# Basic SSRF against another back-end system

## Description

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal `192.168.0.X` range for an admin interface on port `8080`, then use it to delete the user `carlos`.

## Solution

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2Ficqhh3TfvruwHx5mSyna%2Fimage.png?alt=media&#x26;token=73366101-27a6-4b93-a553-28fac897da39" alt=""><figcaption></figcaption></figure>

Every product has a dedicated stock check function that reports whether the product is available or not. The form submits the full back-end URL in the `stockApi` parameter:

`value="http://192.168.0.1:8080/product/stock/check?productId=2&storeId=1"`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FUUyPRrWbaHPZ2Qd1eMUz%2Fimage.png?alt=media&#x26;token=e1d58c55-3b82-44d0-b3d2-868a36118ca8" alt=""><figcaption></figcaption></figure>

Clicking the "Check stock" button returns the number of pieces in stock:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FqdExUvqvYKSvilEdkre5%2Fimage.png?alt=media&#x26;token=6c03c5a8-1650-43e7-9eeb-dc4f98f54e52" alt=""><figcaption></figcaption></figure>

We can try to change the stock check URL to reach the admin interface: select the `stockApi` value in the Inspector and replace it with `http://192.168.0.1:8080/admin`, but that page does not exist. Since the lab description gives the range as `http://192.168.0.X:8080`, we can iterate the X value with Burp Intruder:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FGAQyELAlOV4qh4meYrCO%2Fimage.png?alt=media&#x26;token=26a40a3b-9e95-4f90-8496-4088dbe64e71" alt=""><figcaption></figcaption></figure>

As a result, one value, 157, yields a response of a different length.

Changing the value to `http://192.168.0.157:8080/admin`, we are able to reach the admin panel via SSRF:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2Fx0RpwHpgODpsLt35ef61%2Fimage.png?alt=media&#x26;token=dc8b8d56-70f9-4411-8df7-cb2cd8bbd469" alt=""><figcaption></figcaption></figure>

Checking the response, there are links for deleting the users Wiener and Carlos:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FettGgRzeTEsWCnADtrmp%2Fimage.png?alt=media&#x26;token=feab127d-1425-456d-83b2-225e93040ca8" alt=""><figcaption></figcaption></figure>

The goal of the lab is to delete the user Carlos. We can do it by inserting the deletion link into the `stockApi` value, which solves the lab:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2F1KL2sAsUTDXoyWyBwSXA%2Fimage.png?alt=media&#x26;token=66f3c084-91f1-4582-8061-81692b764f86" alt=""><figcaption></figcaption></figure>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FuYJSha13XJs7V5rrsUe3%2Fimage.png?alt=media&#x26;token=efa75f34-b220-475d-85ee-bd9a296d0904" alt=""><figcaption></figcaption></figure>
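The root cause of this lab is that the front end submits a complete URL in `stockApi` and the server fetches whatever it is given, so every host the server can reach (the internal `192.168.0.X:8080` range here) becomes reachable through it. The following is an added example, not code from the lab or the writeup: it models that vulnerable pattern beside a hardened version that keeps the back-end location server-side and accepts only `productId` and `storeId`, plus an allowlist check for code that cannot yet drop the URL parameter. The hosts, port and paths are the ones the writeup mentions; `fake_fetch`, `FAKE_INTERNAL_HTTP` and the stock count `143` are constructed stand-ins so the example runs offline.

```python
"""Added example (not part of the lab writeup): the stock-check pattern
the lab exploits, beside a hardened version.

The lab's front end submits a complete URL in the `stockApi` parameter and
the server fetches it. The fix shown here keeps the internal URL server-side
and accepts only the two fields the feature needs. Hostnames, port and paths
come from the writeup; the fetcher is a constructed stand-in for a real
HTTP client.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the internal network: maps URL -> response body.
# Only the two hosts the writeup mentions are modelled; "143" is invented.
FAKE_INTERNAL_HTTP = {
    "http://192.168.0.1:8080/product/stock/check?productId=2&storeId=1": "143",
    "http://192.168.0.157:8080/admin": "<html>Admin panel</html>",
}


def fake_fetch(url: str) -> str:
    """Stand-in for the server-side HTTP client (no real network access)."""
    return FAKE_INTERNAL_HTTP.get(url, "404 Not Found")


def check_stock_vulnerable(stock_api: str, fetch=fake_fetch) -> str:
    """The lab's pattern: the user controls the full URL the server fetches.

    Whatever the server can reach, the user can reach through it (SSRF).
    """
    return fetch(stock_api)


# Hardened version: the back-end location is fixed server-side and the
# client only supplies the identifiers the feature needs.
STOCK_BACKEND = "http://192.168.0.1:8080/product/stock/check"


def check_stock_hardened(product_id: str, store_id: str, fetch=fake_fetch) -> str:
    """Accept only decimal identifiers and build the URL server-side."""
    if not (product_id.isdecimal() and store_id.isdecimal()):
        raise ValueError("productId and storeId must be non-negative integers")
    query = urlencode({"productId": int(product_id), "storeId": int(store_id)})
    return fetch(f"{STOCK_BACKEND}?{query}")


def is_allowed_stock_url(url: str) -> bool:
    """Defensive allowlist for code that cannot yet drop the URL parameter.

    Scheme, host, port and path must match the one legitimate back-end
    exactly; the query may carry only decimal productId and storeId values.
    """
    try:
        parts = urlsplit(url)
        expected = urlsplit(STOCK_BACKEND)
        actual = (parts.scheme, parts.hostname, parts.port, parts.path)
    except ValueError:  # e.g. a non-numeric port
        return False
    if actual != (expected.scheme, expected.hostname, expected.port, expected.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return set(params) == {"productId", "storeId"} and all(
        len(values) == 1 and values[0].isdecimal() for values in params.values()
    )


if __name__ == "__main__":
    legit = "http://192.168.0.1:8080/product/stock/check?productId=2&storeId=1"
    redirected = "http://192.168.0.157:8080/admin"  # host and path from the writeup
    print(check_stock_vulnerable(legit))          # the stock count
    print(check_stock_vulnerable(redirected))     # the admin panel: SSRF
    print(is_allowed_stock_url(legit), is_allowed_stock_url(redirected))
    print(check_stock_hardened("2", "1"))
```

The hardened handler is the preferable fix: once the client can no longer name a host, the Intruder sweep over `192.168.0.X` described above has nothing to drive. The allowlist exists for legacy clients that still send a URL, and it compares host, port and path exactly rather than by prefix, so `http://192.168.0.1:8080/admin` and any other host on the range are rejected along with the legitimate host carrying extra query parameters.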
