 
 60 |          color="red" face="comic sans ms"size="1"><br><font color=white >
 61 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell<br>Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen and rest of TEAM INDISHELL<br>
 62 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
 63 | Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
 64 |        </font>
 65 |         </font>
 66 |          
 67 |         <font  color=#ff9933  size="1"> 
 68 |         ##################################################</font><font color=white size="1">###################################################</font><font color=green size="1">##################################################</font>
 69 |            </table>
 70 |        </table> 
 71 | 
 72 | '; 
 73 | 
 74 | echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
 75 | 		<tr>
 76 | 		<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">
 77 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
 78 | 				<input type=submit name=home value="Home" class="side-pan">
 79 | 		</td>
 80 | 		<td  align=right style="padding:0px; border:0px; margin:0px;" >
 81 | 				<input type=submit name=load value="Load Remote File" class="side-pan">
 82 | 		</td>
 83 | 		</form></tr></table></div></div>
 84 | 				<div id="right"></div><div align=center>';	
 85 | 
 86 | 	if(isset($_POST['load']))
 87 | {
 88 | 	
 89 | 	echo '
 90 |    <table width="40%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 91 |    <tr><td align=center style="padding: 10px;" >
 92 | 	<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">Specify the Remote file URL: <input type=text style="width:250px;" name=file value=http://remote_server/file.txt><br><br><input type=submit name=read value="load file"></form>
 93 | 
 94 |    </td></tr></table>
 95 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
 96 | 
 97 | }  
 98 | 
 99 | if(isset($_POST['read']))
100 | {
101 | 
102 | 
103 | $file=strtolower($_POST['file']);
104 | 			
105 | if(strstr($file, 'localhost') == false && preg_match('/(^https*:\/\/[^:\/]+)/', $file)==true)
106 |   {
107 |   
108 | 	get_contents($file);
109 |   
110 |   }
111 |   elseif(strstr(strtolower($file), 'localhost') == true && preg_match('/(^https*:\/\/[^:\/]+)/', $file)==true) 
112 | 	{
113 | 		echo '
114 | 		<table width="30%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
115 | 						   <tr><td align=center style="padding: 10px;" >
116 | 							Dear Nigga, Trying to access Localhost o_0 ? 
117 | 
118 | 						   </td></tr></table>
119 | 						   <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
120 | 	}
121 | 
122 | }
123 | 
124 | ?>
125 | 


--------------------------------------------------------------------------------
/www/download.php:
--------------------------------------------------------------------------------
  1 | <?php 
  2 | function file_download($download)
  3 | {
  4 | 	if(file_exists($download))
  5 | 				{
  6 | 					header("Content-Description: File Transfer"); 
  7 | 					
  8 | 					header('Content-Transfer-Encoding: binary');
  9 | 					header('Expires: 0');
 10 | 					header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 11 | 					header('Pragma: public');
 12 | 					header('Accept-Ranges: bytes');
 13 | 					header('Content-Disposition: attachment; filename="'.basename($download).'"'); 
 14 | 					header('Content-Length: ' . filesize($download));
 15 | 					header('Content-Type: application/octet-stream'); 
 16 | 					ob_clean();
 17 | 					flush();
 18 | 					readfile ($download);
 19 | 				}
 20 | 				else
 21 | 				{
 22 | 				echo "<script>alert('file not found');</script>";	
 23 | 				}
 24 | 	
 25 | }
 26 | if(isset($_POST['download']))
 27 | {
 28 | 
 29 | $file=trim($_POST['file']);
 30 | 
 31 | file_download($file);
 32 | 
 33 | }
 34 | 
 35 | 
 36 | 
 37 | 
 38 | 
 39 | include('head.php');
 40 | 
 41 | echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
 42 | 		<tr>
 43 | 		<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">
 44 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
 45 | 				<input type=submit name=home value="Home" class="side-pan">
 46 | 		</td>
 47 | 		<td  align=right style="padding:0px; border:0px; margin:0px;" >
 48 | 				<input type=submit name=load value="Download File" class="side-pan">
 49 | 		</td>
 50 | 		
 51 | 		<td  align=left style="padding:0px; border-width:0px; margin:0px;">
 52 | 				<input type=submit name=us value="Who we are" class="side-pan">
 53 | 		</td>
 54 | 				</form></tr></table></div></div>
 55 | 				<div id="right"></div><div align=center>';
 56 | 
 57 | if(isset($_POST['home']))
 58 | {
 59 | 	
 60 | 	echo '<br><br><font size=5>This Lab is just to demonstrate how SSRF can be exploited when application has file download functionality';
 61 | 	
 62 | 	
 63 | }
 64 | 
 65 | if(isset($_POST['load']))
 66 | {
 67 | 	
 68 | 	echo '
 69 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 70 |    <tr><td align=center style="padding: 10px;" >
 71 | 	<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">Specify the file name to download: <input type=text name=file value=local.txt><br><br><input type=submit name=download value="Donwload file"></form>
 72 | 
 73 |    </td></tr></table>
 74 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
 75 | 
 76 | }  
 77 | 
 78 | 
 79 | if(isset($_POST['us']))
 80 | 	{
 81 | 		echo '
 82 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style=" border:0px;background-color: #191919; opacity: 0.6;" >
 83 | 			
 84 |        <tr><td 
 85 |         align="center"><img src="images/who.jpg"></td><td 
 86 |          align="center" valign="top" rowspan="1"><font 
 87 |         color="red" face="comic sans ms"size="1"><br><font color=white >
 88 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell<br>Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen and rest of TEAM INDISHELL<br>
 89 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
 90 | Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik) <br><br>
 91 |        
 92 | 						
 93 |            </table>
 94 |        </table> 
 95 | '; 
 96 | 	}
 97 | 								
 98 | 				
 99 | 
100 | ?>
101 | 


--------------------------------------------------------------------------------
/www/file_content_fetch/README.md:
--------------------------------------------------------------------------------
 1 | #   Application code fetch and disply the content of the specified file (file_get_contents.php)
 2 | 
 3 | <b>Exploitation Difficulty : Easy</b><br>
 4 | This is the simple example of Server-Side Request Forgery (SSRF) attack exploitation. Application code do not has any check for user input data and process it.
 5 | 
 6 | <b>Issue observation and exploitation scenario</b><br>In programming language, there are functions which can fetch the content of locally saved file. These functions may be capable of fetching the content from remote URLs as well (file_get_contents in PHP).
 7 | This technique works if application is not prepending any string to the user supplied data to fetch the content from a file i.e 
 8 | application is not prepeding and directory name or path to the user supplied data. 
 9 | In this case, application data fetching function process the schemes like "http://" or "file://". 
10 | When user will specify the remote URL in place of file name like "http://localhost", data fetching function extract the data from the specified URL.
11 | 
12 | If application is prepending any data string (for example any directory name) to user data, in that case "http://" or "file://" scheme won't 
13 | work and SSRF vulnerability exploitation is not possible.
14 | 
15 | 
16 | <b>Vulnerable Script exploitation</b><br>
17 | In this example, application has functionality to fetch and display the content of the file. 
18 | Application has file "local.txt" hosted in the same directory where SSRF vulnerable code is hosted.
19 | 
20 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/file_content_fetch/images/file1.png?raw=true)
21 | 
22 | When user try to read the content of file saved on server, vulnerable code just check if file exist on server or not and display the content if file is present on server.
23 | 
24 | Application is displaying the content of the file "local.txt"
25 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/file_content_fetch/images/file2.png?raw=true)
26 | 
27 | Vulnerable code allow user to use "file://" scheme as well. For example, user can read file like "/etc/passwd" (Linux server) or "c:/windows/system32/drivers/etc/hosts" (in Windows server).
28 | 
29 | Accessing Windows machine "host" entry file
30 | 
31 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/file_content_fetch/images/file3.png?raw=true)
32 | 
33 | Vulnerable code allowed user to access the content of "host" file
34 | 
35 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/file_content_fetch/images/file4.png?raw=true)
36 | 
37 | 
38 | <h4><b>Accessing the internal server URLs</b></h4>
39 | 
40 | An attacker can exploit the vulnerable code not just to read the local file but can access the web application hosted on internal environment (in this case "localhost")
41 | 
42 | User specified the URL "http://localhost/box.txt" which point to the file "box.txt" hosted on the local server.
43 | 
44 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/file_content_fetch/images/file5.png?raw=true)
45 | 
46 | Vulnerable code allowed user to access the HTTP content of the URL "http://localhost/box.txt"
47 | 
48 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/file_content_fetch/images/file6.png?raw=true)
49 | 
50 | ./Thanks
51 | 


