Blind SSRF → PHP-Info() Disclosure

ProfessorXSS
3 min read · Dec 26, 2022

Hello Folks, in this article let’s see how I got the PHP Info file disclosed via Blind SSRF.

Let’s get Started !! 😉

Firstly, I started with recon as usual.

I found that the application is using Ubuntu Linux with Apache running as the web server.

I simply opened up the website, and I observed that there is a URL field in the application.

Remember, if you see any URL parameter in the application, don’t forget to test it for open redirection, XSS, LFI, and SSRF.

There are high chances of getting these bugs in such cases.

Firstly, I tried possible LFI payloads:

Nothing worked as expected!

Then I tried possible XSS payloads and open redirection.

Again nothing.

Then I opened up my Collaborator, generated a payload, and pasted it into the URL field.

Suddenly, I got an HTTP request in my Collaborator client.

I copied the Origin IP and pasted it into the browser to see the response.

I got a response, which confirmed that the IP I received from the Collaborator belongs to a web server.

Immediately, I fuzzed the directories on the Origin IP to look for sensitive files, and surprisingly I found many internal files.

Among them, PHP-Info() was one of the sensitive files I got from the fuzzing.

I opened the URL with the /2.php file in the browser, and Boom!

The PHP-Info() file was disclosed.
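On the defensive side, the callback described above only reaches an external listener if the server fetches whatever host the URL field is given. The following check is an added example, not code from this write-up or from the affected application; the function names, the allowlisted hostnames and the sample addresses are all constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts the URL field may fetch from (constructed names).
ALLOWED_HOSTS = frozenset({"cdn.example.com", "images.example.com"})


def resolve(host):
    """Default resolver: every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    host = (parts.hostname or "").rstrip(".")
    # Allowlist first: an unknown external host (such as an out-of-band
    # callback domain) is rejected without the server ever contacting it.
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False, "host does not resolve cleanly"
    # Even an allowlisted name must not point at loopback, private,
    # link-local or otherwise non-public address space.
    if not addresses or not all(ip.is_global for ip in addresses):
        return False, "resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the fake resolver keeps the demo offline.
    fake_dns = {"cdn.example.com": {"93.184.216.34"}}
    for u in ("https://cdn.example.com/logo.png",
              "http://callback.oob.example/ping",
              "http://127.0.0.1/2.php"):
        print(u, check_fetch_url(u, resolver=lambda h: fake_dns[h]))
```

The fetch itself should connect to the address that was validated and should not follow redirects, otherwise a DNS change or a 30x response after the check bypasses it.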

That’s it for this write-up.

Happy Hacking 🥂🥂

Thanks for reading.

Please follow me for more writeups.
