> For the complete documentation index, see [llms.txt](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/server-side-vulnerabilities/server-side-request-forgery-ssrf/basic-ssrf-against-another-back-end-system.md).

# Basic SSRF against another back-end system

## Description

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal `192.168.0.X` range for an admin interface on port `8080`, then use it to delete the user `carlos`.

## Solution

<figure><img src="/files/l2ddrsqjnYP8QR9IN5Fr" alt=""><figcaption></figcaption></figure>

Every product has a dedicate check function to retrieve if a product is availble or not:

value="<http://192.168.0.1:8080/product/stock/check?productId=2\\&storeId=1>"

<figure><img src="/files/CySGxyS6DExGqKuUYSOt" alt=""><figcaption></figcaption></figure>

clicking to "Check stock" button we obtain the number of pieces in stock

<figure><img src="/files/HFzU0bwxpWjLuvIKlAeT" alt=""><figcaption></figcaption></figure>

We can try to change the stock check URL to access the admin interface inseriting the stockApi value selecting it and updating it into Inspector field at `http://`192.168.0.1:8080`/admin` but the page doesn't exists. So, remember that in the lab description was indicated as URL: `http://`192.168.0.X:8080 we can try to change the x value using Burp Intruder:

<figure><img src="/files/gQDWyvcOjUP9gICiW56e" alt=""><figcaption></figcaption></figure>

as result we obtain a different length response for the value: 157.

Changing it: `http://192.168.0.157:8080/admini`n this way we're able to access in the admin panel via a SSRF:

<figure><img src="/files/9e9ZiZuX8DTBub0iVpf4" alt=""><figcaption></figcaption></figure>

&#x20;and checking into the reponse there're links for deleting users Wiener and Carlos:

<figure><img src="/files/sm12QpM77ISuHZCvtWGh" alt=""><figcaption></figcaption></figure>

The scope of the lab is to delete Carlos user, we can do it inserting the deletion link into stockApi value and solving the lab:

<figure><img src="/files/fY1exYrJ6gRPasrmbQaw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2lWqgTaWCxX0T6Lq7EPZ" alt=""><figcaption></figcaption></figure>