--------------------------------------------------------------------------------
/www/file_content_fetch/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file1.png


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file2.png


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file3.png


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file4.png


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file5.png


--------------------------------------------------------------------------------
/www/file_content_fetch/images/file6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/file_content_fetch/images/file6.png


--------------------------------------------------------------------------------
/www/file_get_content.php:
--------------------------------------------------------------------------------
 1 | <?php 
 2 | 
 3 | include('head.php');
 4 | 
 5 | echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
 6 | 		<tr>
 7 | 		<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">
 8 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
 9 | 				<input type=submit name=home value="Home" class="side-pan">
10 | 		</td>
11 | 		<td  align=right style="padding:0px; border:0px; margin:0px;" >
12 | 				<input type=submit name=load value="Load File" class="side-pan">
13 | 		</td>
14 | 		
15 | 		<td  align=left style="padding:0px; border-width:0px; margin:0px;">
16 | 				<input type=submit name=us value="Who we are" class="side-pan">
17 | 		</td>
18 | 				</form></tr></table></div></div>
19 | 				<div id="right"></div><div align=center>';	
20 | 				
21 | if(isset($_POST['home']))
22 | {
23 | 	
24 | 	echo '<br><br><font size=5>This Lab is just to demonstrate how SSRF can be exploited to perform reading files/remote URLs';
25 | 	
26 | }
27 | 
28 | if(isset($_POST['load']))
29 | {
30 | 	
31 | 	echo '
32 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
33 |    <tr><td align=center style="padding: 10px;" >
34 | 	<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">Specify the file name: <input type=text name=file value=local.txt><br><br><input type=submit name=read value="load file"></form>
35 | 
36 |    </td></tr></table>
37 |    <table width="50%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >';
38 | 
39 | }  
40 | if(isset($_POST['read']))
41 | {
42 | 
43 | $file=trim($_POST['file']);
44 | 
45 | echo htmlentities(file_get_contents($file));
46 | 
47 | } 
48 | 
49 | if(isset($_POST['us']))
50 | 	{
51 | 		echo '
52 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style=" border:0px;background-color: #191919; opacity: 0.6;" >
53 | 			
54 |        <tr><td 
55 |         align="center"><img src="images/who.jpg"></td><td 
56 |          align="center" valign="top" rowspan="1"><font 
57 |         color="red" face="comic sans ms"size="1"><br><font color=white >
58 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell<br>Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen and rest of TEAM INDISHELL<br>
59 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
60 | Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik) <br><br>
61 |        
62 | 						
63 |            </table>
64 |        </table> 
65 | '; 
66 | 	}
67 | 
68 | ?>


--------------------------------------------------------------------------------
/www/head.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | 
  4 | $head = '
  5 | <html>
  6 | <head>
  7 | <link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
  8 | </script>
  9 | <title>--==[[IndiShell Lab]]==--</title>
 10 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 11 | <STYLE>
 12 | body {
 13 | 	background: url(images/head.jpg);
 14 | 	background-size: 100% 700px;
 15 |     background-repeat: no-repeat;
 16 | font-family: Tahoma;
 17 | color: white;
 18 | 
 19 | }
 20 | .side-pan {
 21 |    margin: 0;
 22 |    border:0px;
 23 |    
 24 |    width:200px;
 25 |    padding: 5px 23px;
 26 |    margin:0px;
 27 |    -webkit-border-radius: 0px;
 28 |    -moz-border-radius: 0px;
 29 |    border-radius: 0px;
 30 |    border-bottom: 1px solid black;
 31 |    color: white;
 32 |    font-size: 20px;
 33 |    font-family: Georgia, serif;
 34 |    text-decoration: none;
 35 |    vertical-align: left;
 36 |    align:left;
 37 |    }
 38 |    div#left {
 39 |     width: 100%;
 40 |     height: 50px;
 41 |     float: left;
 42 | 	}
 43 | div#right {
 44 |     margin-left: 20%;
 45 |     height: 50px;
 46 | 	color: white;
 47 |     font-size: 20px;
 48 |     font-family: Georgia, serif;
 49 | 	}
 50 | .main div {
 51 |   float: left;
 52 |   clear: none; 
 53 | 	}
 54 | 
 55 | input {
 56 | border			: solid 2px ;
 57 | border-color		: black;
 58 | BACKGROUND-COLOR: #444444;
 59 | font: 8pt Verdana;
 60 | color: white;
 61 | }
 62 | submit {
 63 | BORDER:  buttonhighlight 2px outset;
 64 | BACKGROUND-COLOR: Black;
 65 | width: 30%;
 66 | color: #FFF;
 67 | }
 68 | #t input[type=\'submit\']{
 69 | 	COLOR: White;
 70 | 	border:none;
 71 | 	BACKGROUND-COLOR: black;
 72 | }
 73 | #t input[type=\'submit\']:hover {
 74 | 	
 75 | 	BACKGROUND-COLOR: #ff9933;
 76 | 	color: black;
 77 | 	
 78 | }
 79 | tr {
 80 | BORDER: dashed 1px #333;
 81 | color: #FFF;
 82 | }
 83 | td {
 84 | BORDER: dashed 0px ;
 85 | }
 86 | .table1 {
 87 | BORDER: 0px Black;
 88 | BACKGROUND-COLOR: Black;
 89 | color: #FFF;
 90 | }
 91 | .td1 {
 92 | BORDER: 0px;
 93 | BORDER-COLOR: #333333;
 94 | font: 7pt Verdana;
 95 | color: Green;
 96 | }
 97 | .tr1 {
 98 | BORDER: 0px;
 99 | BORDER-COLOR: #333333;
100 | color: #FFF;
101 | }
102 | table {
103 | BORDER: dashed 2px #333;
104 | BORDER-COLOR: #333333;
105 | BACKGROUND-COLOR: #191919;;
106 | color: #FFF;
107 | }
108 | textarea {
109 | border			: dashed 2px #333;
110 | BACKGROUND-COLOR: Black;
111 | font: Fixedsys bold;
112 | color: #999;
113 | }
114 | A:link {
115 | border: 1px;
116 | 	COLOR: red; TEXT-DECORATION: none
117 | }
118 | A:visited {
119 | 	COLOR: red; TEXT-DECORATION: none
120 | }
121 | A:hover {
122 | 	color: White; TEXT-DECORATION: none
123 | }
124 | A:active {
125 | 	color: white; TEXT-DECORATION: none
126 | }
127 | </STYLE>
128 | <script type="text/javascript">
129 | <!--
130 |     function lhook(id) {
131 |        var e = document.getElementById(id);
132 |        if(e.style.display == \'block\')
133 |           e.style.display = \'none\';
134 |        else
135 |           e.style.display = \'block\';
136 |     }
137 | //-->
138 | </script>
139 | '; 
140 | 
141 | echo $head ;
142 | 
143 | echo '
144 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.7;border:0px;" >
145 | 			
146 |        <td width="100%" align=center valign="top" rowspan="1">
147 | 	   <font color=#ff9933 size="-2"> 
148 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
149 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ SSRF </font><font color=white size=5 face="comic sans ms"><b>  Vulnerable </font><font color=green size=5 face="comic sans ms"><b> Lab]]==--</font><br>
150 | 		   <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[</b> With Love</font><font color=white size=5 face="comic sans ms"><b> From  Team </font><font color=green size=5 face="comic sans ms">IndiShell<b>]]==--</font>
151 | 		   <div class="hedr"> 
152 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
153 |         width="100%" align="center" valign="top" rowspan="1">
154 | 		<font color=#ff9933 size="-2"> 
155 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
156 | 		<font 
157 |         color="red" face="comic sans ms"size="1">
158 |         
159 | 						
160 |           
161 |        </table> 
162 | '; 
163 | ?>
164 | 


