Basic SSRF against another back-end system

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/ssrf-apprentice/ssrf/lab-basic-ssrf-against-backend-system

Description

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Solution

Every product has a dedicated stock check function that retrieves whether the product is available or not:

value="http://192.168.0.1:8080/product/stock/check?productId=2&storeId=1"

Clicking the "Check stock" button returns the number of pieces in stock.

We can try to change the stock check URL to reach the admin interface by selecting the stockApi value and editing it in the Inspector field to http://192.168.0.1:8080/admin, but that page doesn't exist. Remembering that the lab description gave the URL as http://192.168.0.X:8080, we can try changing the X value using Burp Intruder:

As a result we obtain a response of different length for the value 157.

Changing it to http://192.168.0.157:8080/admin, we are able to access the admin panel via SSRF:

Checking the response, there are links for deleting the users wiener and carlos:

The goal of the lab is to delete the user carlos; we can do it by inserting the deletion link into the stockApi value, which solves the lab:
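The root cause of the lab is that the server fetches whatever URL the client places in stockApi, so an attacker can point it at internal hosts. The following is an added example (not code from this writeup or from the PortSwigger lab) that shows that vulnerable pattern beside two hardened forms: an allowlist validator for the URL, and the stronger option of not accepting a URL at all and building it server-side from integer parameters. The host name stock.internal.example, the allowed path prefix, and the fake_fetch helper are assumptions made for the example.

```python
"""Added example: the SSRF pattern behind the stock check, and two ways to fix it."""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumption for this example: the stock service lives at one known host name.
ALLOWED_HOSTS = {"stock.internal.example"}
ALLOWED_PATH_PREFIX = "/product/stock/check"


def fake_fetch(url: str) -> str:
    """Constructed stand-in for the server-side HTTP client (no network)."""
    return f"fetched {url}"


def vulnerable_stock_check(stock_api: str, fetch: Callable[[str], str]) -> str:
    """The flaw: the client-controlled stockApi URL is fetched as-is.

    Nothing stops it from being http://192.168.0.157:8080/admin, so the
    application becomes a proxy into the internal network.
    """
    return fetch(stock_api)


def validate_stock_api(stock_api: str) -> Optional[str]:
    """Return None if the URL is acceptable, otherwise the reason it was rejected."""
    parts = urlsplit(stock_api)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    # .hostname strips userinfo and IPv6 brackets, so http://allowed@192.168.0.1/
    # is seen as host 192.168.0.1, not as the allowed name.
    host = parts.hostname
    if host is None:
        return "missing host"
    # Reject every IP literal: private, loopback and link-local ranges are
    # exactly what SSRF targets, and the legitimate upstream has a name.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return "IP literal not allowed"
    if host not in ALLOWED_HOSTS:
        return "host not in allowlist"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "invalid port"
    if port not in (None, 80, 443):
        return "port not allowed"
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return "path not allowed"
    return None


def hardened_stock_check(stock_api: str, fetch: Callable[[str], str]) -> str:
    """Fix 1: fetch only after the URL passes the allowlist checks."""
    reason = validate_stock_api(stock_api)
    if reason is not None:
        raise ValueError(f"stockApi rejected: {reason}")
    return fetch(stock_api)


def build_stock_url(product_id: int, store_id: int) -> str:
    """Fix 2 (preferred): the client sends only integers; the URL is built here.

    Both values are coerced to int so a string such as "2&storeId=1/../admin"
    cannot smuggle extra path or query components into the upstream request.
    """
    host = next(iter(ALLOWED_HOSTS))
    return (f"http://{host}{ALLOWED_PATH_PREFIX}"
            f"?productId={int(product_id)}&storeId={int(store_id)}")


def safe_stock_check(product_id: int, store_id: int,
                     fetch: Callable[[str], str]) -> str:
    """The client never supplies a URL, so there is nothing to redirect."""
    return fetch(build_stock_url(product_id, store_id))


if __name__ == "__main__":
    probe = "http://192.168.0.157:8080/admin"
    print(vulnerable_stock_check(probe, fake_fetch))
    print(validate_stock_api(probe))
    print(safe_stock_check(2, 1, fake_fetch))
```

The allowlist validator is the minimal patch for an existing stockApi parameter; building the URL server-side removes the parameter entirely and is the change a reviewer should ask for first.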
