# Lab: SSRF with blacklist-based input filter

This lab has the same functionality as the other exercises: a check-stock feature whose parameter (the stock API URL) makes the server connect to an internal system. In this case, the tester has to bypass a blacklist-based filter on that URL.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2Fv5A0iZFqfAq981XOTzEF%2Fimage.png?alt=media&#x26;token=3598f657-3056-4d70-9ffb-e8012e13d128" alt=""><figcaption></figcaption></figure>

Checking the stock sends the following request:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FOqTMy97Pw6Eukpg8DBCQ%2Fimage.png?alt=media&#x26;token=b78482aa-bb6b-4114-99a2-ea469eaf085c" alt=""><figcaption></figcaption></figure>

If we use a basic payload, the response shows an error message:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FZUKNCSFi4fjkUihj1sJv%2Fimage.png?alt=media&#x26;token=89d000da-4af1-494c-9da5-e141293a7a05" alt=""><figcaption></figcaption></figure>

Let's enumerate possible bypasses from PortSwigger's URL validation bypass cheat sheet: <https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet>

I use the entire list.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2Fg995rJ33laMpfvcWZMrV%2Fimage.png?alt=media&#x26;token=10b51337-8f34-46db-9b0b-f5075c840e32" alt=""><figcaption></figcaption></figure>

And we can see two HTTP 200 responses:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FqoTO7kd63Yr5lgQAvjLY%2Fimage.png?alt=media&#x26;token=1899e6a5-e469-4071-ae23-9dc31881024d" alt=""><figcaption></figcaption></figure>

The payload is "//127.1" or "//127.0.1" (shorthand IPv4 notations that the blacklist does not match but that still resolve to the loopback address).

From there we intercept the request, replace the host with the payload, and we can see the admin panel. From there we try deleting the user "carlos":

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FQI1Fpfkz0oR68UKbEMuK%2Fimage.png?alt=media&#x26;token=075230a0-5efc-4a26-91be-9b2bd343f26b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2Fp1cboPclQekKttaKRfry%2Fimage.png?alt=media&#x26;token=6bf27e99-7133-47b8-821e-fb699550bf62" alt=""><figcaption></figcaption></figure>

It seems that it has another filter, this time on the path...

Let's see if URL-encoding the "admin" part of the path works:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F1d9LgsgvAvMhgYUWJYL0%2Fimage.png?alt=media&#x26;token=7310cec6-5705-4c15-aa6b-5b9439b35a7d" alt=""><figcaption></figcaption></figure>

It seems it's not working...

Let's try whether double encoding works:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F8yyjmT5Anx3PfJBYQAm3%2Fimage.png?alt=media&#x26;token=a30a1c26-3914-4d3e-be72-1ae553f37f87" alt=""><figcaption></figcaption></figure>

Yes! It worked. We can see the admin panel, where we can delete the user "carlos".
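To show why this lab's filter fails and what a fix looks like, here is an added example (my own code, not the lab's or PortSwigger's implementation). The first function mimics the behaviour the lab's filter exhibits, a substring blacklist on "127.0.0.1", "localhost" and "admin". The second is a hardened check that rejects any IP literal (including shorthand forms such as "127.1", which `socket.inet_aton` canonicalises to 127.0.0.1), requires the host to be on an allowlist, and percent-decodes the path repeatedly so that a double-encoded segment is compared in its decoded form. The hostname `stock.example.internal` and the route `/product/stock` are hypothetical placeholders for the real stock API.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, unquote

# --- The weak control: a substring blacklist, constructed to mirror the lab's filter ---
BLACKLIST = ("127.0.0.1", "localhost", "admin")


def blacklist_allows(url: str) -> bool:
    """Naive check: reject only if a blacklisted substring appears verbatim."""
    lowered = url.lower()
    return not any(bad in lowered for bad in BLACKLIST)


# --- The hardened control: allowlist on a canonical host and a decoded path ---
ALLOWED_HOSTS = {"stock.example.internal"}    # hypothetical stock-API host
ALLOWED_PATH_PREFIXES = ("/product/stock",)   # hypothetical allowed route


def canonical_ipv4(host: str):
    """Return an IPv4Address if `host` is any IPv4 literal form, else None.

    inet_aton accepts the shorthand and hex forms a blacklist misses
    (e.g. '127.1', '127.0.1', '0x7f.1'), so it is used to canonicalise.
    """
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so %2561 -> %61 -> a is seen as 'a'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_allows(url: str) -> bool:
    """Allow only absolute http(s) URLs to an allowlisted host and route."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False          # also rejects scheme-relative '//127.1': its scheme is ''
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # Any IP literal is rejected outright; internal services reached by IP are the SSRF target.
    if canonical_ipv4(host) is not None:
        return False
    try:
        ipaddress.ip_address(host)   # IPv6 literal such as ::1
        return False
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False
    try:
        path = fully_decode(parts.path or "/")
    except ValueError:
        return False
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PATH_PREFIXES)


if __name__ == "__main__":
    for candidate in ("http://localhost/admin",
                      "http://127.1/%2561dmin",
                      "http://stock.example.internal/product/stock?productId=1"):
        print(f"{candidate:55} blacklist={blacklist_allows(candidate)!s:5} hardened={hardened_allows(candidate)}")
```

Running it shows the blacklist letting `http://127.1/%2561dmin` through while the hardened check rejects it and accepts only the allowlisted stock route. Two caveats for production use: an allowlisted hostname can still be pointed at an internal address via DNS rebinding, so the resolver should pin the resolved IP and apply the same non-global check to it (omitted here to keep the example offline); and the strongest fix is not to accept a URL from the client at all, only a product identifier that the server maps to its own stock API.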