--------------------------------------------------------------------------------
/www/images/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/www/images/SSRF_Vulnerable_Lab.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/SSRF_Vulnerable_Lab.png


--------------------------------------------------------------------------------
/www/images/head.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/head.jpg


--------------------------------------------------------------------------------
/www/images/indishell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/indishell.jpg


--------------------------------------------------------------------------------
/www/images/matrix2.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/matrix2.gif


--------------------------------------------------------------------------------
/www/images/ssrf_lab.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/ssrf_lab.gif


--------------------------------------------------------------------------------
/www/images/who.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/images/who.jpg


--------------------------------------------------------------------------------
/www/index.php:
--------------------------------------------------------------------------------
  1 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  2 | <STYLE>
  3 | BODY {
  4 | color: #ffffff;
  5 | background-color: #000000;
  6 | background-image: url(images/matrix2.gif);
  7 | background-repeat: repeat;
  8 | }
  9 | 
 10 | #title {
 11 |     font-size: 2em;
 12 |     padding-top: 5px;
 13 | 	font-family: consolas, georgia, helvetica, times new roman, serif;
 14 | }
 15 | 
 16 | 
 17 | tr {
 18 | border-collapse: collapse;
 19 | }
 20 | 
 21 | td {
 22 | font-family: consolas, georgia, helvetica, times new roman, serif;
 23 | border-collapse: collapse;
 24 | }
 25 | 
 26 | table {
 27 | 		margin-left:auto;
 28 | 		margin-right:auto;
 29 | 		BORDER: dashed 2px #333;
 30 | 		BORDER-COLOR: #333333;
 31 | 		BACKGROUND-COLOR: #191919;;
 32 | 		color: #FFF;
 33 | }
 34 | 
 35 | A:link {
 36 | border: 1px;
 37 | 	COLOR: red; TEXT-DECORATION: none
 38 | }
 39 | A:visited {
 40 | 	COLOR: red; TEXT-DECORATION: none
 41 | }
 42 | A:hover {
 43 | 	color: #97c3f5; TEXT-DECORATION: none
 44 | }
 45 | A:active {
 46 | 	color: ; TEXT-DECORATION: none
 47 | }
 48 | </STYLE>
 49 | 
 50 | <script type="text/javascript">
 51 | 
 52 |     function lhook(id) {
 53 | 
 54 |        var e = document.getElementById(id);
 55 | 
 56 |        if(e.style.display == 'block')
 57 | 
 58 |           e.style.display = 'none';
 59 | 
 60 |        else
 61 | 
 62 |           e.style.display = 'block';
 63 | 
 64 |     }
 65 | </script>
 66 | 
 67 | 		
 68 | <div id="title" align=center>--==[[ Welcome to the SSRF Vulnerable Lab ]]==--</div>
 69 | <br>
 70 | Exercises:
 71 | <br>
 72 | <table width="90%"><tr><td>
 73 | <b><font color=#ff9933 size="3">1. Application code fetch and disply the content of the specified file: -</font></b></td></tr>
 74 | <tr><td style="background-color: #343440;">
 75 | <div align=center>--== <a href="#" onclick="lhook('info1');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
 76 | </div>
 77 | 
 78 | <div id="info1" style="display:none;">
 79 | In programming language, there are functions which can fetch the content of locally saved file. These functions may be capable of fetching the content from remote URLs as well local files (file_get_contents in PHP). 
 80 | <br><br>This functionality can be abused if application is not prepending any string to the user supplied data to fetch the content from a file i.e application is not prepeding and directory name or path to the user supplied data. In this case, application data fetching function process the schemes like "http://" or "file://". When user will specify the remote URL in place of file name like "http://localhost", data fetching function extract the data from the specified URL.
 81 | <br>If application is prepending any data string (for example any directory name) to user data, in that case "http://" or "file://" scheme won't work and SSRF vulnerability exploitation is not possible.</div></td></tr>
 82 | <tr><td>Link to Vulnerable Script - <a href="file_get_content.php" target="_blank">file_get_content.php</a></td></tr></table>
 83 | <br><br>
 84 | <table  width="90%" >
 85 | <tr><td>
 86 | <b><font color=#ff9933 size="3">2. Application provide interface to connect to Remote Host : -</font></b> </td></tr>
 87 | <tr><td style="background-color: #343440; ">
 88 | <div align=center>--== <a href="#" onclick="lhook('info2');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
 89 | </div>
 90 | 
 91 | <div id="info2" style="display:none;">
 92 | Web application has interface allow an user to specify the any IP with any port. Here application may have functionality like, it try to connect to service like "MySQL", "LDAP" etc.
 93 | <br><br>
 94 | Application expect user to specify the remote server hostname/IP, username and password in input fields. Application try to connect to the remote server over specified port. Here, application try to communicate to remote service listening on specific port. When vulnerable code has functionality to connect to server like MySQL and user specified the SMB port, vulnerable application will try to communicate to SMB servie using MySQL server service packets. Now, port is open, but services are not able to communicate due to difference in way of communication.
 95 | <br><br>
 96 | This behaviour can be exploited to perform internal network scanning not just to enumerate IPs but Ports as well on those live IPs.
 97 | </div>
 98 | </td></tr>
 99 | <tr><td>
100 | Link to Vulnerable Script - <a href="sql_connect.php" target="_blank">sql_connect.php</a></td></tr></table>
101 | <br><br>
102 | <table  width="90%">
103 | <tr><td>
104 | <b><font color=#ff9933 size="3">3. Application has File Download Functionality: -</font></b> </td></tr>
105 | <tr><td style="background-color: #343440;"> 
106 | <div align=center>--== <a href="#" onclick="lhook('info3');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
107 | </div>
108 | 
109 | <div id="info3" style="display:none;">
110 | In this case, an attacker can exploit this functionality to perform IP scanning inside the network where application server is hosted.
111 | <br>The function which performs the task of downloding file from server, can download file not just from local server but also from SMB path as well. This is something which can help an attacker to figureout the windows based machines in the network.
112 | <br><br>
113 | Web application hosted on Windows OS will process the SMB path as well if file download functionality is processing user input without prepending any data.</div></td></tr>
114 | <tr><td>Link to Vulnerable Script - <a href="download.php" target="_blank">download.php</a>
115 | </td></tr></table>  
116 | <br><br>
117 | <table width="90%"><tr><td>
118 | <b><font color=#ff9933 size="3">4. Bypassing IP blacklisting using DNS Based Spoofing: -</font></b></td></tr>
119 | <tr><td style="background-color: #343440;">
120 | <div align=center>--== <a href="#" onclick="lhook('info4');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
121 | </div>
122 | 
123 | <div id="info4" style="display:none;">
124 | The script has funcionality which allow user to fetch data from remote URL. User need to specify the remote URL with any IP or domain name.
125 | <br><br>
126 | This script perform check if user has specified the input as "localhost", "Internal IPs" or "Reserved IPs". If domain/IP spcified by user is blacklisted, script will not fetch the content and stop processing.
127 | </div></td></tr>
128 | <tr><td>Link to Vulnerable Script - <a href="dns-spoofing.php" target="_blank">dns-spoofing.php</a></td></tr></table>
129 | <br><br>
130 | 
131 | <table width="90%"><tr><td>
132 | <b><font color=#ff9933 size="3">5. Bypassing IP blacklisting using DNS Rebinding Technique: -</font></b></td></tr>
133 | <tr><td style="background-color: #343440;">
134 | <div align=center>--== <a href="#" onclick="lhook('info5');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
135 | </div>
136 | 
137 | <div id="info5" style="display:none;">
138 | Application has implemented black listing of not just internal and private range IPs but also rsolve the user supplied domain to its IP and again perform check if resolved is black listed or not.<br> <br>
139 | In this case, DNS based spoofing trick will also not work to access the content hosted on internal/Reserved IP. Application code perform domain resolution to its IP and again perform black listed IP check for the resolved IP.
140 | </div></td></tr>
141 | <tr><td>Link to Vulnerable Script - <a href="dns_rebinding.php" target="_blank">dns_rebinding.php</a></td></tr></table>
142 | 
143 | 
144 | <br><br>
145 | <table width="90%"><tr><td>
146 | <b><font color=#ff9933 size="3">6. SSRF in HTML to PDF generator: -</font></b></td></tr>
147 | <tr><td style="background-color: #343440;">
148 | <div align=center>--== <a href="#" onclick="lhook('info6');" style="border:1px;background:black;">Show Misconfiguration Info</a> ==--
149 | </div>
150 | 
151 | 
152 | <div id="info6" style="display:none;">
153 | This the scenario of the web app which is using HTML to PDF generator script and passing untrusted user supplied data to HTML file which is processed by HTML to PDF generator. 
154 | An attacker can pass the HTML tags such as &#x3C;iframe&#x3E;, &#x3C;a&#x3E;, &#x3C;img&#x3E; or HTML forms to make request to internally hosted application. 	
155 | </div></td></tr>
156 | <tr><td>Link to Vulnerable Script 1 - <a href="pdf_ssrf_weasyprint.php" target="_blank">pdf_ssrf_weasyprint.php</a><br>Link to Vulnerable Script 2 - <a href="pdf_ssrf_wkhtmltopdf.php" target="_blank">pdf_ssrf_wkhtmltopdf.php</a></td></tr></table>
157 | 


--------------------------------------------------------------------------------
/www/local.txt:
--------------------------------------------------------------------------------
1 | This is just dummy text file xD<h1>hi


--------------------------------------------------------------------------------
/www/pdf_generator/images/README.md:
--------------------------------------------------------------------------------
1 | This directory contain the POC images for SSRF exploitation in "Weasyprint" and "WKHTMLtoPDF" HTML to PDF converter vulnerable scripts.
2 | 


--------------------------------------------------------------------------------
/www/pdf_generator/images/w1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/w1.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/w2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/w2.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/w3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/w3.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/w4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/w4.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/w5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/w5.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/wk1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/wk1.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/wk2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/wk2.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/wk3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/wk3.png


--------------------------------------------------------------------------------
/www/pdf_generator/images/wk4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/SSRF_Vulnerable_Lab/7b9a3a1caf7fab5904232478dd41c62a166376a3/www/pdf_generator/images/wk4.png


--------------------------------------------------------------------------------
/www/pdf_generator/readme.md:
--------------------------------------------------------------------------------
  1 | # 1.0 SSRF in HTML to PDF converter functionality
  2 | 
  3 | <b>Exploitation Difficulty: Easy</b><br>
  4 | 
  5 | These are the SSRF scenario based on the fact that when web application accepting the user user input, placing them in HTML and pass the HTML code to "HTML to PDF generator".
  6 | <br><br>When HTML code will be processed by the "HTML to PDF generator", HTML code will be evaluated to corresponding representation of that HTML code in web browser.
  7 | <br>In this case, if attacker supplied data is not getting senitized or filtered before placing it to HTML code, attacker can trick "HTML to PDF generator" software to access the internal Hosts/domains. 
  8 | 
  9 | We have scenarios of 2 "HTML to PDF generator" which allow an attacker to exploit SSRF vulnerability if web application is passing the untrusted user supplied data to HTML code.
 10 | <br>These "HTML to PDF generator" are:
 11 | 
 12 |     1. Weasyprint 
 13 |     2. wkhtmltopdf
 14 | 
 15 | <br><b>pdf_ssrf_weasyprint.php</b> is vulnerable script which is using <b>weasyprint</b>.
 16 | <br><b>pdf_ssrf_wkhtmltopdf.php</b> is vulnerable script which is using <b>wkhtmltopdf</b>.
 17 | 
 18 | <b>1.1 System Requirements:</b>
 19 |   
 20 |     1. Weasyprint and wkhtmltopdf converter must be installed on the machine.
 21 |     2. Web server with PHP support 
 22 | 
 23 | <b>1.2.1 Linux based setup: wkhtmltopdf</b>
 24 | <br>No change is required. This script is developed to work on Linux OS. 
 25 | 
 26 | <b>1.2.2 Windows based setup:</b>
 27 | <br>Below mentioned changes will be required:
 28 | 
 29 | 
 30 | Remove comment syntax from the line no "271" and "272" and make them like this
 31 | 
 32 |     $path_pdf_converter='C:\Program Files\wkhtmltopdf\bin\wkhtmltopdf.exe'; /*remove the comment if you want to use it on Windows machine*/
 33 |     passthru('"'.$path_pdf_converter.'" -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 sample.html output4.pdf'); /*remove the comment if you want to use it on Windows machine*/
 34 | 
 35 | Comment out the the line number 273 like this 
 36 | 
 37 |     //passthru('xvfb-run wkhtmltopdf -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 --quiet sample.html output4.pdf 2>&1');
 38 | 
 39 | <b>1.3 Installation</b>
 40 | 
 41 | wkthmltopdf
 42 |     
 43 |     sudo apt-get update
 44 |     sudo apt-get install xvfb libfontconfig wkhtmltopdf
 45 | 
 46 | weasyprint
 47 | 
 48 | As per the OS, follow steps from below mentioned URL to install the weasyprint:
 49 | 
 50 | https://weasyprint.readthedocs.io/en/stable/install.html
 51 |     
 52 | 
 53 | # 2.0 Exploitation
 54 | 
 55 | 
 56 | Let's start with exploitation and possible attack vectors to perform SSRF.
 57 | 
 58 | <b>2.1 SSRF in Weasyprint HTML to PDF generator</b>
 59 | 
 60 | Web application accepting user input via GUI.<br>  
 61 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/w1.png?raw=true)
 62 | 
 63 | Accepted the user input, placed it inside the HTML code and generated PDF by rendering the HTML code 
 64 | 
 65 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/w2.png?raw=true)
 66 | 
 67 | After observing such behavior, try with following payloads to confirm whether web application code is vulnerable:
 68 | 
 69 |     <h1>test</h1>
 70 |     <img src=http://attacker_server_IP/>
 71 | 
 72 | If web application is processing the above mentioned payloads, go for below mentioned payloads to exploit SSRF.
 73 | 
 74 | <b>Payloads</b>
 75 | 
 76 | To grab the data from HTTP based URL, use below mentioned style payload
 77 | 
 78 |     <link rel=attachment href="http://web_URL">
 79 |     <link rel=attachment href="http://localhost/admin.php">
 80 | To grab the data from internal file system, use below mentioned style payload
 81 | 
 82 |     <link rel=attachment href="file://internal_file_path">
 83 |     <link rel=attachment href="file:///etc/passwd">
 84 | <b>2.1.1 Exploiting the SSRF - Google Cloud Metadata endpoint access</b>
 85 | 
 86 | Let's assume, web application is hosted inside the Google Cloud Platform. Now, try to grab the data from Google Cloud internal Metadata endpoint.
 87 | I saved sample username and password during the creation of the Virtual machine which are accessible on below mentioned URL:
 88 | http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes
 89 | 
 90 | Below mentioned payload will grab and attach the HTTP response from the above metnioned Metadata URL to PDF:
 91 | 
 92 |     <link rel=attachment href="http://metadata.google.internal/computeMetadata/v1beta1/instance/?recursive=true">
 93 | 
 94 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/pdf_generator/images/w3.png?raw=true)
 95 | 
 96 | Open the generated PDF and observe, nothing is there in customer name column. Download the generated PDF file to extract the data from it.
 97 | 
 98 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/w4.png?raw=true)
 99 | 
100 | Extract the attached content from the downloaded PDF file using this Python <a href="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab/blob/master/www/pdf_generator/weasy.py">Script</a> developed by Ben AKA Nahamsec. 
101 | 
102 |     python script.py  downloaded_file.pdf
103 |   
104 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/w5.png?raw=true)
105 | 
106 | And Python script extracted the attached HTTP response from the Internal Metadata URL.
107 | 
108 | This is how an attacker can extract the HTTP response from other internal IPs/Hosts.
109 | 
110 | <b>2.2 SSRF in wkhtmltopdf, HTML to PDF generator</b>
111 | 
112 | An attacker can exploit SSRF in web application using wkhtmltopdf to generate the PDF from HTML having untrusted user supplied data placed in it. 
113 | 
114 | Web application is accepting user supplied data 
115 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/wk1.png?raw=true)
116 | 
117 | Generated PDF has user supplied data.
118 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/wk2.png?raw=true)
119 | 
120 | Payload to load internal app rendered HTTP response inside the PDF using <iframe> HTML tag is:
121 |     
122 |     <iframe src="http://internal_app" height=800px width=800px></iframe>
123 | 
124 | <b>Payload to access the web page which has "X-Frame-Options" header</b> in HTTP response and can not be loaded inside the <iframe> HTML tag.
125 |     
126 |     <body onload="document.createElement('form').submit.call(document.getElementById('myForm'))"><form id="myForm" name="myForm" action="http://internal_app" method=GET></form></body> 
127 | 
128 | Specify the above mentioned payload and submit the form
129 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/wk3.png?raw=true)
130 | 
131 | Open the generated the PDF and there we go....
132 | ![](https://github.com/incredibleindishell/SSRF_Vulnerable_lab/blob/master/www/pdf_generator/images/wk4.png?raw=true)
133 | 
134 | 
135 | ./Thanks
136 | 
137 | 


--------------------------------------------------------------------------------
/www/pdf_generator/weasy.py:
--------------------------------------------------------------------------------
 1 | import sys, zlib
 2 | 
 3 | def main(fn):
 4 |     data = open(fn, 'rb').read()
 5 |     i = 0
 6 |     first = True
 7 |     last = None
 8 |     while True:
 9 |         i = data.find(b'>>\nstream\n', i)
10 |         if i == -1:
11 |             break
12 |         i += 10
13 |         try:
14 |             last = cdata = zlib.decompress(data[i:])
15 |             if first:
16 |                 first = False
17 |             else:
18 |                 pass#print cdata
19 |         except:
20 |             pass
21 |     print(last.decode('utf-8'))
22 | 
23 | if __name__=='__main__':
24 |     main(*sys.argv[1:])


--------------------------------------------------------------------------------
/www/pdf_ssrf_weasyprint.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | echo '
  4 | <html>
  5 | <head>
  6 | <link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
  7 | </script>
  8 | <title>--==[[IndiShell Lab]]==--</title>
  9 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 10 | <STYLE>
 11 | body {
 12 | 	background: url(images/indishell.jpg);
 13 | 	background-size: 100% 650px;
 14 |     background-repeat: no-repeat;
 15 | 	background-attachment: fixed;
 16 | font-family: Tahoma;
 17 | color: white;
 18 | }
 19 | .side-pan {
 20 |    margin: 0;
 21 |    border:0px;
 22 |    
 23 |    width:200px;
 24 |    padding: 5px 23px;
 25 |    margin:0px;
 26 |    -webkit-border-radius: 0px;
 27 |    -moz-border-radius: 0px;
 28 |    border-radius: 0px;
 29 |    border-bottom: 1px solid black;
 30 |    color: white;
 31 |    font-size: 20px;
 32 |    font-family: Georgia, serif;
 33 |    text-decoration: none;
 34 |    vertical-align: left;
 35 |    align:left;
 36 |    }
 37 |    div#left {
 38 |     width: 100%;
 39 |     height: 50px;
 40 |     float: left;
 41 | 	}
 42 | div#right {
 43 |     margin-left: 20%;
 44 |     height: 50px;
 45 | 	color: white;
 46 |     font-size: 20px;
 47 |     font-family: Georgia, serif;
 48 | 	}
 49 | .main div {
 50 |   float: left;
 51 |   clear: none; 
 52 | 	}
 53 | input {
 54 | border			: solid 2px ;
 55 | border-color		: black;
 56 | BACKGROUND-COLOR: #444444;
 57 | font: 8pt Verdana;
 58 | color: white;
 59 | }
 60 | submit {
 61 | BORDER:  buttonhighlight 2px outset;
 62 | BACKGROUND-COLOR: Black;
 63 | width: 30%;
 64 | color: #FFF;
 65 | }
 66 | #t input[type=\'submit\']{
 67 | 	COLOR: White;
 68 | 	border:none;
 69 | 	BACKGROUND-COLOR: black;
 70 | }
 71 | #t input[type=\'submit\']:hover {
 72 | 	
 73 | 	BACKGROUND-COLOR: #ff9933;
 74 | 	color: black;
 75 | 	
 76 | }
 77 | tr {
 78 | BORDER: dashed 1px #333;
 79 | color: #FFF;
 80 | }
 81 | td {
 82 | BORDER: dashed 0px ;
 83 | }
 84 | 
 85 | table {
 86 | BORDER: dashed 2px #333;
 87 | BORDER-COLOR: #333333;
 88 | BACKGROUND-COLOR: #191919;;
 89 | color: #FFF;
 90 | }
 91 | textarea {
 92 | border			: dashed 2px #333;
 93 | BACKGROUND-COLOR: Black;
 94 | font: Fixedsys bold;
 95 | color: #999;
 96 | }
 97 | A:link {
 98 | border: 1px;
 99 | 	COLOR: red; TEXT-DECORATION: none
100 | }
101 | A:visited {
102 | 	COLOR: red; TEXT-DECORATION: none
103 | }
104 | A:hover {
105 | 	color: White; TEXT-DECORATION: none
106 | }
107 | A:active {
108 | 	color: white; TEXT-DECORATION: none
109 | }
110 | 
111 | </STYLE>
112 | <script type="text/javascript">
113 | <!--
114 |     function lhook(id) {
115 |        var e = document.getElementById(id);
116 |        if(e.style.display == \'block\')
117 |           e.style.display = \'none\';
118 |        else
119 |           e.style.display = \'block\';
120 |     }
121 | //-->
122 | </script>
123 | 
124 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
125 | 			
126 |        <td width="100%" align=center valign="top" rowspan="1">
127 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ Weasyprint, HTML</font><font color=white size=5 face="comic sans ms"><b> to PDF Converter Server-side</font><font color=green size=5 face="comic sans ms"><b> request forgery ]]==--</font><br>
128 | 			<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
129 | 		   <div class="hedr"> 
130 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
131 |         width="100%" align="center" valign="top" rowspan="1"><font 
132 |         color="red" face="comic sans ms"size="1"><b> 
133 |         <font color=#ff9933> 
134 |         ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
135 |         -==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, r0ot_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba ,Silent poison India, Magnum sniper, 3thicalnoob Indishell, cyber warrior, Hacker Fantastic and rest of TEAM INDISHELL<br>
136 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi, Incredible, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>
137 |         <b> 
138 |         <font color=#ff9933> 
139 |         ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
140 | 						
141 |            </table>
142 |        </table> ';
143 | 
144 | 
145 | 		echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
146 | 		<tr>
147 | 		<form method=post action="index.php">
148 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
149 | 				<input type=submit name=home value="Home" class="side-pan">
150 | 		</td>
151 | 		
152 | 				</form></tr></table></div></div>
153 | 				<div id="right"></div><div align=center>';	
154 | 				
155 | 				
156 | echo '
157 | 		<table width="35%" style=" border:0px;background-color: #191919; opacity: 0.9; padding: 20px;" >
158 | 			<form method=post>
159 | 		<tr><td align=center  colspan="2"> 	Member Info  </td></tr>
160 |        <tr>
161 | 	   <td align=right>Handle: </td><td><input type=text name=handle> </td>
162 | 	   </tr>
163 | 		
164 | 		<tr><td align=center  colspan="2"> <input type=submit name=insert value="Generate >:D<">  </td></tr>
165 |        </table> 
166 | 	   <br><br>
167 | 	   
168 | '; 				
169 | 
170 | if(isset($_POST['insert']))
171 | {				
172 | 
173 | 
174 | $data=$_POST['handle'];
175 | 
176 | $html='<html><STYLE>
177 | body {
178 | 	font-family: Tahoma;
179 | }
180 | 
181 | div#right {
182 |     margin-left: 20%;
183 |     height: 50px;
184 | 	color: white;
185 |     font-size: 20px;
186 |     font-family: Georgia, serif;
187 | 	}
188 | .main div {
189 |   float: left;
190 |   clear: none; 
191 | 	}
192 | 
193 | tr {
194 | BORDER: solid 1px #333;
195 | color: black;
196 | }
197 | td {
198 | BORDER: dashed 0px ;
199 | }
200 | table {
201 | BORDER: solid 2px #333;
202 | BORDER-COLOR: #333333;
203 | 
204 | }
205 | </STYLE>        
206 |  <thead>
207 |  <div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:2px;">
208 |   <tr>
209 |    <th colspan="3">Invoice #123456789</th>
210 |    <th>14 January 2025
211 |   </tr>
212 |   <tr>
213 |    <td colspan="2">
214 |     <strong>Pay to:</strong><br>
215 |     Acme Billing Co.<br>
216 |     123 Main St.<br>
217 |     Cityville, NA 12345
218 |    </td>
219 |    <td colspan="2">
220 |     <strong>Customer:</strong><br>
221 |     '.$data.'<br>
222 |     321 Willow Way<br>
223 |     Southeast Northwestershire, MA 54321
224 |    </td>
225 |   </tr>
226 |  </thead>
227 |  <tbody>
228 |   <tr>
229 |    <th>Name / Description</th>
230 |    <th>Qty.</th>
231 |    <th>@</th>
232 |    <th>Cost</th>
233 |   </tr>
234 |   <tr>
235 |    <td>Paperclips</td>
236 |    <td>1000</td>
237 |    <td>0.01</td>
238 |    <td>10.00</td>
239 |   </tr>
240 |   <tr>
241 |    <td>Staples (box)</td>
242 |    <td>100</td>
243 |    <td>1.00</td>
244 |    <td>100.00</td>
245 |   </tr>
246 |  </tbody>
247 |  <tfoot>
248 |   <tr>
249 |    <th colspan="3">Subtotal</th>
250 |    <td> 110.00</td>
251 |   </tr>
252 |   <tr>
253 |    <th colspan="2">Tax</th>
254 |    <td> 8% </td>
255 |    <td>8.80</td>
256 |   </tr>
257 |   <tr>
258 |    <th colspan="3">Grand Total</th>
259 |    <td>Rs. 118.80</td>
260 |   </tr>
261 |  </tfoot>
262 | </table>
263 | ';
264 | 
265 | $tost='test';
266 | 
267 | $all=fopen('sample10.html','w');
268 | fwrite($all,$html);
269 | 
270 | 
271 | 
272 |  passthru('weasyprint sample10.html output.pdf 2>&1'); 
273 |  
274 |  
275 |  echo '<table width="35%" style=" border:0px;background-color: #191919; opacity: 0.8; padding: 20px;" >
276 | 			<form method=post>
277 | 		<tr><td align=center  colspan="2">Hello '.htmlentities($data).', please download the generated PDF. Click <a href="output.pdf">Here</a></td></tr></table>';
278 | }
279 | 
280 | ?>
281 | 
282 | 
283 | 


--------------------------------------------------------------------------------
/www/pdf_ssrf_wkhtmltopdf.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | echo '
  4 | <html>
  5 | <head>
  6 | <link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
  7 | </script>
  8 | <title>--==[[IndiShell Lab]]==--</title>
  9 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 10 | <STYLE>
 11 | body {
 12 | 	background: url(images/indishell.jpg);
 13 | 	background-size: 100% 650px;
 14 |     background-repeat: no-repeat;
 15 | 	background-attachment: fixed;
 16 | font-family: Tahoma;
 17 | color: white;
 18 | }
 19 | .side-pan {
 20 |    margin: 0;
 21 |    border:0px;
 22 |    
 23 |    width:200px;
 24 |    padding: 5px 23px;
 25 |    margin:0px;
 26 |    -webkit-border-radius: 0px;
 27 |    -moz-border-radius: 0px;
 28 |    border-radius: 0px;
 29 |    border-bottom: 1px solid black;
 30 |    color: white;
 31 |    font-size: 20px;
 32 |    font-family: Georgia, serif;
 33 |    text-decoration: none;
 34 |    vertical-align: left;
 35 |    align:left;
 36 |    }
 37 |    div#left {
 38 |     width: 100%;
 39 |     height: 50px;
 40 |     float: left;
 41 | 	}
 42 | div#right {
 43 |     margin-left: 20%;
 44 |     height: 50px;
 45 | 	color: white;
 46 |     font-size: 20px;
 47 |     font-family: Georgia, serif;
 48 | 	}
 49 | .main div {
 50 |   float: left;
 51 |   clear: none; 
 52 | 	}
 53 | input {
 54 | border			: solid 2px ;
 55 | border-color		: black;
 56 | BACKGROUND-COLOR: #444444;
 57 | font: 8pt Verdana;
 58 | color: white;
 59 | }
 60 | submit {
 61 | BORDER:  buttonhighlight 2px outset;
 62 | BACKGROUND-COLOR: Black;
 63 | width: 30%;
 64 | color: #FFF;
 65 | }
 66 | #t input[type=\'submit\']{
 67 | 	COLOR: White;
 68 | 	border:none;
 69 | 	BACKGROUND-COLOR: black;
 70 | }
 71 | #t input[type=\'submit\']:hover {
 72 | 	
 73 | 	BACKGROUND-COLOR: #ff9933;
 74 | 	color: black;
 75 | 	
 76 | }
 77 | tr {
 78 | BORDER: dashed 1px #333;
 79 | color: #FFF;
 80 | }
 81 | td {
 82 | BORDER: dashed 0px ;
 83 | }
 84 | 
 85 | table {
 86 | BORDER: dashed 2px #333;
 87 | BORDER-COLOR: #333333;
 88 | BACKGROUND-COLOR: #191919;;
 89 | color: #FFF;
 90 | }
 91 | textarea {
 92 | border			: dashed 2px #333;
 93 | BACKGROUND-COLOR: Black;
 94 | font: Fixedsys bold;
 95 | color: #999;
 96 | }
 97 | A:link {
 98 | border: 1px;
 99 | 	COLOR: red; TEXT-DECORATION: none
100 | }
101 | A:visited {
102 | 	COLOR: red; TEXT-DECORATION: none
103 | }
104 | A:hover {
105 | 	color: White; TEXT-DECORATION: none
106 | }
107 | A:active {
108 | 	color: white; TEXT-DECORATION: none
109 | }
110 | 
111 | </STYLE>
112 | <script type="text/javascript">
113 | <!--
114 |     function lhook(id) {
115 |        var e = document.getElementById(id);
116 |        if(e.style.display == \'block\')
117 |           e.style.display = \'none\';
118 |        else
119 |           e.style.display = \'block\';
120 |     }
121 | //-->
122 | </script>
123 | 
124 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
125 | 			
126 |        <td width="100%" align=center valign="top" rowspan="1">
127 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ WKHTMLtoPDF, HTML</font><font color=white size=5 face="comic sans ms"><b> to PDF Converter Server-side</font><font color=green size=5 face="comic sans ms"><b> request forgery ]]==--</font><br>
128 | 			<font color=#ff9933 size=3 face="comic sans ms"><b>--==[[ With </font><font color=white size=3 face="comic sans ms"><b>Love From IndiShell</font><font color=green size=3 face="comic sans ms"><b> Crew]]==--</font>
129 | 		   <div class="hedr"> 
130 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
131 |         width="100%" align="center" valign="top" rowspan="1"><font 
132 |         color="red" face="comic sans ms"size="1"><b> 
133 |         <font color=#ff9933> 
134 |         ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
135 |         -==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, r0ot_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba ,Silent poison India, Magnum sniper, 3thicalnoob Indishell, cyber warrior, Hacker Fantastic and rest of TEAM INDISHELL<br>
136 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi, Incredible, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3 <br>
137 |         <b> 
138 |         <font color=#ff9933> 
139 |         ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
140 | 						
141 |            </table>
142 |        </table> ';
143 | 
144 | 
145 | 		echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
146 | 		<tr>
147 | 		<form method=post action="index.php">
148 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
149 | 				<input type=submit name=home value="Home" class="side-pan">
150 | 		</td>
151 | 		
152 | 				</form></tr></table></div></div>
153 | 				<div id="right"></div><div align=center>';	
154 | 				
155 | 				
156 | echo '
157 | 		<table width="35%" style=" border:0px;background-color: #191919; opacity: 0.9; padding: 20px;" >
158 | 			<form method=post>
159 | 		<tr><td align=center  colspan="2"> 	Member Info  </td></tr>
160 |        <tr>
161 | 	   <td align=right>Handle: </td><td><input type=text name=handle> </td>
162 | 	   </tr>
163 | 		
164 | 		<tr><td align=center  colspan="2"> <input type=submit name=insert value="Generate >:D<">  </td></tr>
165 |        </table> 
166 | 	   <br><br>
167 | 	   
168 | '; 				
169 | 
170 | if(isset($_POST['insert']))
171 | {				
172 | 
173 | 
174 | $data=$_POST['handle'];
175 | 
176 | $html='<html><STYLE>
177 | body {
178 | 	font-family: Tahoma;
179 | }
180 | 
181 | div#right {
182 |     margin-left: 20%;
183 |     height: 50px;
184 | 	color: white;
185 |     font-size: 20px;
186 |     font-family: Georgia, serif;
187 | 	}
188 | .main div {
189 |   float: left;
190 |   clear: none; 
191 | 	}
192 | 
193 | tr {
194 | BORDER: solid 1px #333;
195 | color: black;
196 | }
197 | td {
198 | BORDER: dashed 0px ;
199 | }
200 | table {
201 | BORDER: solid 2px #333;
202 | BORDER-COLOR: #333333;
203 | 
204 | }
205 | </STYLE>        
206 |  <thead>
207 |  <div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:2px;">
208 |   <tr>
209 |    <th colspan="3">Invoice #123456789</th>
210 |    <th>14 January 2025
211 |   </tr>
212 |   <tr>
213 |    <td colspan="2">
214 |     <strong>Pay to:</strong><br>
215 |     Acme Billing Co.<br>
216 |     123 Main St.<br>
217 |     Cityville, NA 12345
218 |    </td>
219 |    <td colspan="2">
220 |     <strong>Customer:</strong><br>
221 |     '.$data.'<br>
222 |     321 Willow Way<br>
223 |     Southeast Northwestershire, MA 54321
224 |    </td>
225 |   </tr>
226 |  </thead>
227 |  <tbody>
228 |   <tr>
229 |    <th>Name / Description</th>
230 |    <th>Qty.</th>
231 |    <th>@</th>
232 |    <th>Cost</th>
233 |   </tr>
234 |   <tr>
235 |    <td>Paperclips</td>
236 |    <td>1000</td>
237 |    <td>0.01</td>
238 |    <td>10.00</td>
239 |   </tr>
240 |   <tr>
241 |    <td>Staples (box)</td>
242 |    <td>100</td>
243 |    <td>1.00</td>
244 |    <td>100.00</td>
245 |   </tr>
246 |  </tbody>
247 |  <tfoot>
248 |   <tr>
249 |    <th colspan="3">Subtotal</th>
250 |    <td> 110.00</td>
251 |   </tr>
252 |   <tr>
253 |    <th colspan="2">Tax</th>
254 |    <td> 8% </td>
255 |    <td>8.80</td>
256 |   </tr>
257 |   <tr>
258 |    <th colspan="3">Grand Total</th>
259 |    <td>Rs. 118.80</td>
260 |   </tr>
261 |  </tfoot>
262 | </table>
263 | ';
264 | 
265 | $tost='test';
266 | 
267 | $all=fopen('sample.html','w');
268 | fwrite($all,$html);
269 | 
270 | 
271 | //$path_pdf_converter='C:\Program Files\wkhtmltopdf\bin\wkhtmltopdf.exe'; /*remove the comment if you want to use it on Windows machine*/
272 | //passthru('"'.$path_pdf_converter.'" -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 sample.html output4.pdf'); /*remove the comment if you want to use it on Windows machine*/
273 |  passthru('xvfb-run wkhtmltopdf -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 --quiet sample.html output4.pdf 2>&1'); //comment this line if you want to use code on Windows
274 |  
275 |  
276 |  echo '<table width="35%" style=" border:0px;background-color: #191919; opacity: 0.8; padding: 20px;" >
277 | 			<form method=post>
278 | 		<tr><td align=center  colspan="2">Hello '.htmlentities($data).', please download the generated PDF. Click <a href="output4.pdf">Here</a></td></tr></table>';
279 | }
280 | 
281 | ?>
282 | 
283 | 
284 | 


--------------------------------------------------------------------------------
/www/sql_connect.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /*Coded by Jagriti aka Incredible at indishell Lab*/
  3 | session_start();
  4 | set_time_limit(0);
  5 | 
  6 | 
  7 |  $head = '
  8 | <html>
  9 | <head>
 10 | </script>
 11 | <title>--==[[MySQL Connect]]==--</title>
 12 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 13 | 
 14 | <STYLE>
 15 | body {
 16 | background-image: url("http://2.bp.blogspot.com/_pIX0Yrfc96k/TGbCp67f8rI/AAAAAAAADpc/ZYotXRwkT2M/s1600/ind43v.jpg");
 17 | background-position: center center;
 18 | background-repeat: no-repeat;
 19 | background-size: 1000px 500px;
 20 | background-color: #000000;
 21 | background-attachment: fixed;
 22 | font-family: Tahoma;
 23 | }
 24 | tr {
 25 | BORDER: dashed 2px #333;
 26 | color: #FFF;
 27 | }
 28 | td {
 29 | BORDER: dashed 2px #333;
 30 | color: #FFF;
 31 | 
 32 | }
 33 | 
 34 | table {
 35 | BORDER: dashed 0px #333;
 36 | BORDER-COLOR: #333333;
 37 | BACKGROUND-COLOR: Black;
 38 | color: #FFF;
 39 | border-collapse: collapse;
 40 | padding: 10px;
 41 | }
 42 | input {
 43 | border : solid 3px ;
 44 | border-color : #333;
 45 | BACKGROUND-COLOR: white;
 46 | font: 11pt Verdana;
 47 | color: #333;
 48 | }
 49 | select {
 50 | BORDER-RIGHT:  Black 1px solid;
 51 | BORDER-TOP:    #DF0000 1px solid;
 52 | BORDER-LEFT:   #DF0000 1px solid;
 53 | BORDER-BOTTOM: Black 1px solid;
 54 | BORDER-color: #FFF;
 55 | BACKGROUND-COLOR: Black;
 56 | font: 8pt Verdana;
 57 | color: Red;
 58 | }
 59 | submit {
 60 | BORDER:  buttonhighlight 2px outset;
 61 | BACKGROUND-COLOR: Black;
 62 | width: 30%;
 63 | color: #FFF;
 64 | }
 65 | textarea {
 66 | border : dashed 2px #333;
 67 | BACKGROUND-COLOR: Black;
 68 | font: Fixedsys bold;
 69 | color: #999;
 70 | }
 71 | BODY {
 72 | SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #FFF; SCROLLBAR-SHADOW-color: #FFF; SCROLLBAR-3DLIGHT-color: #FFF; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #FFF; SCROLLBAR-DARKSHADOW-color: #FFF
 73 | margin: 1px;
 74 | color: Red;
 75 | background-color: Black;
 76 | }
 77 | 
 78 | 
 79 | 
 80 | </STYLE>
 81 | '; ?>
 82 | <html>
 83 | <head>
 84 | <?php 
 85 | echo $head ;
 86 | echo '
 87 | 
 88 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
 89 | 
 90 | 
 91 |        <td width="100%" align=center valign="top" rowspan="1">
 92 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ MySQL </font><font color=white size=5 face="comic sans ms"><b> connect </font><font color=green size=5 face="comic sans ms"><b>By IndiShell]]==--</font> <div class="hedr"> 
 93 | 
 94 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
 95 |         width="100%" align="center" valign="top" rowspan="1"><font 
 96 |         color="red" face="comic sans ms"size="1">
 97 |         <font  color=#ff9933> 
 98 |         ##################################################</font><font color=white>###################################################</font><font color=green>##################################################</font><br><font  color=#ff9933 face="comic sans ms">
 99 |         <font 
100 |          color="red" face="comic sans ms"size="1"><br><font color=white >
101 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell<br>Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen and rest of TEAM INDISHELL<br>
102 | <font color=white>--==[[Love to]]==--</font><br># My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
103 | Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
104 |        </font>
105 |         </font>
106 |          
107 |         <font  color=#ff9933> 
108 |         ##################################################</font><font color=white>###################################################</font><font color=green>##################################################</font>
109 |            </table>
110 |        </table> 
111 | 
112 | '; 
113 | 
114 | ?>
115 | <body bgcolor=black><div align=center><br>
116 | <font color=white size=3 style="comic sans ms">
117 | <table width=30% >
118 | <form method=post>
119 | <tr ><td width=50% align=right style="padding: 10px;"> <font color=#ff9933>Remote Host IP: </td><td width=50% align=center> <font color=#ff9933><input type=text name=host value="127.0.0.1"></td></tr>
120 | <tr><td width=50% align=right> <font color=#ff9933>Username: </td><td width=50% align=center> <font color=#ff9933><input type=text name=uname value=root></td></tr>
121 | <tr><td width=50% align=right> <font color=#ff9933>Password: </td><td width=50% align=center> <font color=#ff9933><input type=text name=pass value=admin123></td></tr>
122 | 
123 | 
124 | </table>
125 | <br>
126 | <input type=submit name=sbmt value="Chal Billu, Ghuma de soda >:D<">
127 | </form>
128 | <br><br>
129 | 
130 | 
131 | <?php
132 | set_time_limit(0);
133 | 
134 | error_reporting(0);
135 | if(isset($_POST['sbmt']))
136 | {
137 | 
138 | $host=trim($_POST['host']);
139 | $uname=trim($_POST['uname']);
140 | $pass=trim($_POST['pass']);
141 | 
142 | 
143 | 
144 | $r=mysqli_connect($host,$uname,$pass);
145 | 
146 | if (mysqli_connect_errno())
147 |   {
148 |   echo  mysqli_connect_error();
149 |   }
150 | 
151 | 
152 | 
153 | }
154 | 
155 | echo "<br>";
156 | ?>
157 | 
158 | <style type="text/css">#cot_tl_fixed{background-color:black;position:fixed;bottom:0px;font-Asize:50px;left:0px;padding:3px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}</style>
159 | <span style="color: white;">
160 | <div id="cot_tl_fixed"><marquee>Coded By:- 1046 @ IndiShell Lab</marquee></div></span>
161 | 
162 | 


--------------------------------------------------------------------------------
/www/xml_ssrf.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*coded by Manish Kishan Tanwar @ indishell Lab*/
  4 | 
  5 | echo '
  6 | <title>--==[[ SSRF using XXE Vulnerability ]]==--</title>
  7 | <link href="all.css" rel="stylesheet" type="text/css" />
  8 | <STYLE>
  9 | .side-pan2 {
 10 |    margin: 0;
 11 |    border:0px;
 12 |    
 13 |    width:300px;
 14 |    padding: 5px 23px;
 15 |    margin:0px;
 16 |    -webkit-border-radius: 0px;
 17 |    -moz-border-radius: 0px;
 18 |    border-radius: 0px;
 19 |    border-bottom: 1px solid black;
 20 |    color: white;
 21 |    font-size: 20px;
 22 |    font-family: Georgia, serif;
 23 |    text-decoration: none;
 24 |    vertical-align: left;
 25 |    align:left;
 26 |    }
 27 | </STYLE>
 28 | 
 29 | '; 
 30 | 
 31 | 
 32 | echo '
 33 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.7;border:0px;" >
 34 | 			
 35 |        <td width="100%" align=center valign="top" rowspan="1">
 36 | 	   <font color=#ff9933 size="-2"> 
 37 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
 38 |            <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ XXE based </font><font color=white size=5 face="comic sans ms"><b>  SSRF Vuln</font><font color=green size=5 face="comic sans ms"><b>erable Code ]]==--</font><br>
 39 | 		   <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[</b> With Love</font><font color=white size=5 face="comic sans ms"><b> From  Team </font><font color=green size=5 face="comic sans ms">IndiShell<b>]]==--</font>
 40 | 		   <div class="hedr"> 
 41 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
 42 |         width="100%" align="center" valign="top" rowspan="1">
 43 | 		<font color=#ff9933 size="-2"> 
 44 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
 45 | 		<font 
 46 |         color="red" face="comic sans ms"size="1">
 47 |         
 48 | 						
 49 |           
 50 |        </table> 
 51 | '; 
 52 | 
 53 | echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
 54 | 		<tr>
 55 | 		<form method=post action="'.$_SERVER['SCRIPT_NAME'].'">
 56 | 		
 57 | 		<td align=right style="padding:0px; border:0px; margin:0px;" >
 58 | 				<input type=submit name=load value="XML document reader" class="side-pan2">
 59 | 		</td>
 60 | 		</form></tr></table></div></div>
 61 | 				<div id="right"></div><div align=center>';	
 62 | 
 63 | 
 64 | if(isset($_POST['load']))
 65 | 	{
 66 | 	
 67 | 	echo '<table width="30%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 68 | 			<tr><td align=center style="padding: 10px;" >
 69 | 			<form enctype="multipart/form-data"  method="post" style="align:center">
 70 | 			<input type="hidden" name="MAX_FILE_SIZE" value="2000000" />
 71 | 			Upload xml file below:
 72 | 			<br>
 73 | 			<br>
 74 | 			<input type="file" name="file" />
 75 | 			<br>
 76 | 			<br>
 77 |             <input type="submit" name="upload" value="upload" /></td>
 78 |             </tr>
 79 | 		   </table>
 80 | 		  </form>';
 81 | 
 82 | }
 83 | 
 84 | if(isset($_POST['upload']))
 85 | {
 86 | 
 87 | $xmlfile    = $_FILES['file']['tmp_name'];
 88 | libxml_disable_entity_loader (false);
 89 | 
 90 | $crew= simplexml_load_file($xmlfile, 'SimpleXMLElement', LIBXML_NOENT) or die("Cannot create XML object");
 91 | 
 92 | 
 93 | $crewList  = '<h2 align="center">White Beard Pirate crew members</h2>';
 94 | $crewList .= '<table border="1" align="center" cellspacing="3" cellpadding="0" class="tb1" style="opacity: 0.8;">
 95 |                <tr>
 96 |                   <th>#</th>
 97 |                   <th>Name</th>
 98 |                   <th>Title</th>
 99 |                   <th>Devil Fruit</th>
100 | 				  <th>Power</th>
101 |                 </tr>';
102 | 
103 |     $serial = 1;
104 | 
105 |     foreach ($crew as $bookinfo):
106 | 
107 |         $title  =  $bookinfo->title;
108 |         $name =  $bookinfo->name;
109 |         $fruit  =  $bookinfo->fruit;
110 |     
111 |         $power   =  $bookinfo->power;
112 |     
113 |         $crewList .= "<tr>
114 |                         <td>".$serial."</td>
115 |                         <td>".$title."</td>
116 |                         <td>".$name."</td>
117 |                         <td>".$fruit."</td>
118 |                         <td>".$power."</td>
119 |                     </tr>";
120 | 
121 |         $serial++;
122 | 
123 |     endforeach;
124 | 
125 |     $crewList .= '</table>';
126 | 
127 |     echo $crewList;
128 | 
129 | 	}
130 | ?>
131 | 


--------------------------------------------------------------------------------